From 9d825dadf0245ec843f0add2fcaa264a454fe2c7 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:48:59 +0000 Subject: [PATCH 01/22] first script --- .../scripts/generate-expected-results/main.go | 257 ++++++++++++++++++ 1 file changed, 257 insertions(+) create mode 100644 .github/scripts/generate-expected-results/main.go diff --git a/.github/scripts/generate-expected-results/main.go b/.github/scripts/generate-expected-results/main.go new file mode 100644 index 00000000000..db53ca5b74d --- /dev/null +++ b/.github/scripts/generate-expected-results/main.go @@ -0,0 +1,257 @@ +package main + +import ( + "encoding/json" + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" +) + +// ── Metadata ────────────────────────────────────────────────────────────────── + +type Metadata struct { + ID string `json:"id"` +} + +// ── Scan result structures ──────────────────────────────────────────────────── + +type ScanFile struct { + FileName string `json:"file_name"` + SimilarityID string `json:"similarity_id"` + Line int `json:"line"` + ResourceType string `json:"resource_type"` + ResourceName string `json:"resource_name"` + SearchLine int `json:"search_line"` + SearchValue string `json:"search_value"` + ExpectedValue string `json:"expected_value"` + ActualValue string `json:"actual_value"` +} + +type Query struct { + QueryName string `json:"query_name"` + Severity string `json:"severity"` + Files []ScanFile `json:"files"` +} + +type ScanResult struct { + Queries []Query `json:"queries"` +} + +// ── Output structure ────────────────────────────────────────────────────────── + +type ExpectedResult struct { + QueryName string `json:"queryName"` + Severity string `json:"severity"` + Line int `json:"line"` + Filename string `json:"filename"` + ResourceType string `json:"resourceType"` + ResourceName string `json:"resourceName"` + SearchLine int `json:"searchLine"` + SearchValue string `json:"search_value"` + ExpectedValue string `json:"expected_value"` + ActualValue string `json:"actual_value"` + ResourceNameS string `json:"resource_name"` + ResourceTypeS string `json:"resource_type"` + SimilarityID string `json:"similarityID"` +} + +// ── Entry point ─────────────────────────────────────────────────────────────── + +func main() { + // The script must be executed from the KICS project root. + // e.g.: go run .github/scripts/generate-expected-results/main.go + root, err := os.Getwd() + if err != nil { + fatalf("getting working directory: %v", err) + } + + queriesRoot := filepath.Join(root, "assets", "queries") + + if _, err := os.Stat(queriesRoot); os.IsNotExist(err) { + fatalf("queries directory not found at %s — make sure you run this script from the KICS project root", queriesRoot) + } + + fmt.Printf("🔍 Scanning queries under: %s\n\n", queriesRoot) + + err = filepath.Walk(queriesRoot, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + // Skip 'common' directories entirely. + if info.IsDir() && info.Name() == "common" { + fmt.Printf("⏭️ Skipping common dir: %s\n", path) + return filepath.SkipDir + } + + if !info.IsDir() { + return nil + } + + // A query directory must contain both query.rego and metadata.json. + if !fileExists(filepath.Join(path, "query.rego")) || + !fileExists(filepath.Join(path, "metadata.json")) { + return nil + } + + fmt.Printf("✅ Found query: %s\n", path) + if err := processQuery(root, path); err != nil { + fmt.Fprintf(os.Stderr, "❌ Error processing %s: %v\n", path, err) + } + // Always skip going deeper once a query directory is found. + return filepath.SkipDir + }) + + if err != nil { + fatalf("walking queries directory: %v", err) + } + + fmt.Println("\n🎉 Done!") +} + +// ── Per-query processing ────────────────────────────────────────────────────── + +func processQuery(root, queryDir string) error { + // 1. Read the query ID from metadata.json. + metaPath := filepath.Join(queryDir, "metadata.json") + metaBytes, err := os.ReadFile(metaPath) + if err != nil { + return fmt.Errorf("reading metadata.json: %w", err) + } + + var meta Metadata + if err := json.Unmarshal(metaBytes, &meta); err != nil { + return fmt.Errorf("parsing metadata.json: %w", err) + } + + if meta.ID == "" { + return fmt.Errorf("metadata.json has an empty 'id' field") + } + + // 2. Build relative paths (relative to KICS root) for use in the command. + relQueryDir, err := filepath.Rel(root, queryDir) + if err != nil { + return fmt.Errorf("computing relative path: %w", err) + } + + relTestDir := filepath.Join(relQueryDir, "test") + relResultsDir := filepath.Join(relQueryDir, "results") + relPayloadsFile := filepath.Join(relQueryDir, "payloads", "all_payloads.json") + + // 3. Create results/ and payloads/ directories if they don't exist yet. + if err := os.MkdirAll(filepath.Join(queryDir, "results"), 0o755); err != nil { + return fmt.Errorf("creating results dir: %w", err) + } + + if err := os.MkdirAll(filepath.Join(queryDir, "payloads"), 0o755); err != nil { + return fmt.Errorf("creating payloads dir: %w", err) + } + + // 4. Run the KICS scan from the project root. + // go run .\cmd\console\main.go scan + // -p + // -o + // --output-name all_results.json + // -i + // -d + // -v + // --experimental-queries + mainGoPath := filepath.Join("cmd", "console", "main.go") + + cmd := exec.Command( + "go", "run", mainGoPath, + "scan", + "-p", relTestDir, + "-o", relResultsDir, + "--output-name", "all_results.json", + "-i", meta.ID, + "-d", relPayloadsFile, + "-v", + "--experimental-queries", + ) + cmd.Dir = root + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + + fmt.Printf("\n▶️ Running scan for: %s\n", relQueryDir) + fmt.Printf(" Command: go run %s scan -p %s -o %s --output-name all_results.json -i %s -d %s -v --experimental-queries\n\n", + mainGoPath, relTestDir, relResultsDir, meta.ID, relPayloadsFile) + + if err := cmd.Run(); err != nil { + return fmt.Errorf("running kics scan: %w", err) + } + + // 5. Parse the results and write positive_expected_result.json. + resultsFile := filepath.Join(queryDir, "results", "all_results.json") + return writePositiveExpectedResults(resultsFile, queryDir) +} + +// ── Result parsing & writing ────────────────────────────────────────────────── + +func writePositiveExpectedResults(resultsFile, queryDir string) error { + data, err := os.ReadFile(resultsFile) + if err != nil { + return fmt.Errorf("reading all_results.json: %w", err) + } + + var scanResult ScanResult + if err := json.Unmarshal(data, &scanResult); err != nil { + return fmt.Errorf("parsing all_results.json: %w", err) + } + + var expected []ExpectedResult + + for _, q := range scanResult.Queries { + for _, f := range q.Files { + filename := filepath.Base(f.FileName) + + // Only include entries whose file name starts with "positive". + if !strings.HasPrefix(filename, "positive") { + continue + } + + expected = append(expected, ExpectedResult{ + QueryName: q.QueryName, + Severity: q.Severity, + Line: f.Line, + Filename: filename, + ResourceType: f.ResourceType, + ResourceName: f.ResourceName, + SearchLine: f.SearchLine, + SearchValue: f.SearchValue, + ExpectedValue: f.ExpectedValue, + ActualValue: f.ActualValue, + ResourceNameS: f.ResourceName, + ResourceTypeS: f.ResourceType, + SimilarityID: f.SimilarityID, + }) + } + } + + outputPath := filepath.Join(queryDir, "test", "positive_expected_result.json") + outputBytes, err := json.MarshalIndent(expected, "", " ") + if err != nil { + return fmt.Errorf("marshaling expected results: %w", err) + } + + if err := os.WriteFile(outputPath, outputBytes, 0o644); err != nil { + return fmt.Errorf("writing positive_expected_result.json: %w", err) + } + + fmt.Printf("📄 Written: %s (%d entries)\n", outputPath, len(expected)) + return nil +} + +// ── Helpers ─────────────────────────────────────────────────────────────────── + +func fileExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +func fatalf(format string, args ...any) { + fmt.Fprintf(os.Stderr, "fatal: "+format+"\n", args...) + os.Exit(1) +} From 55606d913891ce7012dbabf5e21ad2192449401e Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Sun, 8 Mar 2026 23:03:10 +0000 Subject: [PATCH 02/22] changing all positive_expected_results except from the passwords and secrets --- .../scripts/generate-expected-results/main.go | 257 --- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 73 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 13 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 37 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 104 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 63 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 362 ++- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 13 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 65 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 398 +++- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 81 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 65 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 180 +- .../test/positive_expected_result.json | 468 ++-- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 196 +- .../test/positive_expected_result.json | 156 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 240 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 124 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 120 +- .../test/positive_expected_result.json | 154 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 138 +- .../test/positive_expected_result.json | 142 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 100 +- .../test/positive_expected_result.json | 370 +++- .../test/positive_expected_result.json | 132 +- .../test/positive_expected_result.json | 118 +- .../test/positive_expected_result.json | 238 +- .../test/positive_expected_result.json | 114 +- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 118 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 128 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 57 +- .../test/positive_expected_result.json | 188 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 118 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 150 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 102 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 126 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 1692 +++++++++++--- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 196 +- .../test/positive_expected_result.json | 192 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 320 ++- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 1940 ++++++++++++++--- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 156 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 220 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 346 ++- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 114 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 362 ++- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 150 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 126 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 218 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 128 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 220 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 150 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 216 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 236 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 21 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 148 +- .../test/positive_expected_result.json | 142 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 202 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 81 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 87 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 129 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 37 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 128 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 65 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 73 +- .../test/positive_expected_result.json | 146 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 79 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 71 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 102 +- .../test/positive_expected_result.json | 75 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 117 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 120 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 182 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 156 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 118 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 128 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 212 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 234 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 106 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 154 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 254 ++- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 90 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 204 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 134 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 146 +- .../test/positive_expected_result.json | 186 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 39 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 126 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 13 +- .../test/positive_expected_result.json | 250 ++- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 114 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 182 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 118 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 452 ++-- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 13 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 45 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 164 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 100 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 182 +- .../test/positive_expected_result.json | 168 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 398 +++- .../test/positive_expected_result.json | 476 +++- .../test/positive_expected_result.json | 398 +++- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 66 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 170 +- .../test/positive_expected_result.json | 178 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 130 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 138 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 134 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 340 ++- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 260 ++- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 398 +++- .../test/positive_expected_result.json | 398 +++- .../test/positive_expected_result.json | 396 +++- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 182 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 176 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 19 +- .../metadata.json | 3 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 126 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 63 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 65 +- .../test/positive_expected_result.json | 27 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 87 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 83 +- .../test/positive_expected_result.json | 83 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 9 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 83 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 19 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 140 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 10 +- test/queries_test.go | 6 + 1742 files changed, 59148 insertions(+), 15834 deletions(-) delete mode 100644 .github/scripts/generate-expected-results/main.go diff --git a/.github/scripts/generate-expected-results/main.go b/.github/scripts/generate-expected-results/main.go deleted file mode 100644 index db53ca5b74d..00000000000 --- a/.github/scripts/generate-expected-results/main.go +++ /dev/null @@ -1,257 +0,0 @@ -package main - -import ( - "encoding/json" - "fmt" - "os" - "os/exec" - "path/filepath" - "strings" -) - -// ── Metadata ────────────────────────────────────────────────────────────────── - -type Metadata struct { - ID string `json:"id"` -} - -// ── Scan result structures ──────────────────────────────────────────────────── - -type ScanFile struct { - FileName string `json:"file_name"` - SimilarityID string `json:"similarity_id"` - Line int `json:"line"` - ResourceType string `json:"resource_type"` - ResourceName string `json:"resource_name"` - SearchLine int `json:"search_line"` - SearchValue string `json:"search_value"` - ExpectedValue string `json:"expected_value"` - ActualValue string `json:"actual_value"` -} - -type Query struct { - QueryName string `json:"query_name"` - Severity string `json:"severity"` - Files []ScanFile `json:"files"` -} - -type ScanResult struct { - Queries []Query `json:"queries"` -} - -// ── Output structure ────────────────────────────────────────────────────────── - -type ExpectedResult struct { - QueryName string `json:"queryName"` - Severity string `json:"severity"` - Line int `json:"line"` - Filename string `json:"filename"` - ResourceType string `json:"resourceType"` - ResourceName string `json:"resourceName"` - SearchLine int `json:"searchLine"` - SearchValue string `json:"search_value"` - ExpectedValue string `json:"expected_value"` - ActualValue string `json:"actual_value"` - ResourceNameS string `json:"resource_name"` - ResourceTypeS string `json:"resource_type"` - SimilarityID string `json:"similarityID"` -} - -// ── Entry point ─────────────────────────────────────────────────────────────── - -func main() { - // The script must be executed from the KICS project root. - // e.g.: go run .github/scripts/generate-expected-results/main.go - root, err := os.Getwd() - if err != nil { - fatalf("getting working directory: %v", err) - } - - queriesRoot := filepath.Join(root, "assets", "queries") - - if _, err := os.Stat(queriesRoot); os.IsNotExist(err) { - fatalf("queries directory not found at %s — make sure you run this script from the KICS project root", queriesRoot) - } - - fmt.Printf("🔍 Scanning queries under: %s\n\n", queriesRoot) - - err = filepath.Walk(queriesRoot, func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - - // Skip 'common' directories entirely. - if info.IsDir() && info.Name() == "common" { - fmt.Printf("⏭️ Skipping common dir: %s\n", path) - return filepath.SkipDir - } - - if !info.IsDir() { - return nil - } - - // A query directory must contain both query.rego and metadata.json. - if !fileExists(filepath.Join(path, "query.rego")) || - !fileExists(filepath.Join(path, "metadata.json")) { - return nil - } - - fmt.Printf("✅ Found query: %s\n", path) - if err := processQuery(root, path); err != nil { - fmt.Fprintf(os.Stderr, "❌ Error processing %s: %v\n", path, err) - } - // Always skip going deeper once a query directory is found. - return filepath.SkipDir - }) - - if err != nil { - fatalf("walking queries directory: %v", err) - } - - fmt.Println("\n🎉 Done!") -} - -// ── Per-query processing ────────────────────────────────────────────────────── - -func processQuery(root, queryDir string) error { - // 1. Read the query ID from metadata.json. - metaPath := filepath.Join(queryDir, "metadata.json") - metaBytes, err := os.ReadFile(metaPath) - if err != nil { - return fmt.Errorf("reading metadata.json: %w", err) - } - - var meta Metadata - if err := json.Unmarshal(metaBytes, &meta); err != nil { - return fmt.Errorf("parsing metadata.json: %w", err) - } - - if meta.ID == "" { - return fmt.Errorf("metadata.json has an empty 'id' field") - } - - // 2. Build relative paths (relative to KICS root) for use in the command. - relQueryDir, err := filepath.Rel(root, queryDir) - if err != nil { - return fmt.Errorf("computing relative path: %w", err) - } - - relTestDir := filepath.Join(relQueryDir, "test") - relResultsDir := filepath.Join(relQueryDir, "results") - relPayloadsFile := filepath.Join(relQueryDir, "payloads", "all_payloads.json") - - // 3. Create results/ and payloads/ directories if they don't exist yet. - if err := os.MkdirAll(filepath.Join(queryDir, "results"), 0o755); err != nil { - return fmt.Errorf("creating results dir: %w", err) - } - - if err := os.MkdirAll(filepath.Join(queryDir, "payloads"), 0o755); err != nil { - return fmt.Errorf("creating payloads dir: %w", err) - } - - // 4. Run the KICS scan from the project root. - // go run .\cmd\console\main.go scan - // -p - // -o - // --output-name all_results.json - // -i - // -d - // -v - // --experimental-queries - mainGoPath := filepath.Join("cmd", "console", "main.go") - - cmd := exec.Command( - "go", "run", mainGoPath, - "scan", - "-p", relTestDir, - "-o", relResultsDir, - "--output-name", "all_results.json", - "-i", meta.ID, - "-d", relPayloadsFile, - "-v", - "--experimental-queries", - ) - cmd.Dir = root - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - - fmt.Printf("\n▶️ Running scan for: %s\n", relQueryDir) - fmt.Printf(" Command: go run %s scan -p %s -o %s --output-name all_results.json -i %s -d %s -v --experimental-queries\n\n", - mainGoPath, relTestDir, relResultsDir, meta.ID, relPayloadsFile) - - if err := cmd.Run(); err != nil { - return fmt.Errorf("running kics scan: %w", err) - } - - // 5. Parse the results and write positive_expected_result.json. - resultsFile := filepath.Join(queryDir, "results", "all_results.json") - return writePositiveExpectedResults(resultsFile, queryDir) -} - -// ── Result parsing & writing ────────────────────────────────────────────────── - -func writePositiveExpectedResults(resultsFile, queryDir string) error { - data, err := os.ReadFile(resultsFile) - if err != nil { - return fmt.Errorf("reading all_results.json: %w", err) - } - - var scanResult ScanResult - if err := json.Unmarshal(data, &scanResult); err != nil { - return fmt.Errorf("parsing all_results.json: %w", err) - } - - var expected []ExpectedResult - - for _, q := range scanResult.Queries { - for _, f := range q.Files { - filename := filepath.Base(f.FileName) - - // Only include entries whose file name starts with "positive". - if !strings.HasPrefix(filename, "positive") { - continue - } - - expected = append(expected, ExpectedResult{ - QueryName: q.QueryName, - Severity: q.Severity, - Line: f.Line, - Filename: filename, - ResourceType: f.ResourceType, - ResourceName: f.ResourceName, - SearchLine: f.SearchLine, - SearchValue: f.SearchValue, - ExpectedValue: f.ExpectedValue, - ActualValue: f.ActualValue, - ResourceNameS: f.ResourceName, - ResourceTypeS: f.ResourceType, - SimilarityID: f.SimilarityID, - }) - } - } - - outputPath := filepath.Join(queryDir, "test", "positive_expected_result.json") - outputBytes, err := json.MarshalIndent(expected, "", " ") - if err != nil { - return fmt.Errorf("marshaling expected results: %w", err) - } - - if err := os.WriteFile(outputPath, outputBytes, 0o644); err != nil { - return fmt.Errorf("writing positive_expected_result.json: %w", err) - } - - fmt.Printf("📄 Written: %s (%d entries)\n", outputPath, len(expected)) - return nil -} - -// ── Helpers ─────────────────────────────────────────────────────────────────── - -func fileExists(path string) bool { - _, err := os.Stat(path) - return !os.IsNotExist(err) -} - -func fatalf(format string, args ...any) { - fmt.Fprintf(os.Stderr, "fatal: "+format+"\n", args...) - os.Exit(1) -} diff --git a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json index 40450933989..85d8c08ef2c 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "my_elb_application", + "searchKey": "name={{my_elb_application}}.{{community.aws.elb_application_lb}}.listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", + "actualValue": "'aws_elb_application_lb' Protocol it's not 'HTTP'" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "my_elb_application2", + "searchKey": "name={{my_elb_application2}}.{{community.aws.elb_application_lb}}.listeners", + "searchValue": "", + "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", + "actualValue": "'aws_elb_application_lb' Protocol is missing" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json index d31968ad825..7282b7ea4f6 100644 --- a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Basic AMI Creation", + "searchKey": "name={{Basic AMI Creation}}.{{amazon.aws.ec2_ami}}.device_mapping.encrypted", + "searchValue": "", + "expectedValue": "ec2_ami.device_mapping.encrypted should be set to true", + "actualValue": "ec2_ami.device_mapping.encrypted is set to false" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Basic AMI Creation2", + "searchKey": "name={{Basic AMI Creation2}}.{{amazon.aws.ec2_ami}}", + "searchValue": "", + "expectedValue": "ec2_ami.device_mapping.device_name.encrypted should be set to true", + "actualValue": "ec2_ami.device_mapping.device_name.encrypted is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index 88b18dd84e1..964d4c3ea8e 100644 --- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 5 + "line": 11, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Allow AMI to be launched by another account", + "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "searchValue": "", + "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" }, { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Update AMI Launch Permissions, making it public", + "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "searchValue": "", + "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 1ed39fc54bd..fa19b98a94b 100644 --- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.endpoint_type", + "searchValue": "", + "expectedValue": "'aws_api_gateway.endpoint_type' should be set to 'PRIVATE'", + "actualValue": "'aws_api_gateway.endpoint_type' is not 'PRIVATE'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index aef74f95ba2..63291d5835a 100644 --- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudwatchlogs_log_group", + "resourceName": "Setup AWS API Gateway setup on AWS cloudwatchlogs", + "searchKey": "name={{Setup AWS API Gateway setup on AWS cloudwatchlogs}}.{{community.aws.cloudwatchlogs_log_group}}", + "searchValue": "", + "expectedValue": "cloudwatchlogs_log_grouptracing_enabled should contain log_group_name", + "actualValue": "cloudwatchlogs_log_group does not contain log_group_name defined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 9be124eee7b..44dafeb2d5f 100644 --- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yaml" + "line": 2, + "filename": "positive2.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}", + "searchValue": "", + "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set", + "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.yaml" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.swagger_dict", + "searchValue": "", + "expectedValue": "'community.aws.aws_api_gateway.swagger_dict' should have an authorizer set", + "actualValue": "'community.aws.aws_api_gateway.swagger_dict' does not have a authorizer set" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.yaml" + "filename": "positive4.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text", + "searchValue": "", + "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set", + "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive3.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_file", + "searchValue": "", + "expectedValue": "'aws_api_gateway.swagger_file' should have an authorizer set", + "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 211045f9e04..271927e2b0d 100644 --- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -1,25 +1,50 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 6 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 8 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 21 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 23 - } -] + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set to yes", + "actualValue": "aws_api_gateway.validate_certs is not set to yes" + }, + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "update API", + "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set to yes", + "actualValue": "aws_api_gateway.validate_certs is not set to yes" + }, + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition v1", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set", + "actualValue": "aws_api_gateway.validate_certs is undefined" + }, + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "update API v1", + "searchKey": "name={{update API v1}}.{{aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set", + "actualValue": "aws_api_gateway.validate_certs is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json index 02ac980101b..700acc0743f 100644 --- a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive.yaml" - } -] + { + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json index dbe97c3a028..b051d9d4974 100644 --- a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.tracing_enabled", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be true", + "actualValue": "aws_api_gateway.tracing_enabled is false" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Update API definition to deploy new version", + "searchKey": "name={{Update API definition to deploy new version}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be defined", + "actualValue": "aws_api_gateway.tracing_enabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json index 27bfe61de31..319048178e8 100644 --- a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 2 + "line": 9, + "filename": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined" }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_serial_number", + "expectedValue": "sts_assume_role.mfa_serial_number should be set", + "actualValue": "sts_assume_role.mfa_serial_number is undefined" }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.sts_assume_role", + "resourceName": "Assume an existing role", + "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index ba9b8c747ce..d77e1ed0bc8 100644 --- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" + "line": 2, + "filename": "positive2.yaml", + "resourceType": "ec2_asg", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{ec2_asg}}", + "searchValue": "", + "expectedValue": "ec2_asg.load_balancers should be set and not empty", + "actualValue": "ec2_asg.load_balancers is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_asg", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.ec2_asg}}.load_balancers", + "searchValue": "", + "expectedValue": "community.aws.ec2_asg.load_balancers should not be empty", + "actualValue": "community.aws.ec2_asg.load_balancers is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 2cff287eee5..90fad5f9a7a 100644 --- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 10 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", + "actualValue": "rds_instance.auto_minor_version_upgrade is undefined" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 12 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", + "actualValue": "rds_instance.auto_minor_version_upgrade is false" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 858725018b5..1c0b9d6d7ba 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 9 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias Password policy for AWS account", + "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" }, { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 21 + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index f1d91515e25..c132971238b 100644 --- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ { - "line": 9, "queryName": "Batch Job Definition With Privileged Container Properties", - "severity": "HIGH" + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_batch_job_definition", + "resourceName": "My Batch Job Definition", + "searchKey": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged", + "searchValue": "", + "expectedValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged should be set to 'false' or not set", + "actualValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged is 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 222b4d17cd8..3c4bcd45f9a 100644 --- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.ca_certificate_identifier", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should equal to 'rds-ca-2019'", + "actualValue": "rds_instance.ca_certificate_identifier is not equal to 'rds-ca-2019'" }, { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should be defined", + "actualValue": "rds_instance.ca_certificate_identifier is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json index b448a833b84..41255f89f7e 100644 --- a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 2 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", + "searchValue": "", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 23 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "origins", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json index 58dbbac7544..956aeff2050 100644 --- a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Certificate Has Expired", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should not have expired", + "actualValue": "'community.aws.aws_acm.certificate' has expired" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index 26c7b277c74..08dca83ff31 100644 --- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should use a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with a length equal to or higher than 256 bytes" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 45d5f284ccf..dfdfd381cb7 100644 --- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 62, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a second distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging.enabled should be true", + "actualValue": "cloudfront_distribution.logging.enabled is false" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 62 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging should be defined", + "actualValue": "cloudfront_distribution.logging is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index f5d18279262..c22c014fdd1 100644 --- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 18 + "line": 37, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create another distribution with an origin and logging", + "searchKey": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1.1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 37 + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a third distribution", + "searchKey": "name={{create a third distribution}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.viewer_certificate should be defined", + "actualValue": "cloudfront_distribution.viewer_certificate is undefined" }, { - "line": 40, "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin and logging", + "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json index f4dbbfce596..336c867d0bb 100644 --- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults and tags", + "searchKey": "name={{create a basic distribution with defaults and tags}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.web_acl_id should be defined", + "actualValue": "cloudfront_distribution.web_acl_id is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 4e971a4b33b..c8234d5152f 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "create multi-region trail with validation and tags", + "searchKey": "name={{create multi-region trail with validation and tags}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.enable_log_file_validation or cloudtrail.log_file_validation_enabled should be defined", + "actualValue": "cloudtrail.enable_log_file_validation and cloudtrail.log_file_validation_enabled are undefined" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "create multi-region trail with validation and tags v7", + "searchKey": "name={{create multi-region trail with validation and tags v7}}.{{community.aws.cloudtrail}}.enable_log_file_validation", + "searchValue": "", + "expectedValue": "cloudtrail.enable_log_file_validation should be set to true or yes", + "actualValue": "cloudtrail.enable_log_file_validation is not set to true nor yes" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index f8ba4b8005d..06cec696874 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "no sns topic name", + "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.kms_key_id should be set", + "actualValue": "cloudtrail.kms_key_id is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 8e57b93dc88..867a626de15 100644 --- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.cloudtrail}}.enable_logging", + "searchValue": "", + "expectedValue": "cloudtrail.enable_logging should be true", + "actualValue": "cloudtrail.enable_logging is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index f69ea5b8494..cc0d03ebe82 100644 --- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 7 + "line": 18, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true", + "actualValue": "cloudtrail.is_multi_region_trail is undefined" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 18 + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail", + "searchValue": "", + "expectedValue": "cloudtrail.is_multi_region_trail should be true", + "actualValue": "cloudtrail.is_multi_region_trail is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 1a0aa93a791..3e690b42cdb 100644 --- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -1,22 +1,50 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 2, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "positive1", + "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", + "searchValue": "cloudwatch_logs_log_group_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 2, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "positive1", + "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", + "searchValue": "cloudwatch_logs_role_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "positive2", + "searchKey": "name={{positive2}}.{{community.aws.cloudtrail}}", + "searchValue": "cloudwatch_logs_log_group_arn", + "expectedValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", + "actualValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 27 + "line": 27, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "positive3", + "searchKey": "name={{positive3}}.{{community.aws.cloudtrail}}", + "searchValue": "cloudwatch_logs_role_arn", + "expectedValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", + "actualValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index 85466e93e7a..13c83791139 100644 --- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 2 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "sns topic name defined", + "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name", + "searchValue": "", + "expectedValue": "cloudtrail.sns_topic_name should be set", + "actualValue": "cloudtrail.sns_topic_name is empty" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 15 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "no sns topic name", + "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.sns_topic_name should be set", + "actualValue": "cloudtrail.sns_topic_name is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 09180c09cd9..22df8b8b6fa 100644 --- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 2 + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudwatchlogs_log_group", + "resourceName": "example2 ec2 group", + "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention", + "searchValue": "", + "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid", + "actualValue": "cloudwatchlogs_log_group.retention is set and invalid" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 7 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudwatchlogs_log_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}", + "searchValue": "", + "expectedValue": "cloudwatchlogs_log_group.retention should be set", + "actualValue": "cloudwatchlogs_log_group.retention is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json index e29e5d54553..c0e999606df 100644 --- a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window", + "searchValue": "", + "expectedValue": "community.aws.aws_kms.pending_window should be undefined", + "actualValue": "community.aws.aws_kms.pending_windowis is set" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key1", + "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled", + "searchValue": "", + "expectedValue": "community.aws.aws_kms.enabled should be set to true", + "actualValue": "community.aws.aws_kms.enabled is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json index 1515aadbc47..f79f8576508 100644 --- a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation", + "searchValue": "", + "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true", + "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 7, - "fileName": "positive2.yaml" + "line": 2, + "filename": "positive1.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key", + "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}", + "searchValue": "", + "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set", + "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json index 73a4efdc353..e14f25f985a 100644 --- a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "CodeBuild Not Encrypted", - "severity": "MEDIUM", - "line": 2 - } - -] + { + "queryName": "CodeBuild Not Encrypted", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_codebuild", + "resourceName": "My project", + "searchKey": "name={{My project}}.{{community.aws.aws_codebuild}}", + "searchValue": "", + "expectedValue": "aws_codebuild.encryption_key should be set", + "actualValue": "aws_codebuild.encryption_key is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index db2fb69850e..cd38ebd3b2e 100644 --- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_config_aggregator", + "resourceName": "Create cross-account aggregator", + "searchKey": "name={{Create cross-account aggregator}}.{{community.aws.aws_config_aggregator}}.account_sources.all_aws_regions", + "searchValue": "", + "expectedValue": "'aws_config_aggregator.account_sources' should have all_aws_regions set to true", + "actualValue": "'aws_config_aggregator.account_sources' has all_aws_regions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_config_aggregator", + "resourceName": "Create cross-account aggregator2", + "searchKey": "name={{Create cross-account aggregator2}}.{{community.aws.aws_config_aggregator}}.organization_source.all_aws_regions", + "searchValue": "", + "expectedValue": "'aws_config_aggregator.organization_source' should have all_aws_regions set to true", + "actualValue": "'aws_config_aggregator.organization_source' has all_aws_regions set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 8310f19905b..55a63ea0b2f 100644 --- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_config_rule", + "resourceName": "foo", + "searchKey": "name={{foo}}", + "searchValue": "", + "expectedValue": "There should be a aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'", + "actualValue": "There is no aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index a68d8c5122c..a8a67ef881f 100644 --- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "community.aws.iam_role", + "resourceName": "Create a role with description and tags3", + "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document", + "searchValue": "", + "expectedValue": "assume_role_policy_document should not contain ':root", + "actualValue": "assume_role_policy_document contains ':root'" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.iam_role", + "resourceName": "Create a role with description and tags2", + "searchKey": "name={{Create a role with description and tags2}}.{{community.aws.iam_role}}.assume_role_policy_document", + "searchValue": "", + "expectedValue": "assume_role_policy_document should not contain ':root", + "actualValue": "assume_role_policy_document contains ':root'" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.iam_role", + "resourceName": "Create a role with description and tags", + "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document", + "searchValue": "", + "expectedValue": "assume_role_policy_document should not contain ':root", + "actualValue": "assume_role_policy_document contains ':root'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 3f8f176a5fa..3d206aabf97 100644 --- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 7 - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 17 - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 23 - } -] + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.rds_instance}}.storage_encrypted", + "searchValue": "", + "expectedValue": "rds_instance.storage_encrypted should be set to true", + "actualValue": "rds_instance.storage_encrypted is set to false" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{community.aws.rds_instance}}.storage_encrypted", + "searchValue": "", + "expectedValue": "rds_instance.storage_encrypted should be set to true", + "actualValue": "rds_instance.storage_encrypted is set to false" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.storage_encrypted should be set to true", + "actualValue": "rds_instance.storage_encrypted is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 0c0d773c5d5..623a0a3d338 100644 --- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", + "searchValue": "", + "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", + "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0,10.0.0.0/8,192.168.1.0/24]" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json index dc66872abf9..b6b78c334b8 100644 --- a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", + "searchValue": "", + "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", + "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0]" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 53 + "line": 53, + "filename": "positive.yaml", + "resourceType": "ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules_egress.cidr_ip", + "searchValue": "", + "expectedValue": "'ec2_group.rules_egress.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", + "actualValue": "'ec2_group.rules_egress.cidr_ip' is [0.0.0.0/0]" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index fbf9d83dbd4..0935555d82e 100644 --- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 17 + "line": 30, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example2 ec2 group", + "searchKey": "name={{example2 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ip={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules_egress.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 30 + "line": 61, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example4 ec2 group", + "searchKey": "name={{example4 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6={{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 48 + "line": 83, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example5 ec2 group", + "searchKey": "name={{example5 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6.{{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 61 + "line": 17, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 83 + "line": 48, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example3 ec2 group", + "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 7c506eb099d..23d89c7c259 100644 --- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 5 + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume02", + "searchKey": "name={{Creating EBS volume02}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 12 + "line": 19, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume03", + "searchKey": "name={{Creating EBS volume03}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 19 + "line": 24, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume04", + "searchKey": "name={{Creating EBS volume04}}.{{amazon.aws.ec2_vol}}", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be defined", + "actualValue": "ec2_vol.encrypted is undefined" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 24 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume01", + "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json index 422c66bd094..60aa9c98562 100644 --- a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "EC2 Group Has Public Interface", - "severity": "HIGH", - "line": 22, - "fileName": "positive.yaml" - } -] + { + "queryName": "EC2 Group Has Public Interface", + "severity": "HIGH", + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", + "searchValue": "", + "expectedValue": "'ec2_group.rules.cidr_ip' should not be 0.0.0.0/0", + "actualValue": "'ec2_group.rules.cidr_ip' is 0.0.0.0/0" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index a9c99cf8b4d..48552cb2fb6 100644 --- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2.assign_public_ip is 'yes'" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 15 + "line": 24, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a public IP address", + "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2_instance.network.assign_public_ip is 'true'" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 24 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_launch_template", + "resourceName": "Create an ec2 launch template", + "searchKey": "name={{Create an ec2 launch template}}.{{community.aws.ec2_launch_template}}.network_interfaces.associate_public_ip_address", + "searchValue": "", + "expectedValue": "ec2_launch_template.network_interfaces.associate_public_ip_address should be set to false, 'no' or undefined", + "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 0d4b8742ab6..e22c594cb81 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 8007e2c024b..5d4c3c4af86 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "EC2 Instance Using Default VPC", - "severity": "LOW", - "line": 8, - "fileName": "positive.yaml" - } -] + { + "queryName": "EC2 Instance Using Default VPC", + "severity": "LOW", + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.vpc_subnet_id", + "searchValue": "", + "expectedValue": "'vpc_subnet_id' should not be associated with a default VPC", + "actualValue": "'vpc_subnet_id' is associated with a default VPC" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index d41d61c38f5..781b250899a 100644 --- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.ebs_optimized", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 ebs_optimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true." } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 738ab12a4ba..b1d6c129797 100644 --- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -1,13 +1,26 @@ [ - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 2 - }, - - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 7 - } -] + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo v2", + "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", + "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'" + }, + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo", + "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set ", + "actualValue": "ecs_ecr.image_tag_mutability is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 5676de08d61..38a52543f95 100644 --- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 4 + "line": 4, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as object", + "searchKey": "name={{set-policy as object}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'" }, { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as string", + "searchKey": "name={{set-policy as string}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 0b9e1c22307..7ddc6f1a72e 100644 --- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "ECS Service Admin Role Is Present", - "severity": "HIGH", - "line": 9 - } -] + { + "queryName": "ECS Service Admin Role Is Present", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "ECS Service", + "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}.role", + "searchValue": "", + "expectedValue": "ecs_service.role should not be an admin role", + "actualValue": "ecs_service.role is an admin role" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index b8fd110dab6..d44762256c9 100644 --- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ECS Service Without Running Tasks", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "ECS Service", + "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}", + "searchValue": "", + "expectedValue": "community.aws.ecs_service.deployment_configuration should be defined", + "actualValue": "%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index a40ef0f6b38..b8fd004b8de 100644 --- a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{community.aws.ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' is set to true" }, { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'ecs_service.network_configuration.assign_public_ip' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 84a0f173861..6ef0d9fae10 100644 --- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition", + "searchKey": "name={{Create task definition}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'default'" }, { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition2", + "searchKey": "name={{Create task definition2}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json index 970263b7fe3..fd763f8516d 100644 --- a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6 + "line": 25, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is undefined" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 17 + "line": 6, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 25 + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json index 8995f772a8e..b9017c4afe5 100644 --- a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.kms_key_id should be set", + "actualValue": "efs.kms_key_id is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json index 8594bf83818..61763b17149 100644 --- a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "EFS Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "EFS provisioning without tags", + "searchKey": "name={{EFS provisioning without tags}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags should be set", + "actualValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json index a729b0e9d1c..ec2cbe69f14 100644 --- a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example2", + "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 6379", + "actualValue": "'cache_port' is set to 6379" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 11211", + "actualValue": "'cache_port' is set to 11211" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json index 6367ea5e9ee..9aa6b98b743 100644 --- a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "ElastiCache Without VPC", - "severity": "LOW", - "line": 2, - "fileName": "positive.yaml" - } -] + { + "queryName": "ElastiCache Without VPC", + "severity": "LOW", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}", + "searchValue": "", + "expectedValue": "'cache_subnet_group' should be defined and not null", + "actualValue": "'cache_subnet_group' is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index db63e1ea6e3..6d2387e8020 100644 --- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 0c3e3ad87ae..20632feb1c5 100644 --- a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 21 + "line": 52, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 40 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 52 + "line": 70, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 70 + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 89 + "line": 89, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy is a secure protocol", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is an insecure protocol" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json index deda62d1c26..c594becca83 100644 --- a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -1,32 +1,74 @@ [ - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 3 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 40 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 52 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 70 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 89 - } -] + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 89, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 52, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 70, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json index af7fa0f090a..e96eef9f4f3 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a cpu_options", + "searchKey": "name={{start an instance with a cpu_options}}.{{community.aws.ec2_instance}}.user_data", + "searchValue": "", + "expectedValue": "'ec2_instance.user_data' shouldn't contain access key", + "actualValue": "'ec2_instance.user_data' contains access key" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index e0069607293..16f5c943a85 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation", + "searchKey": "name={{looped creation}}.{{community.aws.lambda}}.aws_access_key", + "searchValue": "", + "expectedValue": "lambda.aws_access_key should not be in plaintext", + "actualValue": "lambda.aws_access_key is in plaintext" }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 32 + "line": 32, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "remove tags", + "searchKey": "name={{remove tags}}.{{community.aws.lambda}}.aws_access_key", + "searchValue": "", + "expectedValue": "lambda.aws_access_key should not be in plaintext", + "actualValue": "lambda.aws_access_key is in plaintext" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json index 094f0bad534..4f2d32bfe5b 100644 --- a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 9 + "line": 23, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 23 + "line": 36, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 36 + "line": 49, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group4", + "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49 + "line": 64, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 64 + "line": 79, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 79 + "line": 93, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 93 + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 0935349027b..29a898ed721 100644 --- a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 7 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 26 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 36 - } -] + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 36, + "filename": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Update user", + "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is 'jdavila' for an active access key" + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 26, + "filename": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create Two Groups, Mario and Luigi", + "searchKey": "name={{Create Two Groups, Mario and Luigi}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is '{{ item }}' for an active access key" + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create two new IAM users with API keys", + "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is '{{ item }}' for an active access key" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 3e10b8cd6a2..ace2ce64747 100644 --- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 9 + "line": 22, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "searchValue": "", + "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", + "actualValue": "rds_instance.enable_iam_database_authentication is disabled" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 22 + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "searchValue": "", + "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", + "actualValue": "rds_instance.enable_iam_database_authentication is disabled" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json index 476d69ce3c0..62adad52a9d 100644 --- a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "iam_group", + "resourceName": "Group1", + "searchKey": "name={{Group1}}.{{iam_group}}", + "searchValue": "", + "expectedValue": "iam_group.users should be defined and not null", + "actualValue": "iam_group.users is undefined or null" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "iam_group", + "resourceName": "Group2", + "searchKey": "name={{Group2}}.{{iam_group}}", + "searchValue": "", + "expectedValue": "iam_group.users should be defined and not null", + "actualValue": "iam_group.users is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 11e6af830a7..7c52e075185 100644 --- a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 2 + "line": 16, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "aws_iam_account_password_policy", + "searchKey": "name={{aws_iam_account_password_policy}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", + "searchValue": "", + "expectedValue": "iam_password_policy.min_pw_length should be set and no less than 8", + "actualValue": "iam_password_policy.min_pw_length is less than 8" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 16 + "line": 27, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "aws_iam_account_password_policy_2", + "searchKey": "name={{aws_iam_account_password_policy_2}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", + "searchValue": "", + "expectedValue": "iam_password_policy.minimum_password_length should be set and no less than 8", + "actualValue": "iam_password_policy.minimum_password_length is less than 8" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 27 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8", + "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 3eb0b178029..4107a2b9160 100644 --- a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "IAM Policies Attached To User", - "severity": "MEDIUM", - "line": 3 - } -] + { + "queryName": "IAM Policies Attached To User", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_policy", + "resourceName": "Assign a policy called Admin to user", + "searchKey": "name={{Assign a policy called Admin to user}}.{{community.aws.iam_policy}}.iam_type", + "searchValue": "", + "expectedValue": "iam_policy.iam_type should be configured with group or role", + "actualValue": "iam_policy.iam_type is configured with user" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index c8eb04cd6f1..2158976522f 100644 --- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Action should not contain '*'", + "actualValue": "iam_managed_policy.policy.Statement.Action contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index 4caf867fb9d..5624fdda872 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain '*'", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 6b957568732..19fe9cba72f 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 4, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should no be equal to '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 770a1a9129e..024ff76dafc 100644 --- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'" }, { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 17, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create2 IAM Managed Policy", + "searchKey": "name={{Create2 IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index f43bdfb60d9..a1ff963da54 100644 --- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -1,122 +1,242 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 32, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 2, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 29, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 35, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 47, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive5.yaml" - } -] + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive2.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming", + "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 29, + "filename": "positive2.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming", + "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 32, + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive4.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive5.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive5.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive4.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive3.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration", + "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive1.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive4.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 35, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive4.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive5.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive5.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 2, + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance", + "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json index fa4b4be12f2..98cc820a642 100644 --- a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 2 + "line": 18, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "Start an instance and have it begin a Tower callback on boot v2", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", + "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined" }, { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 18 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "Start an instance and have it begin a Tower callback on boot", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "community.aws.ec2_instance.vpc_subnet_id should be set", + "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 579cb51f9e7..f9c40ffa4bf 100644 --- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 2 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v3", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v3}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set", + "actualValue": "kinesis_stream.encryption_type is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 16 + "line": 44, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v5", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.key_id should be set", + "actualValue": "kinesis_stream.key_id is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 23 + "line": 16, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v2", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set to enabled", + "actualValue": "kinesis_stream.encryption_state is not set to enabled" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 38 + "line": 38, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v4", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v4}}.{{community.aws.kinesis_stream}}.encryption_type", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set and not NONE", + "actualValue": "kinesis_stream.encryption_type is set but NONE" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 44 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream.", + "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set", + "actualValue": "kinesis_stream.encryption_state is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json index bfae2532cb7..3b5ad678cbe 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 5, - "fileName": "positive.yaml" + "line": 3, + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", + "searchValue": "", + "expectedValue": "'policy' should be undefined or null", + "actualValue": "'policy' is defined and not null" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 3, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key", + "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}.policy", + "searchValue": "", + "expectedValue": "aws_kms.policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json index 39bea3ef11d..1e91399545f 100644 --- a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Lambda Function Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "add tags", + "searchKey": "name={{add tags}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "name={{add tags}}.{{community.aws.lambda}}.tags should be defined", + "actualValue": "name={{add tags}}.{{community.aws.lambda}}.tags is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 1b3f379b1a1..9041a5ac127 100644 --- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation", + "searchKey": "name={{looped creation}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set", + "actualValue": "lambda.tracing_mode is undefined" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation V2", + "searchKey": "name={{looped creation V2}}.{{community.aws.lambda}}.tracing_mode", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set to 'Active'", + "actualValue": "lambda.tracing_mode is not set to 'Active'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json index ac77dd2ec5c..ac770bdcc0a 100644 --- a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Lambda Permission Misconfigured", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 notification positive", + "searchKey": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action", + "searchValue": "", + "expectedValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action should be 'lambda:InvokeFunction'", + "actualValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action is lambda:CreateFunction" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 5e494d7d90e..1ee54fdf508 100644 --- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ { - "line": 8, "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal", + "searchValue": "", + "expectedValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal shouldn't contain a wildcard", + "actualValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal contains a wildcard" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json index 5793a13e191..96c27a80ee6 100644 --- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 8 + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v2", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set", + "actualValue": "ec2_lc.volumes[0].encrypted is undefined" }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 22 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set to true or yes", + "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes" }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v3", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v3}}.{{ec2_lc}}", + "searchValue": "", + "expectedValue": "ec2_lc.volumes should be set", + "actualValue": "ec2_lc.volumes is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 16b5f7cbeab..606842f2f1b 100644 --- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 2 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Extreme Password policy for AWS account", + "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 21 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Missing Password policy for AWS account", + "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 33 + "line": 33, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias extreme Password policy for AWS account", + "searchKey": "name={{Alias extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.password_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json index 9efdc650bfc..4394a7e84ea 100644 --- a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "cloudformation.stack_policy should be set", + "actualValue": "cloudformation.stack_policy is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json index 1dacba2e48f..8afdfe7dca6 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 3 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account2", + "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 23 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account3", + "searchKey": "name={{Password policy for AWS account3}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index db5c9004dc2..e997514223f 100644 --- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM", - "line": 9 - } -] + { + "queryName": "Public Lambda via API Gateway", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{lambda_policy}}.source_arn", + "searchValue": "", + "expectedValue": "lambda_policy.source_arn should not equal to '/*/*'", + "actualValue": "lambda_policy.source_arn is equal to '/*/*'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json index 697c1bac5ea..fa702f76624 100644 --- a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 8 - }, - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 12 - } -] + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't have public port wide", + "actualValue": "ec2_group.rules[0] has public port wide" + }, + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] shouldn't have public port wide", + "actualValue": "ec2_group.rules[1] has public port wide" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 4d438cbfa35..6dfb39e510b 100644 --- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 9, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 75c61207d63..055fbb0bc3e 100644 --- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds_instance.publicly_accessible should be false", + "actualValue": "community.aws.rds_instance.publicly_accessible is true" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "community.aws.rds", + "resourceName": "community - Basic mysql provisioning example", + "searchKey": "name={{community - Basic mysql provisioning example}}.{{community.aws.rds}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds.publicly_accessible should be false", + "actualValue": "community.aws.rds.publicly_accessible is true" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json index 0282b397a25..255dcaa56be 100644 --- a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 3306", + "actualValue": "'port' is set to 3306" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 1433", + "actualValue": "'port' is set to 1433" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 5432", + "actualValue": "'port' is set to 5432" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive4.yaml" + "filename": "positive3.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 1521", + "actualValue": "'port' is set to 1521" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json index 61f421b9d95..0a89a3cffe1 100644 --- a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.backup_retention_period", + "searchValue": "", + "expectedValue": "rds_instance should have the property 'backup_retention_period' greater than 0", + "actualValue": "rds_instance has the property 'backup_retention_period' assigned to 0" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json index b9ec5be90a3..6d38b972dc1 100644 --- a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Not Compliant", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_engine_version", + "searchValue": "", + "expectedValue": "elasticache.cache_engine_version should be compliant with the AWS PCI DSS requirements", + "actualValue": "elasticache.cache_engine_version isn't compliant with the AWS PCI DSS requirements" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json index e51ed569eba..211a9cc4d55 100644 --- a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 2 + "line": 19, + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example2", + "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is set to false" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 19 + "line": 29, + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example3", + "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is set to false" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 29 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example", + "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json index 183c583e6ea..0fe28c33a65 100644 --- a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 9 + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example05", + "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 25, + "filename": "positive.yaml", + "resourceType": "redshift", + "resourceName": "Basic cluster provisioning example06", + "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 25 + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example04", + "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json index 8241a36870f..b53dc532c2b 100644 --- a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 8, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Redshift", + "searchKey": "name={{Redshift}}.{{community.aws.redshift}}.port", + "searchValue": "", + "expectedValue": "redshift.port should not be set to 5439", + "actualValue": "redshift.port is set to 5439" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json index 656120158f2..2eade52c07b 100644 --- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 9 + "line": 79, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 23 + "line": 93, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 36 + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49 + "line": 23, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 64 + "line": 36, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 79 + "line": 49, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group4", + "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 93 + "line": 64, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 25b4a19110d..86e3549fa2d 100644 --- a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create two new IAM users with API keys", + "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}", + "searchValue": "", + "expectedValue": "iam should not be active for a root account", + "actualValue": "iam is active for a root account" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json index f2880c7d7f9..c5c9e783f4f 100644 --- a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Route53 Record Undefined", - "severity": "HIGH", - "line": 3 - }, - { - "queryName": "Route53 Record Undefined", - "severity": "HIGH", - "line": 14 - } -] + { + "queryName": "Route53 Record Undefined", + "severity": "HIGH", + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.route53", + "resourceName": "Use a routing policy to distribute traffic02", + "searchKey": "name={{Use a routing policy to distribute traffic02}}.{{community.aws.route53}}", + "searchValue": "", + "expectedValue": "route53.value should be defined or not null", + "actualValue": "route53.value is undefined or null" + }, + { + "queryName": "Route53 Record Undefined", + "severity": "HIGH", + "line": 14, + "filename": "positive.yaml", + "resourceType": "community.aws.route53", + "resourceName": "Use a routing policy to distribute traffic03", + "searchKey": "name={{Use a routing policy to distribute traffic03}}.{{community.aws.route53}}", + "searchValue": "", + "expectedValue": "route53.value should be defined or not null", + "actualValue": "route53.value is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index a0c9e642dd8..fc52ffd8ccf 100644 --- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 4, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create a simple s3 bucket with a policy", + "searchKey": "name={{Create a simple s3 bucket with a policy}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket.policy.Statement shouldn't make the bucket accessible to all AWS Accounts", + "actualValue": "s3_bucket.policy.Statement does make the bucket accessible to all AWS Accounts" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 18d2e29c9e0..db4fb911d36 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket", + "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all user groups", + "actualValue": "aws_s3 has read access for all user groups" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket2", + "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all user groups", + "actualValue": "aws_s3 has read access for all user groups" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 87d25ea164a..7e54f45e61a 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket2", + "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all authenticated users", + "actualValue": "aws_s3 has read access for all authenticated users" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index 06c2ef921aa..9445db35847 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Delete Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Delete Action From All Principals" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index 8f1b3fbcadf..efb3d37c071 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Get Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Get Action From All Principals" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 29ade8a428f..4c890f3aff0 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow List Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows List Action From All Principals" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index c876ed36f9f..588e4253135 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Put Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Put Action From All Principals" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 312ed116fe5..341c78ce547 100644 --- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create S3 bucket", + "searchKey": "name={{Create S3 bucket}}.{{amazon.aws.s3_bucket}}.debug_botocore_endpoint_logs", + "searchValue": "", + "expectedValue": "s3_bucket.debug_botocore_endpoint_logs should be true", + "actualValue": "s3_bucket.debug_botocore_endpoint_logs is false" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index fafb06cc6bd..32af7c6ff95 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create s3 bucket", + "searchKey": "name={{Create s3 bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json index aa8f4a2d3a9..acca18c30c1 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "S3 Bucket With Public Access", "severity": "CRITICAL", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket", + "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3.permission shouldn't allow public access", + "actualValue": "aws_s3.permission allows public access" }, { "queryName": "S3 Bucket With Public Access", "severity": "CRITICAL", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket 01", + "searchKey": "name={{Create an empty bucket 01}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3.permission shouldn't allow public access", + "actualValue": "aws_s3.permission allows public access" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 92201a3d8d4..da06d618da5 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.aws_s3_cors", + "resourceName": "Create s3 bucket2", + "searchKey": "name={{Create s3 bucket2}}.{{community.aws.aws_s3_cors}}.rules", + "searchValue": "", + "expectedValue": "community.aws.aws_s3_cors[0] should not allow all methods, all headers or several origins", + "actualValue": "community.aws.aws_s3_cors[0] allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "aws_s3_cors", + "resourceName": "Create s3 bucket4", + "searchKey": "name={{Create s3 bucket4}}.{{aws_s3_cors}}.rules", + "searchValue": "", + "expectedValue": "aws_s3_cors[0] should not allow all methods, all headers or several origins", + "actualValue": "aws_s3_cors[0] allows all methods, all headers or several origins" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json index 64fca39c902..645f63faaff 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create a simple s3 bucket", + "searchKey": "name={{Create a simple s3 bucket}}.{{amazon.aws.s3_bucket}}.encryption", + "searchValue": "", + "expectedValue": "s3_bucket.encryption should not be 'none'", + "actualValue": "s3_bucket.encryption is 'none'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json index b92ee4c0630..419111f5de2 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 3 + "line": 15, + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning", + "searchValue": "", + "expectedValue": "s3_bucket should have versioning set to true", + "actualValue": "s3_bucket does has versioning set to false" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 15 + "line": 3, + "filename": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}", + "searchValue": "", + "expectedValue": "s3_bucket should have versioning set to true", + "actualValue": "s3_bucket does not have versioning (defaults to false)" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json index 0c32f95eaa3..2b344ecbd8b 100644 --- a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version should be TLSv1.1 or TLSv1.2", + "actualValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version isn't TLSv1.1 or TLSv1.2" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json index 6f227d16122..ccddfef5fd2 100644 --- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] should be restricted", + "actualValue": "ec2_group.rules[0] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 12 + "line": 27, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] should be restricted", + "actualValue": "ec2_group.rules[0] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 16 + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 27 + "line": 31, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 31 + "line": 16, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] should be restricted", + "actualValue": "ec2_group.rules[2] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 35 + "line": 35, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] should be restricted", + "actualValue": "ec2_group.rules[2] is not restricted" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 494b7d0ff8b..2819965670b 100644 --- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[0] SSH' (Port:22) is public" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[1] SSH' (Port:22) is public" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 16 + "line": 16, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[2] SSH' (Port:22) is public" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json index 3f258837a38..b80e58527d5 100644 --- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SES Policy With Allowed IAM Actions", "severity": "HIGH", "line": 5, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.aws_ses_identity_policy", + "resourceName": "add sending authorization policy to email identityyy", + "searchKey": "name={{add sending authorization policy to email identityyy}}.{{community.aws.aws_ses_identity_policy}}.policy", + "searchValue": "", + "expectedValue": "'policy' should not allow IAM actions to all principals", + "actualValue": "'policy' allows IAM actions to all principals" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 879a626a397..1dcc880b001 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 23, - "fileName": "positive1.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 52, - "fileName": "positive1.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 23, - "fileName": "positive2.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 55, - "fileName": "positive2.yaml" - } -] + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 52, + "filename": "positive1.yaml", + "resourceType": "sns_topic", + "resourceName": "Create alarm SNS topic", + "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 23, + "filename": "positive1.yaml", + "resourceType": "community.aws.sns_topic", + "resourceName": "Create alarm SNS topic community", + "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 55, + "filename": "positive2.yaml", + "resourceType": "sns_topic", + "resourceName": "Create alarm SNS topic", + "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 23, + "filename": "positive2.yaml", + "resourceType": "community.aws.sns_topic", + "resourceName": "Create alarm SNS topic community", + "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index a3eb82d8f96..476a6ce835c 100644 --- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 9 + "line": 65, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 5", + "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 23 + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions", + "searchKey": "name={{example using security group rule descriptions}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 37 + "line": 23, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 2", + "searchKey": "name={{example using security group rule descriptions 2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 51 + "line": 37, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 3", + "searchKey": "name={{example using security group rule descriptions 3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 65 + "line": 51, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 4", + "searchKey": "name={{example using security group rule descriptions 4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index c16a93df09f..46b53984359 100644 --- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 10, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Second SQS queue with policy", + "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Statement should not contain Action equal to '*'", + "actualValue": "sqs_queue.policy.Statement contains Action equal to '*'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 0e7522dd585..18f4abc6ccb 100644 --- a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 10, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "First SQS queue with policy", + "searchKey": "name={{First SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", + "actualValue": "sqs_queue.policy.Principal is equal to '*'" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 28, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Second SQS queue with policy", + "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", + "actualValue": "sqs_queue.policy.Principal is equal to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json index f2422275416..69d78e4336b 100644 --- a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 10, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible" }, { "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 31, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "example with list", + "searchKey": "name={{example with list}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 9508951fea5..d99f390e4dc 100644 --- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 2 + "line": 22, + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Create FIFO queue", + "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 16 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Create SQS queue with redrive policy", + "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 22 + "line": 16, + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Drop redrive policy", + "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Tag queue", + "searchKey": "name={{Tag queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json index 092c000c61f..7d742abc82c 100644 --- a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Stack Notifications Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "cloudformation.notification_arns should be set", + "actualValue": "cloudformation.notification_arns is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json index 26d12a6c987..affb9286dd7 100644 --- a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 2 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "on subsequent calls, templates are optional but parameters and tags can be altered", + "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks", + "searchValue": "", + "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false", + "actualValue": "cloudformation_stack_set.purge_stacks is true" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 23 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "cloudformation_stack_set.purge_stacks should be set", + "actualValue": "cloudformation_stack_set.purge_stacks is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json index 45c13d3d70f..93130f55db0 100644 --- a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Stack Without Template", "severity": "LOW", - "line": 2 + "line": 30, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes template, template_body and template_url set", + "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 15 + "line": 2, + "filename": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set", + "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 30 + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts v2", + "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set", + "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 40 + "line": 15, + "filename": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL v2", + "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set", + "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 05f6d2f3c8f..d4e07ea469c 100644 --- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 9 - }, - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 13 - } -] + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 13, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet" + }, + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index e600c057d23..db7ea03e6d3 100644 --- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{amazon.aws.ec2_group}}.rules.cidr_ip={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 28 + "line": 28, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 55 + "line": 55, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example4", + "searchKey": "name={{example4}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6.{{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 772c99ba9f8..f92ace115e3 100644 --- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 9 - } -] + { + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.user_data", + "searchValue": "", + "expectedValue": "ec2_lc.user_data should not contain RSA Private Key", + "actualValue": "ec2_lc.user_data contains RSA Private Key" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json index 7a3f75db184..2c5a93aa87f 100644 --- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 20 + "line": 50, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50 + "line": 20, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index a319e98250d..2235c4681ba 100644 --- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and default SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and default SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.cloudfront_default_certificate", + "searchValue": "", + "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + "searchValue": "minimum_protocol_version", + "expectedValue": "Attribute minimum_protocol_version should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'minimum_protocol_version' is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + "searchValue": "ssl_support_method", + "expectedValue": "Attribute ssl_support_method should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'ssl_support_method' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 85e34b71da8..cf3e6e12d43 100644 --- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "AD Admin Not Configured For SQL Server", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server", + "searchKey": "name={{Create (or update) SQL Server}}.{{azure_rm_sqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.ad_user should be defined", + "actualValue": "azure_rm_sqlserver.ad_user is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index 8db54668eed..a93bab71a7b 100644 --- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true" }, { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry2", + "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json index 222abd325a6..82c165377f6 100644 --- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 43, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.addon", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring should be set", + "actualValue": "azure_rm_aks.addon.monitoring is undefined" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 43 + "line": 68, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v3", + "searchKey": "name={{Create an AKS instance v3}}.{{azure_rm_aks}}.addon.monitoring", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} should be set", + "actualValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} is undefined" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 68 + "line": 94, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v9", + "searchKey": "name={{Create an AKS instance v9}}.{{azure_rm_aks}}.addon.monitoring.enabled", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.enabled should be set to 'yes' or 'false'", + "actualValue": "azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 94 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v0", + "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon should be set", + "actualValue": "azure_rm_aks.addon is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index a9f6033dbaa..cbd51b1b590 100644 --- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance03", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance03}}.{{azure_rm_aks}}.network_profile.network_policy", + "searchValue": "", + "expectedValue": "Azure AKS cluster network policy should be either 'calico' or 'azure'", + "actualValue": "Azure AKS cluster network policy is istio" }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance04", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance04}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "Azure AKS cluster network profile should be defined", + "actualValue": "Azure AKS cluster network profile is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json index 8d15a88670b..ff854e68d5e 100644 --- a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.enable_rbac", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be set to 'yes' or 'true'", + "actualValue": "azure_rm_aks.enable_rbac is not set to 'yes' or 'true'" }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v2", + "searchKey": "name={{Create an AKS instance v2}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be defined", + "actualValue": "azure_rm_aks.enable_rbac is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index 1129e0d6c75..e745140ce7c 100644 --- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registryy1", + "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" }, { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry2", + "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" }, { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 7f2e13b5a90..8a07c973fad 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "azure_rm_virtualmachine", + "resourceName": "testvm001", + "searchKey": "azure_rm_virtualmachine[testvm001].ssh_public_keys", + "searchValue": "", + "expectedValue": "'azure_rm_virtualmachine[testvm001]' should be using SSH keys for authentication", + "actualValue": "'azure_rm_virtualmachine[testvm001]' is using username and password for authentication" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json index 0d8570fd156..5f90390655d 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CosmosDB Account IP Range Filter Not Set", "severity": "CRITICAL", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure_rm_cosmosdbaccount", + "resourceName": "Create Cosmos DB Account - max", + "searchKey": "name={{Create Cosmos DB Account - max}}.{{azure_rm_cosmosdbaccount}}", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account.ip_range_filter' should be defined", + "actualValue": "'azurerm_cosmosdb_account.ip_range_filter' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json index a1ef5db4746..bf2928b144b 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cosmos DB Account Without Tags", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_cosmosdbaccount", + "resourceName": "Create Cosmos DB Account - min", + "searchKey": "name={{Create Cosmos DB Account - min}}.{{azure_rm_cosmosdbaccount}}.tags", + "searchValue": "", + "expectedValue": "azure_rm_cosmosdbaccount.tags should be defined", + "actualValue": "azure_rm_cosmosdbaccount.tags is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 0a1c0773b32..282f667b107 100644 --- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", + "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "actualValue": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json index 29b80de7ead..ed61f4d6f8a 100644 --- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "too_many_hosts", + "searchKey": "name={{too_many_hosts}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address should allow up to 255 hosts", + "actualValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address allow 65539 hosts" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json index 188baf9b196..8557a42d902 100644 --- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 7 + "line": 18, + "filename": "positive.yaml", + "resourceType": "azure_rm_keyvault", + "resourceName": "Create instance of Key Vault 02", + "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}", + "searchValue": "", + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined", + "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined" }, { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 18 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_keyvault", + "resourceName": "Create instance of Key Vault", + "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete", + "searchValue": "", + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true", + "actualValue": "azure_rm_keyvault.enable_soft_delete is false" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json index 6295e41f7be..0f7ae6f85ab 100644 --- a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should equal to 'on'", + "actualValue": "azure_rm_postgresqlconfiguration.value is not equal to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json index 43927abce46..6c50f8f1b65 100644 --- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Monitoring Log Profile Without All Activities", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile", + "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.categories", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.categories should have all categories, Write, Action and Delete", + "actualValue": "azure_rm_monitorlogprofile.categories does not have all categories, Write, Action and Delete" }, { "queryName": "Monitoring Log Profile Without All Activities", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile2", + "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.categories should be defined", + "actualValue": "azure_rm_monitorlogprofile.categories is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index a9e5e06cdb7..2eb7e6340e4 100644 --- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 3 + "line": 23, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_mysqlserver", + "resourceName": "Create (or update) MySQL Server2", + "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl", + "searchValue": "", + "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false" }, { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 23 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_mysqlserver", + "resourceName": "Create (or update) MySQL Server", + "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index c9faef24c34..40063113608 100644 --- a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 7 + "line": 25, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 13 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 19 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 25 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 37 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json index dfe5d144763..c19015d10da 100644 --- a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json index d3675e682a1..67da74c4872 100644 --- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json index 86f29653a21..5a3381bdc92 100644 --- a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example4", + "searchKey": "name={{example4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example5", + "searchKey": "name={{example5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example6", + "searchKey": "name={{example6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index ded293c1435..5d3a91fae00 100644 --- a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 7 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 13 + "line": 25, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 19 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 25 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 31 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 37 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json index 95adb340371..3fba890ab64 100644 --- a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 9 - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 19 - } -] + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and more virtual networks", + "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks", + "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 34ebe756b7d..7b3ce78c2e4 100644 --- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Cache Allows Non SSL Connections", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscache", + "resourceName": "Non SSl Allowed", + "searchKey": "name={{Non SSl Allowed}}.{{azure_rm_rediscache}}.enable_non_ssl_port", + "searchValue": "", + "expectedValue": "azure_rm_rediscache.enable_non_ssl_port should be set to false or undefined", + "actualValue": "azure_rm_rediscache.enable_non_ssl_port is true" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json index f04cd803160..98e1e2e8647 100644 --- a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Entirely Accessible", "severity": "CRITICAL", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "Create a Firewall rule for Azure Cache for Redis", + "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule start_ip and end_ip should not equal to '0.0.0.0'", + "actualValue": "azure_rm_rediscachefirewallrule start_ip and end_ip are equal to '0.0.0.0'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json index bc5829b31c7..bf543b96a40 100644 --- a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Publicly Accessible", "severity": "CRITICAL", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "Create a Firewall rule for Azure Cache for Redis", + "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule ip range should be private", + "actualValue": "azure_rm_rediscachefirewallrule ip range is public" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index ac9202cc9b3..7adad92197d 100644 --- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "azure_rm_roledefinition", + "resourceName": "Create a role definition2", + "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions", + "searchValue": "", + "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "azure_rm_roledefinition", + "resourceName": "Create a role definition", + "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions", + "searchValue": "", + "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json index d0ea6a501f6..8dfa84f75ec 100644 --- a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 3 + "line": 28, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet4", + "searchKey": "name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should not be empty", + "actualValue": "azure_rm_subnet.security_group is empty" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 9 + "line": 35, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet5", + "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group_name should not be empty", + "actualValue": "azure_rm_subnet.security_group_name is empty" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 16 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet1", + "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 28 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet2", + "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 35 + "line": 16, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet3", + "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 14b473342aa..87cf440b21b 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,221 +2,529 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 13 + "line": 130, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 27, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69 + "line": 113, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo8", + "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85 + "line": 130, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 27, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 55, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 113 + "line": 85, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo6", + "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo1", + "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 55, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 69, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo5", + "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json index 5282ba8c326..1a9ea084c15 100644 --- a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 13 + "line": 46, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile3", + "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile", + "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.retention_policy.enabled", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.enabled should be true or yes", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.enabled is false or no" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 46 + "line": 20, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile2", + "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy should be defined", + "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 31a8c77cc01..21c69736641 100644 --- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_sqlfirewallrule", + "resourceName": "Create (or update) Firewall Rule", + "searchKey": "name={{Create (or update) Firewall Rule}}.{{azure.azcollection.azure_rm_sqlfirewallrule}}.end_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_sqlfirewallrule should allow all IPs", + "actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index abfcd251cad..a56c07a500d 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 7 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp2", + "searchKey": "name={{create ad sp2}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 13 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp3", + "searchKey": "name={{create ad sp3}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 19 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp", + "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", + "actualValue": "azure_ad_serviceprincipal.ad_user is predictable" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index ce8105939d3..18824e13cf7 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server1", + "searchKey": "name={{Create (or update) SQL Server1}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server2", + "searchKey": "name={{Create (or update) SQL Server2}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server3", + "searchKey": "name={{Create (or update) SQL Server3}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be predictable", + "actualValue": "azure_rm_sqlserver.admin_username is predictable" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index a0427e72698..d27557aea1c 100644 --- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 2 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server2", + "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false" }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 21 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server", + "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 571578e12dc..83db86d559d 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -2,46 +2,109 @@ { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 3 + "line": 33, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account4", + "searchKey": "name={{create an account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account3", + "searchKey": "name={{create an account3}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 24 + "line": 42, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account5", + "searchKey": "name={{create an account5}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 33 + "line": 51, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account6", + "searchKey": "name={{create an account6}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 42 + "line": 60, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account7", + "searchKey": "name={{create an account7}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 51 + "line": 69, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account8", + "searchKey": "name={{create an account8}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 60 + "line": 78, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account9", + "searchKey": "name={{create an account9}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 69 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.https_only should be defined", + "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 78 + "line": 15, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account2", + "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index b46384e752e..ad3fcb31396 100644 --- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Storage Account Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 8 - }, - { - "queryName": "Storage Account Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 12 - } -] + { + "queryName": "Storage Account Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "Create an account with kind of FileStorage", + "searchKey": "name={{Create an account with kind of FileStorage}}.{{azure_rm_storageaccount}}.minimum_tls_version", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should be using the latest version of TLS encryption", + "actualValue": "azure_rm_storageaccount is using version TLS1_0 of TLS encryption" + }, + { + "queryName": "Storage Account Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "Create a second account with kind of FileStorage", + "searchKey": "name={{Create a second account with kind of FileStorage}}.{{azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.minimum_tls_version should be defined", + "actualValue": "azure_rm_storageaccount.minimum_tls_version is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index b27a116746e..9d6cccf3901 100644 --- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 9 + "line": 17, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageblob", + "resourceName": "Create container foo2 and upload a file", + "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access", + "searchValue": "", + "expectedValue": "azure_rm_storageblob.public_access should not be set", + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" }, { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageblob", + "resourceName": "Create container foo and upload a file", + "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access", + "searchValue": "", + "expectedValue": "azure_rm_storageblob.public_access should not be set", + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 3d9d3360063..0540545350c 100644 --- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks", + "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks2", + "searchKey": "name={{configure firewall and virtual networks2}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 40 + "line": 40, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks3", + "searchKey": "name={{configure firewall and virtual networks3}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json index 44cefe27131..f47ea2c74c2 100644 --- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlfirewallrule", + "resourceName": "Create (or update) Firewall Rule1", + "searchKey": "name={{Create (or update) Firewall Rule1}}.{{azure_rm_sqlfirewallrule}}", + "searchValue": "", + "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256", + "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlfirewallrule", + "resourceName": "Create (or update) Firewall Rule2", + "searchKey": "name={{Create (or update) Firewall Rule2}}.{{azure_rm_sqlfirewallrule}}", + "searchValue": "", + "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256", + "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json index 0c333d3f99e..9f405d94dd6 100644 --- a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "VM Not Attached To Network", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_virtualmachine", + "resourceName": "Create a VM with a custom image", + "searchKey": "name={{Create a VM with a custom image}}.{{azure_rm_virtualmachine}}", + "searchValue": "", + "expectedValue": "azure_rm_virtualmachine.network_interface_names should be defined", + "actualValue": "azure_rm_virtualmachine.network_interface_names is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json index 22b5f2f5a9e..6882cead6dc 100644 --- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "WAF Is Disabled For Azure Application Gateway", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_appgateway", + "resourceName": "Create instance of Application Gateway", + "searchKey": "name={{Create instance of Application Gateway}}.{{azure_rm_appgateway}}.sku.tier", + "searchValue": "", + "expectedValue": "azure_rm_appgateway.sku.tier should be 'waf' or 'waf_v2'", + "actualValue": "azure_rm_appgateway.sku.tier is standard" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json index fe2ba76306d..aed8c662eca 100644 --- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "azure_rm_webapp", + "resourceName": "Create a windows web app with non-exist app service plan", + "searchKey": "name={{Create a windows web app with non-exist app service plan}}.{{azure_rm_webapp}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_webapp.https_only should be set to true or 'yes'", + "actualValue": "azure_rm_webapp.https_only value is 'false'" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure_rm_webapp", + "resourceName": "Create another windows web app", + "searchKey": "name={{Create another windows web app}}.{{azure_rm_webapp}}", + "searchValue": "", + "expectedValue": "azure_rm_webapp.https_only should be defined", + "actualValue": "azure_rm_webapp.https_only is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json index ab2ceef570a..2f945749899 100644 --- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Allow Unsafe Lookups Enabled In Defaults", - "severity": "HIGH", - "line": 19 - } -] + { + "queryName": "Allow Unsafe Lookups Enabled In Defaults", + "severity": "HIGH", + "line": 19, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "defaults", + "searchKey": "defaults.allow_unsafe_lookups", + "searchValue": "", + "expectedValue": "allow_unsafe_lookups should be set to 'False'", + "actualValue": "allow_unsafe_lookups is set to 'True'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json index af3bb39b39d..bef06fa20b7 100644 --- a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Communication Over HTTP In Defaults", - "severity": "MEDIUM", - "line": 5 - } -] + { + "queryName": "Communication Over HTTP In Defaults", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "[galaxy].server", + "searchValue": "", + "expectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol", + "actualValue": "'server' from galaxy group is accessed via the HTTP protocol'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json index 4236128659b..7c93162624a 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Logging of Sensitive Data In Defaults", - "severity": "LOW", - "filename": "positive1.cfg", - "line": 1 - }, - { - "queryName": "Logging of Sensitive Data In Defaults", - "severity": "LOW", - "filename": "positive2.cfg", - "line": 39 - } -] + { + "queryName": "Logging of Sensitive Data In Defaults", + "severity": "LOW", + "line": 39, + "filename": "positive2.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.no_log", + "searchValue": "", + "expectedValue": "no_log should be set to 'true'", + "actualValue": "no_log is set to 'false'" + }, + { + "queryName": "Logging of Sensitive Data In Defaults", + "severity": "LOW", + "line": 1, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults", + "searchValue": "", + "expectedValue": "no_log should be defined and set to 'true'", + "actualValue": "no_log is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json index edcbda369aa..69a240fe00d 100644 --- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Privilege Escalation Using Become Plugin In Defaults", - "severity": "MEDIUM", - "filename": "positive1.cfg", - "line": 10 - }, - { - "queryName": "Privilege Escalation Using Become Plugin In Defaults", - "severity": "MEDIUM", - "filename": "positive2.cfg", - "line": 12 - } -] + { + "queryName": "Privilege Escalation Using Become Plugin In Defaults", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.become_user", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true'", + "actualValue": "'become' is not defined" + }, + { + "queryName": "Privilege Escalation Using Become Plugin In Defaults", + "severity": "MEDIUM", + "line": 10, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.become", + "searchValue": "", + "expectedValue": "'become' should be set to 'true'", + "actualValue": "'become' is set to 'false'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index ccbd9315993..a78d4fdd312 100644 --- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "BigQuery Dataset Is Public", - "severity": "HIGH", - "line": 5 - } -] + { + "queryName": "BigQuery Dataset Is Public", + "severity": "HIGH", + "line": 5, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_bigquery_dataset", + "resourceName": "create a dataset", + "searchKey": "name={{create a dataset}}.{{google.cloud.gcp_bigquery_dataset}}.access", + "searchValue": "", + "expectedValue": "gcp_bigquery_dataset.access.special_group should not equal to 'allAuthenticatedUsers'", + "actualValue": "gcp_bigquery_dataset.access.special_group is equal to 'allAuthenticatedUsers'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json index 36503065ad0..369174de97e 100644 --- a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 3 + "line": 37, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be true", + "actualValue": "gcp_container_cluster.master_auth.password is false" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 18 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined", + "actualValue": "gcp_container_cluster.master_auth is undefined" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 37 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.client_certificate_config should be defined", + "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index 9379e54d288..cb272a360c7 100644 --- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 3 - }, - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 20 - }, - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 33 - } -] + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a third managed zone", + "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'", + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'" + }, + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a managed zone", + "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config should be defined", + "actualValue": "gcp_dns_managed_zone.dnssec_config is undefined" + }, + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 20, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a second managed zone", + "searchKey": "name={{create a second managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should be defined", + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json index 0d9b8e9029c..610ef091dee 100644 --- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cloud SQL Instance With Contained Database Authentication On", "severity": "HIGH", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct", + "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'contained database authentication' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json index 195a85873d7..d91183c2cb6 100644 --- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cloud SQL Instance With Cross DB Ownership Chaining On", "severity": "HIGH", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "{{cloud_gcp_sql_instance}}.settings.database_flags should be correct", + "actualValue": "{{cloud_gcp_sql_instance}}.settings.database_flags.name is 'cross db ownership chaining' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index e0ee2d2a9d5..ba659ff9fee 100644 --- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 11 + "line": 22, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket2", + "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 11, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket1", + "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 28 + "line": 28, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket3", + "searchKey": "name={{create a bucket3}}.{{google.cloud.gcp_storage_bucket}}", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.default_object_acl should be defined", + "actualValue": "gcp_storage_bucket.default_object_acl is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 1d61cc30951..514b1dbc420 100644 --- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket", + "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.logging should be defined", + "actualValue": "gcp_storage_bucket.logging is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index e2023f7479b..0fe3a9605b5 100644 --- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 3 + "line": 17, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a second bucket", + "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.versioning.enabled should be true", + "actualValue": "gcp_storage_bucket.versioning.enabled is false" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 17 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket", + "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.versioning should be defined", + "actualValue": "gcp_storage_bucket.versioning is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json index 8c1a8dc644d..905b1fdf4b2 100644 --- a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 2 + "line": 47, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should not be empty", + "actualValue": "google.cloud.gcp_container_cluster is empty" }, { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 17 + "line": 2, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", + "actualValue": "google.cloud.gcp_container_cluster is undefined and null" }, { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 47 + "line": 17, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", + "actualValue": "google.cloud.gcp_container_cluster is undefined and null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index 06b3b7a82fa..4b35f9aa817 100644 --- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 18 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 32 + "line": 61, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 46 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 61 + "line": 46, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json index 77e4bef3293..677109a159d 100644 --- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Compute Instance Is Publicly Accessible", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.network_interfaces.access_configs", + "searchValue": "", + "expectedValue": "gcp_compute_instance.network_interfaces.access_configs should not be defined", + "actualValue": "gcp_compute_instance.network_interfaces.access_configs is defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json index 7749e1bcee8..dd84fb41d4d 100644 --- a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "COS Node Image Not Used", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.config.image_type", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.config.image_type should start with 'COS'", + "actualValue": "gcp_container_node_pool.config.image_type does not start with 'COS'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json index ed85273a162..c3cc4df5013 100644 --- a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.yaml" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk4", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.yaml" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk1", + "searchKey": "name={{create a disk1}}.{{google.cloud.gcp_compute_disk}}", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.yaml" + "line": 15, + "filename": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk3", + "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive2.yaml" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk4", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk3", + "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index e0b836b45d2..e7878dcd8ba 100644 --- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DNSSEC Using RSASHA1", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a managed zone", + "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.defaultKeySpecs.algorithm", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm should not equal to 'rsasha1'", + "actualValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm is equal to 'rsasha1'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json index 7d0d7d53ef2..fb7ecfb191e 100644 --- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 3 + "line": 47, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be empty", + "actualValue": "gcp_container_cluster.master_auth.username is not empty" }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 18 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined", + "actualValue": "gcp_container_cluster.master_auth is undefined" }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined", + "actualValue": "gcp_container_cluster.master_auth.password is undefined" }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 47 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined", + "actualValue": "gcp_container_cluster.master_auth.username is undefined" }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 63 + "line": 63, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth.password", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be empty", + "actualValue": "gcp_container_cluster.master_auth.password is not empty" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index 7a792dec50d..e2018dc7308 100644 --- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "GKE Legacy Authorization Enabled", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.legacy_abac.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.legacy_abac.enabled should be set to false", + "actualValue": "gcp_container_cluster.legacy_abac.enabled is true" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index 5535f921553..35effb5a6ee 100644 --- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be true", + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is false" }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 17 + "line": 22, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a third cluster", + "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined" }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 22 + "line": 17, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a second cluster", + "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json index c1d0cdbb565..b8801cf1c3e 100644 --- a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "GKE Using Default Service Account", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "GKE Using Default Service Account", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } -] + { + "queryName": "GKE Using Default Service Account", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default" + }, + { + "queryName": "GKE Using Default Service Account", + "severity": "MEDIUM", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is missing" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index ed1b5a8150c..ce303782d3c 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Google Compute Network Using Default Firewall Rule", "severity": "MEDIUM", "line": 11, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a default firewall rule", + "actualValue": "'google.cloud.gcp_compute_network' is using a default firewall rule" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json index 35ee2790201..660a1c91e63 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range", "severity": "LOW", "line": 19, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to port range", + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to port range" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index c07d1c5283a..8f32ef54a5a 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", "severity": "MEDIUM", "line": 19, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to all ports", + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to all ports" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index 9fab22393ec..c2cd9a64e9b 100644 --- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 2 + "line": 16, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_ssl_policy", + "resourceName": "create a SSL policy2", + "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version", + "searchValue": "", + "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 16 + "line": 2, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_ssl_policy", + "resourceName": "create a SSL policy", + "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}", + "searchValue": "", + "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 4b088e2c82c..850ce02e451 100644 --- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_subnetwork", + "resourceName": "create a subnetwork", + "searchKey": "name={{create a subnetwork}}.{{google.cloud.gcp_compute_subnetwork}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be defined and not null", + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is undefined or null" }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_subnetwork", + "resourceName": "create a subnetwork2", + "searchKey": "name={{create a subnetwork2}}.{{google.cloud.gcp_compute_subnetwork}}.private_ip_google_access", + "searchValue": "", + "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be set to yes", + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is set to no" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 6be1d2d4a37..8c9dbd89a8e 100644 --- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool2", + "searchKey": "name={{create a node pool2}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool3", + "searchKey": "name={{create a node pool3}}.{{google.cloud.gcp_container_node_pool}}", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management should be defined", + "actualValue": "gcp_container_node_pool.management is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 64749f941ee..3707a8c39d4 100644 --- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 18 + "line": 23, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_kms_crypto_key", + "resourceName": "create a crypto key2", + "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}", + "searchValue": "", + "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period is undefined" }, { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 23 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_kms_crypto_key", + "resourceName": "create a crypto key", + "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period", + "searchValue": "", + "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 515f5894a3c..3d82b62569a 100644 --- a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 2 + "line": 50, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true", + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 31 + "line": 2, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy should be defined", + "actualValue": "gcp_container_cluster.ip_allocation_policy is undefined" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 50 + "line": 31, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be set to true", + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json index fd23b343a69..320fb0583b3 100644 --- a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "IP Forwarding Enabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.can_ip_forward", + "searchValue": "", + "expectedValue": "gcp_compute_instance.can_ip_forward should be set to false", + "actualValue": "gcp_compute_instance.can_ip_forward is true" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json index ca7bdf90551..395be491147 100644 --- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "MySQL Instance With Local Infile On", "severity": "HIGH", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct", + "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'local_infile' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json index 422a04267dc..eca41504d64 100644 --- a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 3 + "line": 96, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 21 + "line": 73, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.network_policy.enabled should be true", + "actualValue": "gcp_container_cluster.network_policy.enabled is false" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 54 + "line": 21, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "addons_config", + "expectedValue": "gcp_container_cluster.addons_config should be defined", + "actualValue": "gcp_container_cluster.addons_config is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 73 + "line": 54, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.addons_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config should be defined", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 96 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "network_policy", + "expectedValue": "gcp_container_cluster.network_policy should be defined", + "actualValue": "gcp_container_cluster.network_policy is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 1e8d4e0b4e8..8a73ae29c17 100644 --- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 3 + "line": 36, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a third node pool", + "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true", + "actualValue": "gcp_container_node_pool.management.auto_upgrade is false" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 22 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management should be defined", + "actualValue": "gcp_container_node_pool.management is undefined" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 36 + "line": 22, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a second node pool", + "searchKey": "name={{create a second node pool}}.{{google.cloud.gcp_container_node_pool}}.management", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be defined", + "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json index 489e34a7d20..87195853fb4 100644 --- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "OSLogin Is Disabled In VM Instance", - "severity": "MEDIUM", - "line": 4 - } -] + { + "queryName": "OSLogin Is Disabled In VM Instance", + "severity": "MEDIUM", + "line": 4, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "oslogin-disabled", + "searchKey": "name={{oslogin-disabled}}.{{google.cloud.gcp_compute_instance}}.metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.enable-oslogin should be true", + "actualValue": "gcp_compute_instance.metadata.enable-oslogin is false" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json index f8fa12d454b..eba18d9a9cd 100644 --- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", - "severity": "MEDIUM", - "line": 5 - }, - { - "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", - "severity": "MEDIUM", - "line": 16 - } -] + { + "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", + "severity": "MEDIUM", + "line": 16, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create another instance", + "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" + }, + { + "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", + "severity": "MEDIUM", + "line": 5, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create instance", + "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'", + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json index 6cd81a17bd4..2f2ecdf0b78 100644 --- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "PostgreSQL Log Connections Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create instance", + "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_connections' flag set to 'on'", + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_connections' flag set to 'off'" }, { "queryName": "PostgreSQL Log Connections Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create another instance", + "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json index 176293e62bf..dd6f8ab1f99 100644 --- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PostgreSQL Logging Of Temporary Files Disabled", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_temp_files to 0", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_temp_files to 0" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json index 58a65f3141f..7f7db602824 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PostgreSQL Misconfigured Log Messages Flag", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags.log_min_messages", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set 'log_min_messages' to a valid value", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set 'log_min_messages' to a valid value" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json index 2032e1d2680..8b9e1125eab 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PostgreSQL Misconfigured Logging Duration Flag", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_min_duration_statement to -1", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_min_duration_statement to -1" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json index 689ed5ffc81..563aa3989bd 100644 --- a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 31 + "line": 48, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 48 + "line": 31, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 66 + "line": 66, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_endpoint", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be true", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 85 + "line": 85, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_nodes", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be true", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 13ca90f5f99..a6e78f0e583 100644 --- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 4 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 9 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 15 - } -] + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 4, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "ssh_keys_unblocked", + "searchKey": "name={{ssh_keys_unblocked}}.{{google.cloud.gcp_compute_instance}}.metadata.block-project-ssh-keys", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be true", + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is false" + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 15, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "no_metadata", + "searchKey": "name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata should be set", + "actualValue": "gcp_compute_instance.metadata is undefined" + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "ssh_keys_missing", + "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true", + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 54fdcecba5f..30453d63495 100644 --- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 8 + "line": 29, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "rdp_in_port", + "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 29 + "line": 8, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "rdp_in_range", + "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json index b24c967c2c6..317268008ad 100644 --- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 4 - } -] + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 4, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "serial_enabled", + "searchKey": "name={{serial_enabled}}.{{google.cloud.gcp_compute_instance}}.metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.serial-port-enable should be undefined or set to false", + "actualValue": "gcp_compute_instance.metadata.serial-port-enable is set to true" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json index eca3f4bb68b..a50fa2728da 100644 --- a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 3 + "line": 42, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance2", + "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 42 + "line": 65, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance3", + "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 65 + "line": 88, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 88 + "line": 112, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance5", + "searchKey": "name={{create a instance5}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be true", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 112 + "line": 137, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance6", + "searchKey": "name={{create a instance6}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_secure_boot", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be true", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 137 + "line": 162, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance7", + "searchKey": "name={{create a instance7}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_vtpm", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be true", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 162 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 4beca497fd1..c960978ef14 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 3 + "line": 38, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 13 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings should be defined", + "actualValue": "gcp_sql_instance.settings is undefined" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 24 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a second instance", + "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration should be defined", + "actualValue": "gcp_sql_instance.settings.backup_configuration is undefined" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 38 + "line": 24, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a third instance", + "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration.enabled should be defined", + "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 895e3ab0522..9b6da82cf12 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.authorized_networks.name={{google dns server}}.value", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address should be trusted", + "actualValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address is not restricted: '0.0.0.0'" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance2", + "searchKey": "name={{sql_instance2}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.ipv4_enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled should be disabled when there are no authorized networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled is enabled when there are no authorized networks" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 34 + "line": 34, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance3", + "searchKey": "name={{sql_instance3}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined and allow only trusted networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index f57970923b9..6adc8bf7ac5 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 3 + "line": 39, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 13 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings should be defined", + "actualValue": "gcp_sql_instance.settings is undefined" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a second instance", + "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 39 + "line": 24, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a third instance", + "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 87ae2e25edb..1ba1dceba8a 100644 --- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "ssh_unrestricted", + "searchKey": "name={{ssh_unrestricted}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain SSH port (22) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain SSH port (22) with unrestricted ingress traffic" } -] +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 73738c59a3a..4b040a25953 100644 --- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 3 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", + "actualValue": "gcp_container_cluster.logging_service is 'none'" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 32 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should be defined", + "actualValue": "gcp_container_cluster.logging_service is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 325445d9111..22b71908c49 100644 --- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 3 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", + "actualValue": "gcp_container_cluster.monitoring_service is 'none'" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 32 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should be defined", + "actualValue": "gcp_container_cluster.monitoring_service is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json index 8c434d44683..fc7d5a2e3fb 100644 --- a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json @@ -1,22 +1,50 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 3 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 57 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 86 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 115 - } -] + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 115, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", + "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 57, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance2", + "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be empty", + "actualValue": "gcp_compute_instance.service_account_email is empty" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 86, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance3", + "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be an email", + "actualValue": "gcp_compute_instance.service_account_email is not an email" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be defined", + "actualValue": "gcp_compute_instance.service_account_email is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index ace8a7b988f..0df5d498573 100644 --- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "VM With Full Cloud Access", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.service_accounts", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_accounts.scopes should not contain 'cloud-platform'", + "actualValue": "gcp_compute_instance.service_accounts.scopes contains 'cloud-platform'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json index 82b40927d37..f3b32d20242 100644 --- a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json +++ b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Communication Over HTTP", - "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml" - } + { + "queryName": "Communication Over HTTP", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.uri", + "resourceName": "Verificar o status do site", + "searchKey": "name={{Verificar o status do site}}.{{ansible.builtin.uri}}.url", + "searchValue": "", + "expectedValue": "ansible.builtin.uri.url should be accessed via the HTTPS protocol", + "actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'" + } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index d18625872a6..9a83fd5ab90 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 12, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.copy", + "resourceName": "Two", + "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.copy.src should not be a relative path", + "actualValue": "ansible.builtin.copy.src is a relative path" + }, + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.template", + "resourceName": "One", + "searchKey": "name={{One}}.{{ansible.builtin.template}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.template.src should not be a relative path", + "actualValue": "ansible.builtin.template.src is a relative path" + } +] \ No newline at end of file diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index fd7f628c92d..2cc0c111a8f 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" - }, - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 5, - "fileName": "positive2.yaml" - } + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 5, + "filename": "positive2.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}", + "searchValue": "", + "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is not defined" + }, + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}.no_log", + "searchValue": "", + "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is set to false" + } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 9f87ac0816f..6f7ad039389 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 31, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 44, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 53, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 61, - "fileName": "positive1.yaml" - } + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 53, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", + "actualValue": "'become' is set to 'false'" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 61, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user without become}}.become_user={{mysql}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with mysql", + "actualValue": "'become' is not defined" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 44, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", + "actualValue": "'become' is set to 'false'" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", + "actualValue": "'become' is set to 'false'" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 31, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{foo}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", + "actualValue": "'become' is not defined" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become_user={{bar}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", + "actualValue": "'become' is not defined" + } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 96a4bfa8502..0bdc72b5ced 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 5 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 17 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 25 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 38 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 46 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 64 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 74 - } + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 46, + "filename": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true 2x", + "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 25, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing 3x", + "searchKey": "name={{Permissions missing 3x}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 64, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Not Permissions", + "searchKey": "name={{Not Permissions}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 38, + "filename": "positive1.yaml", + "resourceType": "get_url", + "resourceName": "Permissions missing 4x", + "searchKey": "name={{Permissions missing 4x}}.{{get_url}}", + "searchValue": "", + "expectedValue": "All the permissions set in get_url about creating files/directories", + "actualValue": "There are some permissions missing in get_url and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing", + "searchKey": "name={{Permissions missing}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 55, + "filename": "positive1.yaml", + "resourceType": "replace", + "resourceName": "not preserve mode 2x", + "searchKey": "name={{not preserve mode 2x}}.{{replace}}", + "searchValue": "", + "expectedValue": "replace does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of replace is set to 'preserve'" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "not preserve value", + "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true", + "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 17, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "Permissions missing 2x", + "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", + "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 74, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.lineinfile", + "resourceName": "create_false", + "searchKey": "name={{create_false}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.lineinfile is set to 'preserve'" + } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json index f67cb49ccc2..f2e2679d87c 100644 --- a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json +++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json @@ -1,158 +1,314 @@ [ - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 8 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 18 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 23 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 34 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 40 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 44 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 50 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 60 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 65 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 74 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 79 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 84 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 89 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 94 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 101 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 106 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 111 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 116 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 121 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 130 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 136 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 144 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 149 - } + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 101, + "filename": "positive1.yaml", + "resourceType": "community.general.pkgutil", + "resourceName": "Install several packages", + "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install some-package", + "searchKey": "name={{Install some-package}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 44, + "filename": "positive1.yaml", + "resourceType": "community.general.bundler", + "resourceName": "Update Gemfile in another directory", + "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible", + "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 144, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install a list of packages (suitable replacement for 2.11 loop deprecation warning)", + "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 50, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.dnf", + "resourceName": "Install a modularity appstream with defined profile", + "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 55, + "filename": "positive1.yaml", + "resourceType": "community.general.gem", + "resourceName": "Install rake", + "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 111, + "filename": "positive1.yaml", + "resourceType": "community.general.slackpkg", + "resourceName": "Make sure that it is the most updated package", + "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 94, + "filename": "positive1.yaml", + "resourceType": "community.general.pkg5", + "resourceName": "Install finger daemon", + "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 60, + "filename": "positive1.yaml", + "resourceType": "community.general.homebrew", + "resourceName": "Install formula foo with 'brew' from cask", + "searchKey": "name={{Install formula foo with 'brew' from cask}}.{{community.general.homebrew}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 84, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install ntpdate", + "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 121, + "filename": "positive1.yaml", + "resourceType": "community.general.swdepot", + "resourceName": "Install package unzip", + "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 34, + "filename": "positive1.yaml", + "resourceType": "community.general.apk", + "resourceName": "Install package without using cache", + "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 74, + "filename": "positive1.yaml", + "resourceType": "community.general.npm", + "resourceName": "Install packages based on package.json", + "searchKey": "name={{Install packages based on package.json}}.{{community.general.npm}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 116, + "filename": "positive1.yaml", + "resourceType": "community.general.sorcery", + "resourceName": "Make sure spell foo is installed", + "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 136, + "filename": "positive1.yaml", + "resourceType": "community.general.yarn", + "resourceName": "Install \"imagemin\" node.js package globally.", + "searchKey": "name={{Install \"imagemin\" node.js package globally.}}.{{community.general.yarn}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 40, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.apt", + "resourceName": "Install apache httpd", + "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 149, + "filename": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install local rpm file", + "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 79, + "filename": "positive1.yaml", + "resourceType": "community.general.openbsd_pkg", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 89, + "filename": "positive1.yaml", + "resourceType": "community.general.pacman", + "resourceName": "Install package bar from file", + "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 106, + "filename": "positive1.yaml", + "resourceType": "community.general.portage", + "resourceName": "Install package foo", + "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 23, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible with update_only to false", + "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.pip", + "resourceName": "Install Ansible-lint", + "searchKey": "name={{Install Ansible-lint}}.{{ansible.builtin.pip}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 65, + "filename": "positive1.yaml", + "resourceType": "community.general.jenkins_plugin", + "resourceName": "Install Green Balls plugin", + "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 130, + "filename": "positive1.yaml", + "resourceType": "win_chocolatey", + "resourceName": "Install multiple packages", + "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'" + } ] \ No newline at end of file diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json index 1f10687fd09..0e62f1eb4e8 100644 --- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.ini" + "line": 24, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "children", + "searchKey": "all.children.tower.hosts", + "searchValue": "", + "expectedValue": "Ansible Tower IP should be private", + "actualValue": "Ansible Tower IP is public" }, { "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.yaml" + "line": 1, + "filename": "positive1.ini", + "resourceType": "n/a", + "resourceName": "children", + "searchKey": "[tower]", + "searchValue": "", + "expectedValue": "Ansible Tower IP should be private", + "actualValue": "Ansible Tower IP is public" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json index 8c4c5e42123..c5662cd4d87 100644 --- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 4, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 15, - "filename": "positive4.json" + "line": 3, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", "line": 4, - "filename": "positive1.bicep" - }, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 4, - "filename": "positive3.bicep" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json index 31a9ddc78c3..147acc45e96 100644 --- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 37, - "filename": "positive2.json" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 39, - "filename": "positive4.json" + "line": 2, + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 2, - "filename": "positive1.bicep" + "line": 39, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.bicep" + "line": 37, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 2, - "filename": "positive3.bicep" + "line": 6, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep" + "line": 8, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json index 70cdf5c8a8f..433c9007612 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive1.json" + "line": 26, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 36, - "fileName": "positive2.json" + "line": 4, + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive3.json" + "line": 38, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 38, - "fileName": "positive4.json" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 4, - "fileName": "positive1.bicep" + "line": 36, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "fileName": "positive2.bicep" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", "line": 4, - "fileName": "positive3.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", "line": 26, - "fileName": "positive4.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json index 2a226e8456a..e64d0f9020d 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 14, - "filename": "positive1.json" + "line": 8, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 16, - "filename": "positive2.json" + "line": 8, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 8, - "filename": "positive1.bicep" + "line": 16, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 8, - "filename": "positive2.bicep" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json index 1f589057ff2..7cd01cc74ad 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 6, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.json" + "line": 8, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive4.json" + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.bicep" + "line": 2, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive4.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json index 5c44f1fdc75..5279a23b05b 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json @@ -2,121 +2,241 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive1.json" + "line": 1, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json" + "line": 10, + "filename": "positive6.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 36, - "filename": "positive3.json" + "line": 37, + "filename": "positive5.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive4.json" + "line": 2, + "filename": "positive9.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 37, - "filename": "positive5.json" + "line": 2, + "filename": "positive7.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 10, - "filename": "positive6.json" + "line": 8, + "filename": "positive7.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 8, - "filename": "positive7.json" + "filename": "positive9.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 38, - "filename": "positive8.json" + "line": 36, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive9.json" + "line": 31, + "filename": "positive5.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 39, - "filename": "positive10.json" + "line": 31, + "filename": "positive10.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 1, - "filename": "positive1.bicep" + "line": 6, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive2.bicep" + "line": 8, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive3.bicep" + "line": 6, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive4.bicep" + "line": 38, + "filename": "positive8.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive5.bicep" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 1, - "filename": "positive6.bicep" + "filename": "positive6.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive7.bicep" + "line": 39, + "filename": "positive10.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive8.bicep" + "line": 2, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive9.bicep" + "line": 30, + "filename": "positive8.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive10.bicep" + "line": 30, + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json index d3571dede33..72df6c24056 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 37, - "fileName": "positive1.json" + "line": 31, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.json" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 42, + "filename": "positive8.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 40, - "fileName": "positive4.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 39, - "fileName": "positive5.json" + "line": 31, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 35, - "fileName": "positive6.json" + "line": 33, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 39, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 42, - "fileName": "positive8.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive1.bicep" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.bicep" + "line": 37, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.bicep" + "line": 35, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 33, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive5.bicep" + "line": 40, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive6.bicep" + "line": 33, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive7.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json index 9b56de65a46..068c5b8543b 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 53, - "filename": "positive1.json" + "line": 17, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 40, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 55, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 42, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.bicep" + "line": 53, + "filename": "positive1.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.bicep" + "line": 27, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 27, - "filename": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 17, - "filename": "positive4.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json index f69a151c8c5..00f2c6d603f 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 30, - "filename": "positive1.json" + "line": 32, + "filename": "positive3.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", "line": 19, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 32, - "filename": "positive3.json" + "line": 30, + "filename": "positive1.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", "line": 21, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", "line": 18, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 7, - "filename": "positive2.bicep" + "line": 18, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 18, - "filename": "positive3.bicep" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1']", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", "line": 7, - "filename": "positive4.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1']", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 51ce6bdf54a..5f963c1b932 100644 --- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 13, - "fileName": "positive1.json" + "line": 11, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive3", + "searchKey": "resources.name=positive3.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 11, - "fileName": "positive2.json" + "line": 12, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive1", + "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "fileName": "positive3.json" + "line": 10, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive2", + "searchKey": "resources.name=positive2.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "fileName": "positive1.bicep" + "line": 13, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive1", + "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 10, - "fileName": "positive2.bicep" + "line": 12, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive3", + "searchKey": "resources.name=positive3.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 11, - "fileName": "positive3.bicep" + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive2", + "searchKey": "resources.name=positive2.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json index 205542f4c46..79fd5037dd6 100644 --- a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json @@ -2,145 +2,289 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 17, - "filename": "positive1.json" + "line": 6, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 19, + "filename": "positive7.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive4.json" + "line": 6, + "filename": "positive9.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 21, - "filename": "positive5.json" + "line": 3, + "filename": "positive10.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 20, - "filename": "positive6.json" + "line": 10, + "filename": "positive12.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 19, - "filename": "positive7.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive8.json" + "line": 3, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 18, - "filename": "positive9.json" + "line": 3, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive10.json" + "line": 18, + "filename": "positive9.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 23, - "filename": "positive11.json" + "line": 15, + "filename": "positive8.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 22, - "filename": "positive12.json" + "line": 11, + "filename": "positive11.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", "line": 7, - "filename": "positive1.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive3.bicep" + "line": 15, + "filename": "positive10.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 23, + "filename": "positive11.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive5.bicep" + "line": 21, + "filename": "positive5.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive6.bicep" + "line": 13, + "filename": "positive4.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 7, - "filename": "positive7.bicep" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive8.bicep" + "line": 7, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive9.bicep" + "line": 22, + "filename": "positive12.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive10.bicep" + "line": 17, + "filename": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive11.bicep" + "line": 20, + "filename": "positive6.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive12.bicep" + "line": 11, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json index 66a1cf66b62..09b4ce7224d 100644 --- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 7, - "fileName": "positive1.json" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded" }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded" }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 2, - "fileName": "positive1.bicep" + "line": 9, + "filename": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded" }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 2, - "fileName": "positive2.bicep" + "line": 7, + "filename": "positive1.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index aedb11e80d1..b5d9c9d8b19 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 39, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 17, - "fileName": "positive3.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 41, - "fileName": "positive4.json" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 27, + "filename": "positive2.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive1.bicep" + "line": 18, + "filename": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 27, - "fileName": "positive2.bicep" + "line": 18, + "filename": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive3.bicep" + "line": 39, + "filename": "positive2.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 27, - "fileName": "positive4.bicep" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 41, + "filename": "positive4.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 27, + "filename": "positive4.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json index 5493d0ff29d..1f41a47223a 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 22, - "fileName": "positive1.json" + "filename": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 24, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 9, - "fileName": "positive1.bicep" + "filename": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 9, - "fileName": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json index a2a485c0bac..85bd6c85c1e 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ - { - "queryName": "MySQL Server SSL Enforcement Disabled", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive1.json" - }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.json" + "line": 16, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive4.json" + "line": 18, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive4.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + }, + { + "queryName": "MySQL Server SSL Enforcement Disabled", + "severity": "MEDIUM", + "line": 20, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 81f2c0350d3..94184bac639 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 19, - "fileName": "positive1.json" + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 13, - "fileName": "positive2.json" + "line": 19, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 21, - "fileName": "positive4.json" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 15, - "fileName": "positive5.json" + "line": 9, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 22, - "fileName": "positive6.json" + "line": 3, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 9, - "fileName": "positive1.bicep" + "line": 15, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 3, - "fileName": "positive2.bicep" + "line": 20, + "filename": "positive3.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 10, - "fileName": "positive3.bicep" + "line": 22, + "filename": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 9, - "fileName": "positive4.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 3, - "fileName": "positive5.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 10, - "fileName": "positive6.bicep" + "filename": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index f4b05c4f8ac..d112363b065 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,79 +2,157 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.json" + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 15, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 20, - "fileName": "positive3.json" + "line": 9, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.json" + "line": 10, + "filename": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 15, - "fileName": "positive5.json" + "line": 9, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive6.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 22, - "fileName": "positive7.json" + "filename": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.bicep" + "line": 19, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.bicep" + "line": 22, + "filename": "positive7.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.bicep" + "line": 20, + "filename": "positive3.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.bicep" + "line": 3, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 3, - "fileName": "positive5.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "fileName": "positive6.bicep" + "filename": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json index 05b67ec86dd..0841a6f26f1 100644 --- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 13, - "fileName": "positive1.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 3, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 3, - "fileName": "positive1.bicep" + "line": 13, + "filename": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 3, - "fileName": "positive2.bicep" + "line": 15, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json index b6417cef88c..6a8b37e689a 100644 --- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive1.json" + "line": 47, + "filename": "positive4.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.json" + "line": 45, + "filename": "positive1.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.json" + "line": 11, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive4.json" + "line": 9, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.json" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.json" + "line": 2, + "filename": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "fileName": "positive1.bicep" + "line": 9, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.bicep" + "line": 11, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "fileName": "positive4.bicep" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive5.bicep" + "line": 36, + "filename": "positive1.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 36, + "filename": "positive4.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json index 1cc3d9d0314..79c403a9823 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.json" + "line": 33, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 47, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 45, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 45, - "fileName": "positive5.json" + "filename": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 45, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive8.json" + "line": 32, + "filename": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.bicep" + "line": 33, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 43, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 43, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive5.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 32, + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 40, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive8.bicep" + "filename": "positive8.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json index 20ea5616ff9..a43b800fb0d 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.json" + "line": 31, + "filename": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 31, + "filename": "positive8.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 47, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 32, + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 42, - "fileName": "positive5.json" + "line": 31, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 32, + "filename": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 42, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive8.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive1.bicep" + "line": 33, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 43, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.bicep" + "line": 45, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 40, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 45, + "filename": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json index 55b0b39ad44..6e9d68c65c3 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.json" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive4.json" + "line": 12, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.bicep" + "line": 12, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.bicep" + "line": 13, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.bicep" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json index 494dc192beb..a4f0247830b 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 18, - "fileName": "positive1.json" + "filename": "positive2.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 18, - "fileName": "positive2.json" + "line": 20, + "filename": "positive3.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 18, + "filename": "positive1.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive4.json" + "line": 8, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive1.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive2.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "fileName": "positive4.bicep" + "line": 20, + "filename": "positive4.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json index 07b856517d0..906c97b31fb 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 49, - "filename": "positive1.json" + "line": 56, + "filename": "positive4.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", "line": 54, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 51, - "filename": "positive3.json" + "line": 49, + "filename": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 56, - "filename": "positive4.json" + "line": 35, + "filename": "positive2.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", "line": 33, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive2.bicep" + "line": 33, + "filename": "positive1.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 33, - "filename": "positive3.bicep" + "line": 35, + "filename": "positive4.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive4.bicep" + "line": 51, + "filename": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json index 203f8fff574..132e2321e00 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 46, - "filename": "positive1.json" + "line": 50, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 48, - "filename": "positive2.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive3.json" + "line": 33, + "filename": "positive6.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive4.json" + "line": 31, + "filename": "positive1.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive5.json" + "line": 33, + "filename": "positive2.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive6.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive1.bicep" + "line": 50, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive2.bicep" + "line": 48, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive3.bicep" + "line": 48, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive4.bicep" + "line": 46, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive5.bicep" + "filename": "positive3.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive6.bicep" + "filename": "positive5.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json index 0b8fdaabb48..723d041e45f 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 31, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 14, - "filename": "positive2.json" + "line": 33, + "filename": "positive3.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 33, - "filename": "positive3.json" + "line": 16, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 16, - "filename": "positive4.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 18, - "filename": "positive1.bicep" + "filename": "positive1.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 4, - "filename": "positive2.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 18, - "filename": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive4.bicep" + "line": 14, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json index 40352de71bc..255f4feb76a 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 4, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json" + "line": 7, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive3.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.json" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json" + "line": 8, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive8.json" + "line": 12, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "properties.template.resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.bicep" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep" + "line": 23, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.bicep" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.bicep" + "line": 1, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive5.bicep" + "filename": "positive8.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive6.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive7.bicep" + "line": 13, + "filename": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive8.bicep" + "line": 16, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json index a3671a1324c..72b2335c096 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 48, - "filename": "positive1.json" + "line": 36, + "filename": "positive3.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 43, - "filename": "positive2.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 50, - "filename": "positive3.json" + "line": 19, + "filename": "positive5.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 45, - "filename": "positive4.json" + "line": 31, + "filename": "positive7.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 32, - "filename": "positive5.json" + "line": 16, + "filename": "positive6.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", "line": 29, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "[format('{0}/{1}', 'sqlServer1', 'default')]", + "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 40, - "filename": "positive7.json" + "line": 32, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "sqlServer1/default", + "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive1.bicep" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive2.bicep" + "line": 45, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive3.bicep" + "line": 48, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive4.bicep" + "line": 50, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 19, - "filename": "positive5.bicep" + "line": 40, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 16, - "filename": "positive6.bicep" + "line": 43, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive7.bicep" + "line": 36, + "filename": "positive1.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index 3c2defc7892..592dc08bb0f 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json @@ -3,90 +3,180 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.bicep" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep" + "line": 8, + "filename": "positive9.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.bicep" + "line": 15, + "filename": "positive5.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 2, - "filename": "positive3.bicep" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive4.json" + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 15, - "filename": "positive4.json" + "line": 16, + "filename": "positive2.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive5.json" + "line": 23, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.json" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive6.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 23, - "filename": "positive6.json" + "line": 8, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive7.json" + "filename": "positive1.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json" + "line": 8, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive8.json" + "filename": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive9.json" + "line": 23, + "filename": "positive7.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json index d934e5404b5..ab77885e17b 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Standard Price Is Not Selected", "severity": "LOW", "line": 27, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 29, - "filename": "positive2.json" + "line": 23, + "filename": "positive3.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 23, - "filename": "positive3.json" + "line": 10, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", "line": 18, - "filename": "positive1.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", "line": 18, - "filename": "positive2.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 10, - "filename": "positive3.bicep" + "line": 29, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json index efe274a3d47..658595eafef 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 41, - "fileName": "positive1.json" + "line": 12, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 18, - "fileName": "positive2.json" + "line": 19, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 8, - "fileName": "positive3.json" + "line": 1, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 43, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 20, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 10, - "fileName": "positive6.json" + "line": 18, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 19, - "fileName": "positive1.bicep" + "line": 8, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 12, - "fileName": "positive2.bicep" + "line": 10, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "fileName": "positive3.bicep" + "line": 41, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 19, - "fileName": "positive4.bicep" + "line": 1, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 12, - "fileName": "positive5.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "fileName": "positive6.bicep" + "line": 19, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json index a7fe7354ff6..2aca8487050 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.json" + "line": 6, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.json" + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.json" + "line": 2, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.json" + "line": 13, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 8, - "fileName": "positive5.json" + "line": 19, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 20, - "fileName": "positive6.json" + "line": 8, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.bicep" + "line": 18, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.bicep" + "line": 20, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.bicep" + "line": 13, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 13, - "fileName": "positive4.bicep" + "line": 12, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", "line": 12, - "fileName": "positive6.bicep" + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json index 8958f4d9404..b436c45db90 100644 --- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 15, - "fileName": "positive1.json" + "line": 29, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "['${parameters('storageAccountName')}/default/${parameters('containerName')}']", + "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 107, - "fileName": "positive2.json" + "line": 17, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 50, - "fileName": "positive3.json" + "line": 107, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 17, - "fileName": "positive4.json" + "line": 52, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", "line": 109, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 52, - "fileName": "positive6.json" + "line": 50, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 96, - "fileName": "positive7.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 5, - "fileName": "positive1.bicep" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 87, - "fileName": "positive2.bicep" + "line": 96, + "filename": "positive7.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 29, - "fileName": "positive3.bicep" + "line": 87, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index a38a9ae1865..8cdf7e3b02a 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -2,223 +2,445 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 80, - "fileName": "positive1.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 84, - "fileName": "positive1.json" + "line": 7, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 88, - "fileName": "positive1.json" + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 77, - "fileName": "positive2.json" + "line": 3, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 77, - "fileName": "positive2.json" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 80, - "fileName": "positive2.json" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 7, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 15, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 82, - "fileName": "positive4.json" + "line": 15, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 86, - "fileName": "positive4.json" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 90, - "fileName": "positive4.json" + "line": 80, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 79, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - "fileName": "positive5.json" + "line": 80, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 82, - "fileName": "positive5.json" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 79, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 4, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.bicep" + "line": 4, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.bicep" + "line": 82, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.bicep" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.bicep" + "line": 3, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.bicep" + "line": 88, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.bicep" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.bicep" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive3.bicep" + "line": 4, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.bicep" + "line": 77, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.bicep" + "line": 90, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive5.bicep" + "line": 82, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 86, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 4, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 3, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 3, - "fileName": "positive7.bicep" + "line": 7, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 3, - "fileName": "positive7.bicep" + "line": 77, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 3, - "fileName": "positive7.bicep" + "line": 84, + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 273685f7d4b..12b6dab69ec 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -3,84 +3,168 @@ "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.json" + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 18, + "filename": "positive7.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive3.json" + "line": 19, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive5.json" + "line": 10, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive6.json" + "line": 1, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive7.json" + "line": 11, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.bicep" + "line": 9, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.bicep" + "line": 17, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.bicep" + "line": 23, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.bicep" + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive7.bicep" + "line": 21, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json index 3ce6f3b5fcd..57e22cd6455 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive1.json" + "line": 12, + "filename": "positive3.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 25, - "fileName": "positive2.json" + "line": 27, + "filename": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive2.json" + "line": 12, + "filename": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "fileName": "positive3.json" + "line": 11, + "filename": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 27, - "fileName": "positive4.json" + "line": 26, + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "fileName": "positive4.json" + "line": 25, + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive1.bicep" + "line": 28, + "filename": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive2.bicep" + "line": 26, + "filename": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive2.bicep" + "line": 28, + "filename": "positive3.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "fileName": "positive3.bicep" + "filename": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive4.bicep" + "line": 12, + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive4.bicep" + "line": 11, + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json index 559db459cb4..f42bb2a7df7 100644 --- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json @@ -2,145 +2,289 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive1.json" + "line": 21, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive1.json" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive2.json" + "line": 9, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive3.json" + "line": 20, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive4.json" + "line": 17, + "filename": "positive7.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive5.json" + "line": 15, + "filename": "positive3.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 23, - "fileName": "positive5.json" + "line": 22, + "filename": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive6.json" + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive6.json" + "line": 5, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "fileName": "positive7.json" + "line": 10, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "fileName": "positive8.json" + "line": 19, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive1.bicep" + "line": 17, + "filename": "positive8.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive1.bicep" + "line": 5, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive2.bicep" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 11, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 22, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 21, + "filename": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 10, - "fileName": "positive5.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive5.bicep" + "line": 5, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive6.bicep" + "line": 10, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive6.bicep" + "line": 9, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive7.bicep" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive8.bicep" + "line": 20, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json index 239378fb4dd..f9cb67d5c75 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 17, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json" + "line": 13, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", "line": 14, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 13, - "filename": "positive4.json" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is not defined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json" + "line": 11, + "filename": "positive5.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties.minTlsVersion", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is defined to '1.1'" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.bicep" + "line": 5, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", "line": 4, - "filename": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", "line": 6, - "filename": "positive3.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.bicep" + "line": 14, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.bicep" + "line": 12, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 10, - "filename": "positive6.bicep" + "line": 6, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index a4f6d28793d..4bab8c0efa5 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive1.json" + "line": 5, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 5, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 15, - "fileName": "positive3.json" + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 12, - "fileName": "positive4.json" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive5.json" + "line": 10, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive6.json" + "line": 5, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive7.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive2.bicep" + "line": 17, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 15, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive4.bicep" + "line": 12, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "properties.template.resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive5.bicep" + "line": 18, + "filename": "positive7.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive6.bicep" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "fileName": "positive7.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" } -] +] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json index 139dfcbc9e3..01fbb9ae742 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 7, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.bicep" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 17, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.bicep" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index 0c8d1bb5c60..e708a1e9f48 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive5.json" + "line": 25, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive6.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.bicep" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 44, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 17, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.bicep" + "line": 46, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive5.bicep" + "line": 23, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive6.bicep" + "line": 7, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json index d0b031f4309..c29eaf47442 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive1.json" - }, - { - "queryName": "Website with 'Http20Enabled' Disabled", - "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 8, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive3.json" + "line": 9, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 17, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 21, - "fileName": "positive5.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 20, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive1.bicep" + "line": 21, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 9, - "fileName": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive3.bicep" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 19, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "fileName": "positive5.bicep" + "line": 18, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 8, - "fileName": "positive6.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + }, + { + "queryName": "Website with 'Http20Enabled' Disabled", + "severity": "LOW", + "line": 5, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" } -] +] \ No newline at end of file diff --git a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json index b170be0f78e..8bc63902839 100644 --- a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Run Using apt", "severity": "LOW", "line": 3, - "fileName": "positive.sh" + "filename": "positive.sh", + "resourceType": "", + "resourceName": "", + "searchKey": "from[{{fedora}}].{{buildah run ${c} apt install python3-setuptools -y}}", + "searchValue": "", + "expectedValue": "RUN instructions should not use the 'apt' program", + "actualValue": "RUN instruction is invoking the 'apt' program" } ] \ No newline at end of file diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index d286f9fe022..dee55bda680 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive2.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Issue Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive4.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive5.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive6.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", + "searchValue": "github.event.pull_request.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive7.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user." } -] +] \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index cd44b6b0881..0666597288a 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json @@ -1,44 +1,86 @@ [ - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive1.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive3.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive4.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive5.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive6.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive7.yaml" - } -] + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.pull_request.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user." + } +] \ No newline at end of file diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json index 239e93bff3d..3de30fa0f97 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Unpinned Actions Full Length Commit SHA", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "uses={{thollander/actions-comment-pull-request@v2}}", + "searchValue": "", + "expectedValue": "Action pinned to a full length commit SHA.", + "actualValue": "Action is not pinned to a full length commit SHA." } ] \ No newline at end of file diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index cf333643e72..27d9feeebeb 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.yaml" - } -] + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + } +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json index 141986e6d6a..5a589eea199 100644 --- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", + "searchValue": "", + "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days)." }, { - "fileName": "positive2.json", "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", - "line": 8 + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", + "searchValue": "", + "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days)." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 752bfdd1cca..5c5a944569a 100644 --- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22222222", + "searchKey": "Resources.MyLoadBalancer22222222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" }, { - "fileName": "positive2.yaml", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 3 + "line": 4, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV22222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" }, { - "fileName": "positive3.json", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 4 + "line": 3, + "filename": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV2' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV2' does not have an 'internal' scheme and a 'WebACLAssociation' associated" }, { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.json" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22", + "searchKey": "Resources.MyLoadBalancer22", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json index 04e2f4531a9..83be4f140b7 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" }, { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" }, { - "line": 35, - "fileName": "positive2.json", "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" }, { - "line": 9, - "fileName": "positive2.json", "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json index 71586537796..68ae2e8e772 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", - "line": 17 + "line": 24, + "filename": "positive2.json", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'" }, { "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.json" + "line": 17, + "filename": "positive1.yaml", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index b6f9e0c14ad..c23d69988ed 100644 --- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is not defined" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index 23eaadc63ed..922bdc7b034 100644 --- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined" }, { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 7, - "fileName": "positive2.json" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json index 15c356f85c1..3f5824f34f1 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 9, + "filename": "positive6.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" }, { - "line": 10, - "fileName": "positive3.yaml", "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 7, + "filename": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined" }, { - "fileName": "positive1.yaml", "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6 + "line": 11, + "filename": "positive4.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" }, { - "line": 11, - "fileName": "positive4.json", "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 7, - "fileName": "positive5.json" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 9, - "fileName": "positive6.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json index f96f04cb1a8..15f866d5c1f 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 16, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 12, - "fileName": "positive3.json" + "line": 6, + "filename": "positive5.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 12, - "fileName": "positive4.json" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 6, - "fileName": "positive5.yaml" + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json index e205140998d..d99574e9674 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { - "line": 4, - "fileName": "positive1.yaml", "queryName": "Amplify App OAuth Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", - "line": 5, - "fileName": "positive3.json" + "line": 11, + "filename": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", - "line": 11, - "fileName": "positive4.json" + "line": 5, + "filename": "positive3.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json index d6968d166f3..13e4020cc62 100644 --- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -3,37 +3,72 @@ "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml" + "line": 18, + "filename": "positive5.yaml", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { - "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 19, - "fileName": "positive3.json" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 35, - "fileName": "positive4.json" + "line": 19, + "filename": "positive6.json", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 18, - "fileName": "positive5.yaml" + "line": 35, + "filename": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 19, - "fileName": "positive6.json" + "filename": "positive3.json", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 4038d0f764d..9b2320b5c38 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -2,115 +2,229 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 16, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive16.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" + "line": 15, + "filename": "positive15.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, - "fileName": "positive3.json" + "line": 6, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 21, + "filename": "positive3.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, - "fileName": "positive5.json" + "line": 7, + "filename": "positive7.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, - "fileName": "positive6.json" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 7, - "fileName": "positive7.json" + "line": 14, + "filename": "positive14.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.yaml" + "filename": "positive11.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive9.yaml" + "line": 21, + "filename": "positive12.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "fileName": "positive10.json" + "line": 6, + "filename": "positive5.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "AccessLogSettings", + "expectedValue": "'AccessLogSettings' should be defined", + "actualValue": "'AccessLogSettings' is not defined" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive11.yaml" + "line": 19, + "filename": "positive4.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 13, - "fileName": "positive11.yaml" + "line": 4, + "filename": "positive9.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, - "fileName": "positive12.json" + "line": 4, + "filename": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive13.yaml" + "filename": "positive17.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "AccessLogSettings", + "expectedValue": "'AccessLogSettings' should be defined", + "actualValue": "'AccessLogSettings' is not defined" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 14, - "fileName": "positive13.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 14, - "fileName": "positive14.yaml" + "line": 4, + "filename": "positive8.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 15, - "fileName": "positive15.yaml" + "line": 14, + "filename": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive16.yaml" + "line": 19, + "filename": "positive10.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive17.yaml" + "line": 13, + "filename": "positive11.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json index 5c7f7c57d03..2791b94a5c7 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 31, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 6, - "fileName": "positive3.json" + "line": 31, + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 6, - "fileName": "positive4.json" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 31, - "fileName": "positive5.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": "positive6.json" + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json index fc1ce51db13..b0e5d533663 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "fileName": "positive1.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" }, { - "fileName": "positive2.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 11 + "line": 9, + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" }, { - "fileName": "positive3.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9 + "line": 12, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" }, { - "fileName": "positive4.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12 + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" }, { - "fileName": "positive5.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9 + "line": 12, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" }, { - "fileName": "positive6.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12 + "line": 9, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index 348bf203e11..b4e52be8aeb 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" }, { - "fileName": "positive3.yaml", "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21 + "line": 31, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment1", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 29, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment2", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" }, { - "fileName": "positive4.json", "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 15 + "line": 21, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment2", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment1", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 31, - "fileName": "positive6.json" + "line": 29, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 98171acb95d..95ed160091f 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" }, { - "line": 4, - "fileName": "positive2.yaml", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW" + "severity": "LOW", + "line": 5, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined" }, { - "line": 5, - "fileName": "positive4.json", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW" + "severity": "LOW", + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" }, { - "fileName": "positive5.json", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5 + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "fileName": "positive6.json" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 61437b8b033..0c3a07b5b99 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined" }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'" }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.json" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined" }, { - "line": 14, - "fileName": "positive2.json", "queryName": "API Gateway Endpoint Config is Not Private", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 2862d01c542..41402f79077 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.json" + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.json" + "line": 13, + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 13, - "fileName": "positive5.json" + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 7, - "fileName": "positive6.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index bc88b844206..3c80800f5bd 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "fileName": "positive1.yaml", - "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated" + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "fileName": "positive4.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "fileName": "positive5.json" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "fileName": "positive6.json" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 476b31885dd..f3b7b3f1873 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "fileName": "positive1.yaml" + "line": 22, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "fileName": "positive4.json" + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi8.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi6.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "fileName": "positive5.json" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi5.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" + "line": 17, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "fileName": "positive6.json" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json index 75c0bb8a047..020d5d534b0 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "API Gateway With Open Access", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS", + "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS" }, { "queryName": "API Gateway With Open Access", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS", + "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index f12a5dcc457..f02ab18095a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive3.yaml" + "line": 4, + "filename": "positive7.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi10", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive4.yaml" + "line": 20, + "filename": "positive6.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket9", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "fileName": "positive7.json" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "fileName": "positive8.json" + "line": 3, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi6", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket5", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi7", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket8", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 20, - "fileName": "positive6.json" + "line": 4, + "filename": "positive8.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi11", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json index b41df1f3039..27a59599624 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 20, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" }, { - "fileName": "positive4.json", "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 7809abfcec6..c89f9f88d5a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdApiGatewayStagePos.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdApiGatewayStagePos.Properties should have ClientCertificateId defined", + "actualValue": "Resources.ProdApiGatewayStagePos.Properties doesn't have ClientCertificateId defined" }, { "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdApiGatewayStagePos2.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdApiGatewayStagePos2.Properties should have ClientCertificateId defined", + "actualValue": "Resources.ProdApiGatewayStagePos2.Properties doesn't have ClientCertificateId defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json index 6bd883801f4..43cae870810 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { "queryName": "API Gateway without WAF", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.StageName", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" }, { "queryName": "API Gateway without WAF", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.StageName", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 8eeda87f4fb..6807b55b7b0 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 13, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos4.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 6, - "fileName": "positive2.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos3.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos3.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos3.Properties.TracingEnabled is false" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 23, - "fileName": "positive3.json" + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 6, - "fileName": "positive4.json" + "line": 23, + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 8e31712dcf2..20f6466f0f4 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "line": 28, - "fileName": "positive1.yaml", "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 126, + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" }, { - "fileName": "positive1.yaml", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 60 + "line": 38, + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 87, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 38, - "fileName": "positive2.json" + "line": 87, + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 78, - "fileName": "positive2.json" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined" }, { - "fileName": "positive2.json", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 126 + "line": 78, + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index a7a2b2484ab..0cd092621a6 100644 --- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive1.yaml" + "line": 17, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 42, - "fileName": "positive1.yaml" + "line": 44, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 44, - "fileName": "positive2.json" + "line": 42, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 42, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive4.json" + "line": 18, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 44, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index 2a6d712aed3..e5aa97561c1 100644 --- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive4.json", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 12, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 21, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", - "line": 12, - "fileName": "positive4.json" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 939db20c092..aa865074aef 100644 --- a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 14, - "fileName": "positive1.json" + "line": 10, + "filename": "positive8.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive10.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive3.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "fileName": "positive4.yaml" + "line": 12, + "filename": "positive12.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 15, - "fileName": "positive5.json" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive6.yaml" + "line": 14, + "filename": "positive1.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 13, - "fileName": "positive7.json" + "line": 15, + "filename": "positive11.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "fileName": "positive8.yaml" + "line": 15, + "filename": "positive5.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 14, - "fileName": "positive9.json" + "line": 12, + "filename": "positive6.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive10.yaml" + "line": 13, + "filename": "positive7.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 15, - "fileName": "positive11.json" + "line": 14, + "filename": "positive9.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive12.yaml" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 2dc7aa82920..e5b27a678d5 100644 --- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 6, - "fileName": "positive1.yaml" + "line": 15, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured" }, { + "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, - "fileName": "positive2.json", - "queryName": "CDN Configuration Is Missing" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" }, { - "fileName": "positive2.json", "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 15 + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json index 8ce4013218e..46abfa03290 100644 --- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.yaml", - "queryName": "CloudFormation Specifying Credentials Not Safe" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 71, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 48, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists" }, { - "line": 51, - "fileName": "positive2.json", "queryName": "CloudFormation Specifying Credentials Not Safe", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 51, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 112, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 309047d4b3d..1ff00352ec4 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined" }, { - "line": 30, - "fileName": "positive2.yaml", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain" }, { - "line": 6, - "fileName": "positive3.json", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 6, + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined" }, { - "line": 40, - "fileName": "positive4.json", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 40, + "filename": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index 6d69099acae..93fbf24ef0d 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" }, { + "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.yaml", - "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP" + "line": 50, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" }, { - "fileName": "positive2.json", "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50 + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 53cec9a0d72..5a848c8b1a5 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 25, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 33, - "fileName": "positive1.yaml" + "line": 55, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined" }, { - "line": 55, - "fileName": "positive2.json", "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016" }, { + "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json", - "queryName": "CloudFront Without Minimum Protocol TLS 1.2" + "line": 33, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json index ed9820e4c0b..dd166d6a84c 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" }, { - "fileName": "positive2.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 13 + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" }, { - "fileName": "positive3.yaml", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 21 + "line": 36, + "filename": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" }, { - "fileName": "positive4.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 36 + "line": 13, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 0a532feff98..5d13b4b1bab 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 77, - "fileName": "positive1.yaml" + "line": 108, + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "fileName": "positive2.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 108, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 62, - "fileName": "positive3.yaml" + "line": 87, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 77, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 87, - "fileName": "positive4.json" + "line": 62, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 108, - "fileName": "positive4.json" + "line": 77, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 0c9a19e668c..c1535f6defb 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 62, - "fileName": "positive1.yaml" + "line": 53, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 53, - "fileName": "positive2.json" + "line": 6, + "filename": "positive3.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 6, - "fileName": "positive3.json" + "line": 62, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 989c8dbedb1..837e024960f 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail.Properties.IsLogging' is false" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 34, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail3.Properties.IsLogging' is false" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive2.json" + "line": 34, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 25, + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive3.yaml" + "line": 25, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive4.json" + "line": 45, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + "searchKey": "Resources.myTrail6.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index ed813dff05c..00832068b3a 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ - { + { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 76, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 309385fe204..16ea8cc19fb 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 62, - "fileName": "positive2.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "line": 82, + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 62, - "fileName": "positive3.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "line": 82, + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "filename": "positive5.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "filename": "positive6.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 82, - "fileName": "positive5.json" + "line": 62, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", - "line": 82, - "fileName": "positive6.json" + "line": 62, + "filename": "positive2.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index c7914b58792..f938503175c 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 12, - "fileName": "positive1.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail4.Properties.SnsTopicName' is undefined" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 22, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail5.Properties.SnsTopicName' is undefined" }, { - "line": 9, - "fileName": "positive2.json", "queryName": "CloudTrail SNS Topic Name Undefined", - "severity": "LOW" + "severity": "LOW", + "line": 23, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + "searchKey": "Resources.myTrail6.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 23, - "fileName": "positive2.json" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index 372d5fa2709..920ec5ac936 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml", - "queryName": "CloudWatch Logging Disabled" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone4.Properties", + "searchValue": "", + "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined" }, { "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone3.Properties", + "searchValue": "", + "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index d67127722ba..9a08935ec94 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive2.json" + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.yaml" + "line": 25, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is undefined" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive4.json" + "line": 32, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive5.yaml" + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive5.yaml" + "line": 18, + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json index d1b3cd303b5..000351182d2 100644 --- a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.yaml" + "line": 59, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.json" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 59, - "fileName": "positive2.json" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.yaml" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json index 5ebce8e3f8f..5c33faed445 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" + "line": 49, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 31, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive2.json" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 49, - "fileName": "positive2.json" + "line": 31, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 7, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json index 33a0d16b773..a40bc635db4 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 54, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined" }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 24, - "fileName": "positive2.yaml" + "line": 4, + "filename": "positive7.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 36, - "fileName": "positive3.yaml", - "queryName": "CMK Unencrypted Storage" + "line": 58, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined" }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 58, - "fileName": "positive4.json", - "queryName": "CMK Unencrypted Storage" + "line": 37, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 25, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" }, { - "fileName": "positive6.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 37 + "line": 5, + "filename": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" }, { - "fileName": "positive7.yaml", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 4 + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" }, { - "fileName": "positive8.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 5 + "line": 36, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json index 7c93149d589..3e13b6d1c2d 100644 --- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "CodeBuild Not Encrypted", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml", - "queryName": "CodeBuild Not Encrypted" + "filename": "positive1.yaml", + "resourceType": "AWS::CodeBuild::Project", + "resourceName": "CodeBuildProject", + "searchKey": "Resources.CodeBuildProject.Project.Properties", + "searchValue": "", + "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null" }, { "queryName": "CodeBuild Not Encrypted", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CodeBuild::Project", + "resourceName": "CodeBuildProject", + "searchKey": "Resources.CodeBuildProject.Project.Properties", + "searchValue": "", + "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index ae5f99ba86a..2e9c08ea318 100644 --- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive2.json", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 8, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF" }, { + "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 10, - "fileName": "positive2.json", - "queryName": "Cognito UserPool Without MFA" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index b59fb53e28f..4aedf7604ca 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 21, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator1", + "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 33, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 49, - "fileName": "positive1.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 6, - "fileName": "positive2.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 24, - "fileName": "positive2.json" + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 43, - "fileName": "positive2.json" + "line": 24, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 62, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive3.yaml" + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json index 695b9f2ccc9..215d1b9f51b 100644 --- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule", + "searchValue": "", + "expectedValue": "There should be a ConfigRule for encrypted volumes.", + "actualValue": "There isn't a ConfigRule for encrypted volumes." }, { - "fileName": "positive2.json", "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule", + "searchValue": "", + "expectedValue": "There should be a ConfigRule for encrypted volumes.", + "actualValue": "There isn't a ConfigRule for encrypted volumes." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json index acd66f251b2..26357238fe6 100644 --- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "line": 13, - "fileName": "positive1.yaml", "queryName": "Connection Between CloudFront Origin Not Encrypted", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 56, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", - "line": 19, - "fileName": "positive2.json" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" }, { + "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", - "line": 56, - "fileName": "positive2.json", - "queryName": "Connection Between CloudFront Origin Not Encrypted" + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index efb66945b4a..f7007dd1558 100644 --- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", - "line": 7, - "fileName": "positive2.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive4.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", - "line": 6, - "fileName": "positive5.yaml" + "line": 7, + "filename": "positive4.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index c34b2aca335..8ee240b878d 100644 --- a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive8.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive2.yaml" + "line": 9, + "filename": "positive6.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 9, - "fileName": "positive5.json" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 9, - "fileName": "positive6.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive7.json" + "line": 9, + "filename": "positive5.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 7, - "fileName": "positive8.json" + "line": 8, + "filename": "positive7.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 14755c73640..2fd264d8da7 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 15, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 7, - "fileName": "positive2.yaml" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 13, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 19, - "fileName": "positive2.yaml" + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 9, - "fileName": "positive3.json" + "line": 18, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 27, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 31, - "fileName": "positive3.json" + "line": 9, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 9, - "fileName": "positive4.json" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 18, - "fileName": "positive4.json" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 27, - "fileName": "positive4.json" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 09e8322a452..669b7d07d98 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,91 +2,181 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "fileName": "positive1.yaml" + "line": 41, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 20, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 32, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 36, - "fileName": "positive1.yaml" + "line": 61, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 52, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos5", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 61, - "fileName": "positive1.yaml" + "line": 52, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "fileName": "positive2.yaml" + "line": 32, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 9, - "fileName": "positive3.json" + "line": 70, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 26, - "fileName": "positive3.json" + "line": 47, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 41, - "fileName": "positive3.json" + "line": 26, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos3", + "searchKey": "Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 47, - "fileName": "positive3.json" + "line": 36, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 70, - "fileName": "positive3.json" + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos4", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 82, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 9, - "fileName": "positive4.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "fileName": "positive5.yaml" + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos1", + "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json index 4df0f766fc8..7d34a6ede23 100644 --- a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", - "line": 24, - "fileName": "positive1.yaml" + "line": 25, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", - "line": 25, - "fileName": "positive2.json" + "line": 24, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index b90bf1cf9c9..d8c4e75d676 100644 --- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 15, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "fileName": "positive2.yaml" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 25, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 13, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set." }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 25, - "fileName": "positive4.json" + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json index 208eae633ff..f4c97625f7d 100644 --- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 5, - "fileName": "positive3.yaml" + "line": 17, + "filename": "positive4.json", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp-2.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 9, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive5.json", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 14, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 17, - "fileName": "positive4.json" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp-2.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string" }, { - "severity": "HIGH", - "line": 11, "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", - "fileName": "positive5.json" + "severity": "HIGH", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", + "actualValue": "Parameters.ParentMasterPassword.Default is defined" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", + "actualValue": "Parameters.ParentMasterPassword.Default is defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json index 8df12a589f9..431ea0ff862 100644 --- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "fileName": "positive3.yaml", "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 5 + "line": 20, + "filename": "positive4.json", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { + "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 9, - "fileName": "positive2.yaml", - "queryName": "Directory Service Simple AD Password Exposed" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 18, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp5.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { + "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 20, - "fileName": "positive4.json", - "queryName": "Directory Service Simple AD Password Exposed" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, { - "fileName": "positive5.json", "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive5.json", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp5.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json index cb7f890e5bb..f25c50004ca 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "line": 13, - "fileName": "positive1.yaml", "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 38, + "filename": "positive6.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp6", + "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" }, { - "line": 24, - "fileName": "positive2.yaml", "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 26, + "filename": "positive5.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp5", + "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" }, { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", - "line": 35, - "fileName": "positive3.yaml", - "queryName": "DMS Endpoint MongoDB Settings Password Exposed" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.MasterMongoDBPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", - "line": 16, - "fileName": "positive4.json" + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp5", + "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", - "line": 26, - "fileName": "positive5.json" + "line": 35, + "filename": "positive3.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp6", + "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", - "line": 38, - "fileName": "positive6.json" + "line": 16, + "filename": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.MasterMongoDBPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json index f309b51052e..46991b0d943 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml" + "line": 25, + "filename": "positive3.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint6", + "searchKey": "Resources.DMSEndpoint6.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 20, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint4", + "searchKey": "Resources.DMSEndpoint4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", - "line": 25, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 23, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint4", + "searchKey": "Resources.DMSEndpoint4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 26, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint6", + "searchKey": "Resources.DMSEndpoint6.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json index da879bc197f..24347ec319d 100644 --- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml", - "queryName": "DocDB Cluster Master Password In Plaintext" + "line": 18, + "filename": "positive6.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp03", + "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 12, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, { + "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 17, - "fileName": "positive4.json", - "queryName": "DocDB Cluster Master Password In Plaintext" + "line": 12, + "filename": "positive3.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp03", + "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 6, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 18, - "fileName": "positive6.json" + "line": 17, + "filename": "positive4.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json index ffbae5321d4..48cf0f125dc 100644 --- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: profiler" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index ca734781071..cdcb93c9347 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 18, - "filename": "positive1.yaml" + "line": 8, + "filename": "positive3.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "AuthorsTable_prod", + "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 17, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be set and to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is not set" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive3.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index 6b9c1de7eae..459c806b6d7 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 4, - "filename": "positive2.yaml" + "line": 7, + "filename": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 5, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 5, - "filename": "positive5.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 7, - "filename": "positive6.json" + "line": 5, + "filename": "positive5.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 6, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json index 9e900553ca0..b0cc56e31cc 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive5.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", - "line": 4, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", - "line": 5, - "fileName": "positive4.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive5.json" + "filename": "positive7.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", - "line": 5, - "fileName": "positive6.json" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", - "line": 4, - "fileName": "positive7.yaml" + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json index 9d6b05aba69..ae79a4b55c6 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'" }, { "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 16, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 79ec37039ae..72792630fc5 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 8, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 15, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume02", + "searchKey": "Resources.NewVolume02.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 8, - "fileName": "positive5.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume02", + "searchKey": "Resources.NewVolume02.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json index fffab5be473..3a35f06d9c1 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EBS Volume Without KmsKeyId", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "EBS Volume Without KmsKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json index 3b88d058195..129f27e5389 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" + "line": 55, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 29, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" }, { + "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 55, - "fileName": "positive1.yaml", - "queryName": "EC2 Instance Has No IAM Role" + "line": 94, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.json" + "line": 29, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" }, { - "line": 47, - "fileName": "positive2.json", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" }, { - "fileName": "positive2.json", "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 94 + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" }, { - "line": 53, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 47, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" }, { - "line": 4, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" }, { - "line": 29, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 53, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 98e34e6fa58..8ba4bc04b1d 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json index 95bff5b59c4..663f28c6b40 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.json" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 21e8b9adb1c..4d7ca46a2c1 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" + "line": 23, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", - "line": 23, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 13ad6579c84..1929be6e3cd 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "DefaultVPC", + "searchKey": "Resources.DefaultVPC.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC" }, { "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "DefaultVPC", + "searchKey": "Resources.DefaultVPC.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json index 76b37110772..f2f7a749c0b 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { + "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 12, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Duplicate Rule" + "line": 39, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" }, { + "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", "line": 25, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Duplicate Rule" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 39, - "fileName": "positive1.yaml" + "line": 52, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule2", + "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 52, - "fileName": "positive1.yaml" + "line": 23, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" }, { - "line": 33, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Duplicate Rule", - "severity": "INFO" + "severity": "INFO", + "line": 57, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 71, - "fileName": "positive2.json" + "line": 33, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 23, - "fileName": "positive2.json" + "line": 71, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule2", + "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 57, - "fileName": "positive2.json" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json index d21807992f5..699a01f65c1 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Network ACL Ineffective Denied Traffic", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrBlock", + "searchValue": "", + "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)" }, { "queryName": "EC2 Network ACL Ineffective Denied Traffic", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrBlock", + "searchValue": "", + "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json index 07ad254cb0d..afd6be9bb7c 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 78, - "fileName": "positive1.yaml" + "line": 105, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 90, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 54, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { - "fileName": "positive1.yaml", "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 30 + "line": 78, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { + "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Overlapping Ports" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 54, - "fileName": "positive1.yaml" + "line": 73, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 73, - "fileName": "positive2.json" + "line": 116, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { - "line": 116, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 90, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 22, - "fileName": "positive2.json" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { - "line": 82, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 38, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { - "line": 105, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 22, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 38, - "fileName": "positive2.json" + "line": 82, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 53aad6fca47..f8365bdf0eb 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 4, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 5, - "fileName": "positive2.json" + "line": 23, + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 16, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 23, - "fileName": "positive4.json" + "line": 4, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 4, - "fileName": "positive5.yaml" + "line": 16, + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 5, - "fileName": "positive6.json" + "line": 16, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 16, - "fileName": "positive7.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json index 4e0fafdad8d..6ba54453fe2 100644 --- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Permissive Network ACL Protocols", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.Protocol", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" }, { + "queryName": "EC2 Permissive Network ACL Protocols", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.json", - "queryName": "EC2 Permissive Network ACL Protocols" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.Protocol", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json index 5f3620a8431..fc02bee7c68 100644 --- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "EC2 Public Instance Exposed Through Subnet", "severity": "MEDIUM", - "line": 28 + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance", + "searchKey": "Resources.mySubnet", + "searchValue": "", + "expectedValue": "Resources.mySubnet should be a private subnet", + "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic" }, { "queryName": "EC2 Public Instance Exposed Through Subnet", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance", + "searchKey": "Resources.mySubnet", + "searchValue": "", + "expectedValue": "Resources.mySubnet should be a private subnet", + "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 0adf53057a5..cd7343dd4b9 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -2,1093 +2,2185 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 31, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 41, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 49, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 66, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 25, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 93, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 54, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 113, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 44, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 84, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 94, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 34, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 38, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 107, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "fileName": "positive1.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 70, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 80, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 84, - "fileName": "positive1.yaml" + "line": 75, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 20, - "fileName": "positive2.yaml" + "line": 65, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 29, - "fileName": "positive2.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 38, - "fileName": "positive2.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 47, - "fileName": "positive2.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 57, - "fileName": "positive2.yaml" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 66, - "fileName": "positive2.yaml" + "line": 47, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 75, - "fileName": "positive2.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 84, - "fileName": "positive2.yaml" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 25, - "fileName": "positive3.json" + "line": 80, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 39, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 53, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 65, - "fileName": "positive3.json" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 29, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 39, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 53, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 84, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 57, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 84, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 74, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 41, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 64, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 24, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 93, - "fileName": "positive3.json" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 107, - "fileName": "positive3.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 113, - "fileName": "positive3.json" + "line": 70, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 24, - "fileName": "positive4.json" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 34, - "fileName": "positive4.json" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 44, - "fileName": "positive4.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 54, - "fileName": "positive4.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 64, - "fileName": "positive4.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 74, - "fileName": "positive4.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 84, - "fileName": "positive4.json" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 94, - "fileName": "positive4.json" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index d6ad7efe073..dc2a084df86 100644 --- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.yaml" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository4.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository4.Properties.ImageTagMutability should be defined and not null", + "actualValue": "Resources.MyRepository4.Properties.ImageTagMutability is undefined or null" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository5.Properties.ImageTagMutability", + "searchValue": "", + "expectedValue": "Resources.MyRepository5.Properties.ImageTagMutability should be 'IMMUTABLE'", + "actualValue": "Resources.MyRepository5.Properties.ImageTagMutability is 'MUTABLE'" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.json" + "line": 36, + "filename": "positive2.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository6.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository6.Properties.ImageTagMutability should be defined and not null", + "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 36, - "fileName": "positive2.json" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'", + "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 9118d4b848e..d137f6dc1e6 100644 --- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties.RepositoryPolicyText", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'", + "actualValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal contains '*'" }, { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository4.Properties.RepositoryPolicyText", + "searchValue": "", + "expectedValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'", + "actualValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json index 951a94d2d37..ae7269c2358 100644 --- a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 6, - "fileName": "positive1.json" + "line": 11, + "filename": "positive5.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 12, - "fileName": "positive2.json" + "line": 6, + "filename": "positive1.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration should be defined and not null", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 12, - "fileName": "positive3.json" + "line": 8, + "filename": "positive9.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", "line": 11, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 11, - "fileName": "positive5.json" + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" }, - { + { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", "line": 5, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties", + "searchValue": "", + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 9, - "fileName": "positive7.yaml" + "line": 8, + "filename": "positive10.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", "line": 9, - "fileName": "positive8.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType", + "searchValue": "", + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 8, - "fileName": "positive9.yaml" + "line": 9, + "filename": "positive8.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType", + "searchValue": "", + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 8, - "fileName": "positive10.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index cd03c0a5a7c..3bd0469a6e3 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 4, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Cluster", + "resourceName": "ECSCluster", + "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", + "searchValue": "", + "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" }, { + "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 7, - "fileName": "positive2.json", - "queryName": "ECS Cluster with Container Insights Disabled" + "filename": "positive3.json", + "resourceType": "AWS::ECS::Cluster", + "resourceName": "ECSCluster", + "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", + "searchValue": "", + "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" }, { + "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 7, - "fileName": "positive3.json", - "queryName": "ECS Cluster with Container Insights Disabled" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Cluster", + "resourceName": "ECSCluster", + "searchKey": "Resources.ECSCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'", + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json index acd4c922ed6..8b91db39dc1 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "ECS Cluster Not Encrypted At Rest", "severity": "HIGH", "line": 37, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "service", + "searchKey": "Resources.taskdefinition.Properties.Volumes", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" }, { + "queryName": "ECS Cluster Not Encrypted At Rest", "severity": "HIGH", "line": 26, - "fileName": "positive2.yaml", - "queryName": "ECS Cluster Not Encrypted At Rest" + "filename": "positive2.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "service", + "searchKey": "Resources.taskdefinition1", + "searchValue": "", + "expectedValue": "Resources.taskdefinition1 should be defined", + "actualValue": "Resources.taskdefinition1 is not defined." }, { + "queryName": "ECS Cluster Not Encrypted At Rest", "severity": "HIGH", "line": 122, - "fileName": "positive3.json", - "queryName": "ECS Cluster Not Encrypted At Rest" + "filename": "positive3.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "service", + "searchKey": "Resources.taskdefinition.Properties.Volumes", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" }, { "queryName": "ECS Cluster Not Encrypted At Rest", "severity": "HIGH", "line": 54, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "service", + "searchKey": "Resources.taskdefinition1", + "searchValue": "", + "expectedValue": "Resources.taskdefinition1 should be defined", + "actualValue": "Resources.taskdefinition1 is not defined." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json index 380d9611400..134af83f2e0 100644 --- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService2", + "searchKey": "Resources.ECSService2.Properties.LoadBalancers", + "searchValue": "", + "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty", + "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty" }, { "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", - "line": 25, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.ECSService.Properties", + "searchValue": "", + "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", + "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" }, { "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" + "line": 27, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService2", + "searchKey": "Resources.ECSService2.Properties.LoadBalancers", + "searchValue": "", + "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty", + "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty" }, { + "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", - "line": 27, - "fileName": "positive2.json", - "queryName": "ECS No Load Balancer Attached" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.ECSService.Properties", + "searchValue": "", + "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", + "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 54d894980d7..1ff0add812c 100644 --- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ECS Service Admin Role Is Present", "severity": "HIGH", "line": 87, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ServiceName", + "searchKey": "Resources.service.Properties.Role", + "searchValue": "", + "expectedValue": "Resources.service.Properties.Role should not be an admin role", + "actualValue": "Resources.service.Properties.Role is an admin role" }, { "queryName": "ECS Service Admin Role Is Present", "severity": "HIGH", "line": 66, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ServiceName", + "searchKey": "Resources.service.Properties.Role", + "searchValue": "", + "expectedValue": "Resources.service.Properties.Role should not be an admin role", + "actualValue": "Resources.service.Properties.Role is an admin role" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index 565c78ce282..a425bc532ea 100644 --- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "ECS Service Without Running Tasks", "severity": "LOW", - "line": 64 + "line": 64, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ServiceName", + "searchKey": "Resources.service.Properties", + "searchValue": "", + "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null", + "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null" }, { "queryName": "ECS Service Without Running Tasks", "severity": "LOW", "line": 152, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ServiceName", + "searchKey": "Resources.service.Properties", + "searchValue": "", + "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null", + "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 00b22e5a9dd..59b26c95af5 100644 --- a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "severity": "MEDIUM", - "line": 54, "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.yaml" - }, - { "severity": "MEDIUM", "line": 66, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "cfn-service", + "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", + "searchValue": "", + "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')", + "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'" + }, + { "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.json" + "severity": "MEDIUM", + "line": 54, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "cfn-service", + "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", + "searchValue": "", + "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')", + "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json index 803ab1f8440..fc8bbf2cc91 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "ECS Task Definition HealthCheck Missing", "severity": "LOW", - "line": 48 + "line": 48, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.1.Name.Ref=AppName", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property", + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property" }, { - "line": 55, - "fileName": "positive2.json", "queryName": "ECS Task Definition HealthCheck Missing", - "severity": "LOW" + "severity": "LOW", + "line": 55, + "filename": "positive2.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.0.Name.Ref=AppName", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property", + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json index 1b13003f4ec..90dce3a01b6 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "fileName": "positive1.yaml", "queryName": "ECS Task Definition Invalid CPU or Memory", "severity": "LOW", - "line": 42 + "line": 93, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", + "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", "severity": "LOW", - "line": 58, - "fileName": "positive1.yaml" + "line": 42, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values", + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", "severity": "LOW", - "line": 63, - "fileName": "positive2.json" + "line": 58, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", + "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", "severity": "LOW", - "line": 93, - "fileName": "positive2.json" + "line": 63, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values", + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 3ee7e3ba995..89e0fb31cba 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'", + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "ECS Task Definition Network Mode Not Recommended", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.NetworkMode", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'", + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json index fc9de30c639..4302e2bb9f3 100644 --- a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 49, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 90, - "fileName": "positive2.json" + "line": 49, + "filename": "positive3.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 49, - "fileName": "positive3.yaml" + "line": 90, + "filename": "positive2.json", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 2e8f3c2f72a..436ebd003e5 100644 --- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 35, - "fileName": "positive1.json" + "line": 30, + "filename": "positive3.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.json" + "line": 7, + "filename": "positive4.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 30, - "fileName": "positive3.json" + "line": 31, + "filename": "positive2.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.json" + "line": 35, + "filename": "positive1.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 35, - "fileName": "positive5.yaml" + "line": 34, + "filename": "positive6.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 34, - "fileName": "positive6.yaml" + "line": 35, + "filename": "positive5.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 32, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json index b3569a8fb15..917dc73d26e 100644 --- a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 82, - "fileName": "positive1.yaml" + "line": 157, + "filename": "positive2.json", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" }, { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 157, - "fileName": "positive2.json" + "line": 82, + "filename": "positive3.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 82, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json index f69d1cd120b..4fbae484ef5 100644 --- a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EFS Without Tags", "severity": "LOW", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "FileSystem", + "searchKey": "Resources.FileSystem", + "searchValue": "", + "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null" }, { "queryName": "EFS Without Tags", "severity": "LOW", "line": 40, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "FileSystem", + "searchKey": "Resources.FileSystem", + "searchValue": "", + "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index e1ca5a31001..f5b5cb1ee47 100644 --- a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "severity": "HIGH", - "line": 5, "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive1.yaml" + "severity": "HIGH", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterB", + "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", + "searchValue": "", + "expectedValue": "'secrets' should be defined inside the Resources field", + "actualValue": "'secrets' is undefined on the Resources field" }, { - "severity": "HIGH", - "line": 6, "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive2.json" + "severity": "HIGH", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterA", + "searchKey": "Resources.MyEKSClusterA.Properties", + "searchValue": "", + "expectedValue": "'EncryptionConfig' should be defined and not null", + "actualValue": "'EncryptionConfig' is undefined or null" }, { - "severity": "HIGH", - "line": 16, "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive3.yaml" + "severity": "HIGH", + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterA", + "searchKey": "Resources.MyEKSClusterA.Properties", + "searchValue": "", + "expectedValue": "'EncryptionConfig' should be defined and not null", + "actualValue": "'EncryptionConfig' is undefined or null" }, { + "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 19, - "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterB", + "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", + "searchValue": "", + "expectedValue": "'secrets' should be defined inside the Resources field", + "actualValue": "'secrets' is undefined on the Resources field" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json index facfe6cd979..44809606009 100644 --- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EKS node group remote access", "severity": "MEDIUM", - "line": 17, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::EKS::Nodegroup", + "resourceName": "EKSNodegroup", + "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", + "searchValue": "", + "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null" }, { "queryName": "EKS node group remote access", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 17, + "filename": "positive1.yaml", + "resourceType": "AWS::EKS::Nodegroup", + "resourceName": "EKSNodegroup", + "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", + "searchValue": "", + "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index e8a84d33553..d44e9251036 100644 --- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "line": 6, - "fileName": "positive1.yaml", "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster3", + "searchKey": "Resources.myCacheCluster3.Properties.AZMode", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster3.Properties.AZMode is 'cross-az'", + "actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az" }, { - "fileName": "positive3.json", "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 6 + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster6", + "searchKey": "Resources.myCacheCluster6.Properties", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive3.json", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster5", + "searchKey": "Resources.myCacheCluster5.Properties.AZMode", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster5.Properties.AZMode is 'cross-az'", + "actualValue": "Resources.myCacheCluster5.Properties.AZMode is 'single-az" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "filename": "positive2.yaml", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster4", + "searchKey": "Resources.myCacheCluster4.Properties", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json index 20174b78ed6..7a7f9c3a988 100644 --- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json index 36188c1bb62..38ee242adb8 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", - "line": 19, - "fileName": "positive3.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", - "line": 7, - "fileName": "positive4.json" + "line": 19, + "filename": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", - "line": 10, - "fileName": "positive5.yaml" + "line": 7, + "filename": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json index 303cc495823..4dd68bd301c 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.yaml" + "line": 18, + "filename": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 4, - "fileName": "positive3.json" + "line": 6, + "filename": "positive5.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 18, - "fileName": "positive4.json" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 6, - "fileName": "positive5.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json index 7031db962ef..e16714fbd59 100644 --- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ElastiCache Without VPC", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "ElasticacheCluster", + "searchKey": "Resources.ElasticacheCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null", + "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null" }, { "queryName": "ElastiCache Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "ElasticacheCluster", + "searchKey": "Resources.ElasticacheCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null", + "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json index c1b2e200ba8..6ef4ad3ec8d 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 15, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "ElasticSearch Encryption With KMS Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" }, { - "line": 6, - "fileName": "positive3.yaml", "queryName": "ElasticSearch Encryption With KMS Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" }, { - "line": 6, - "fileName": "positive4.json", "queryName": "ElasticSearch Encryption With KMS Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index d07d400b7a1..9c994d20d45 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -3,72 +3,144 @@ "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive6.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" + "line": 10, + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 34, - "fileName": "positive3.yaml" + "line": 44, + "filename": "positive4.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 44, - "fileName": "positive4.json" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "fileName": "positive5.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "fileName": "positive6.json" + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.yaml" + "line": 42, + "filename": "positive8.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 42, - "fileName": "positive8.json" + "line": 10, + "filename": "positive10.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "fileName": "positive9.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 10, - "fileName": "positive10.json" + "line": 7, + "filename": "positive11.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 7, - "fileName": "positive11.yaml" + "line": 34, + "filename": "positive3.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 10, - "fileName": "positive12.json" + "line": 32, + "filename": "positive7.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 572646d6388..33e69aa2cbf 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain1.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null" }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 8, - "fileName": "positive3.json" + "line": 16, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain1.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null" }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 16, - "fileName": "positive5.yaml" + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 2e61a6091c4..cee9b02c04e 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "OpenSearchDomain", + "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", + "searchValue": "", + "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", + "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "OpenSearchDomain", + "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", + "searchValue": "", + "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", + "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-elasticsearch-domain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive4.yaml" + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-elasticsearch-domain", + "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json index 5047b434ad6..8b3c3926812 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json @@ -2,121 +2,241 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.yaml" + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive4.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive5.yaml" + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive6.yaml" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive7.yaml" + "line": 12, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive8.yaml" + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive9.yaml" + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive10.yaml" + "line": 14, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive11.json" + "line": 10, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 11, - "fileName": "positive12.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive13.json" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive14.json" + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive15.json" + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive16.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 11, - "fileName": "positive17.json" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive18.json" + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive19.json" + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive20.json" + "line": 9, + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json index 60b2f117754..a2246555216 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json @@ -2,121 +2,241 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" + "line": 12, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.yaml" + "line": 14, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive4.yaml" + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive5.yaml" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive7.yaml" + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive8.yaml" + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive9.yaml" + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive10.yaml" + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive11.json" + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 11, - "fileName": "positive12.json" + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive13.json" + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive14.json" + "line": 9, + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive15.json" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive16.json" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 11, - "fileName": "positive17.json" + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive18.json" + "line": 14, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive19.json" + "line": 10, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive20.json" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index 5986337a1f0..651c10b0742 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", - "line": 24, - "fileName": "positive1.yaml" + "line": 26, + "filename": "positive2.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", + "searchValue": "", + "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" }, { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.json" + "line": 24, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", + "searchValue": "", + "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 9872b4ed14c..9d1cf08f65d 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json @@ -2,193 +2,385 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive1.yaml" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 9, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 6, - "fileName": "positive3.yaml" + "line": 18, + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive4.yaml" + "line": 14, + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive4.yaml" + "line": 9, + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "fileName": "positive5.yaml" + "line": 11, + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive5.yaml" + "line": 15, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive6.yaml" + "line": 12, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive6.yaml" + "line": 13, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 9, - "fileName": "positive7.yaml" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 6, - "fileName": "positive8.yaml" + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive9.yaml" + "line": 14, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive9.yaml" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "fileName": "positive10.yaml" + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive10.yaml" + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive11.json" + "line": 15, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive11.json" + "line": 14, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 11, - "fileName": "positive12.json" + "line": 17, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 7, - "fileName": "positive13.json" + "line": 18, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive14.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive14.json" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "fileName": "positive15.json" + "line": 17, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "fileName": "positive15.json" + "line": 18, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive16.json" + "line": 18, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive16.json" + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 11, - "fileName": "positive17.json" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 7, - "fileName": "positive18.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive19.json" + "line": 13, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive19.json" + "line": 17, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "fileName": "positive20.json" + "line": 10, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "fileName": "positive20.json" + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json index d4dfeba79a3..f09ae666c8d 100644 --- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.yaml" + "line": 18, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.json" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive4.json" + "line": 31, + "filename": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 419d903f827..40759bd25a1 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,1237 +2,2473 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 71, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 81, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 90, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 44, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 64, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 70, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 55, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 27, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 81, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 30, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 85, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 61, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 111, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 42, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 61, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 71, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 81, - "fileName": "positive1.yaml" + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 26, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 35, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 44, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 54, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 63, - "fileName": "positive2.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 72, - "fileName": "positive2.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 81, - "fileName": "positive2.yaml" + "line": 57, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 26, - "fileName": "positive3.yaml" + "line": 72, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "fileName": "positive3.yaml" + "line": 80, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "fileName": "positive3.yaml" + "line": 58, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "fileName": "positive3.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 17, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "fileName": "positive4.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "fileName": "positive4.yaml" + "line": 26, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55, - "fileName": "positive4.yaml" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 97, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 42, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 32, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 63, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 69, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 83, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 45, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 30, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 30, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 28, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 117, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 40, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 60, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 34, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 32, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 46, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 20, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 43, - "fileName": "positive5.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 57, - "fileName": "positive5.json" + "line": 39, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 83, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 97, - "fileName": "positive5.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 111, - "fileName": "positive5.json" + "line": 52, + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 117, - "fileName": "positive5.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 20, - "fileName": "positive6.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "fileName": "positive6.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "fileName": "positive6.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, - "fileName": "positive6.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 60, - "fileName": "positive6.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 70, - "fileName": "positive6.json" + "line": 50, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 80, - "fileName": "positive6.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 90, - "fileName": "positive6.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 39, - "fileName": "positive7.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "fileName": "positive7.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "fileName": "positive7.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "fileName": "positive7.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive8.json" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 28, - "fileName": "positive8.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 34, - "fileName": "positive8.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "fileName": "positive8.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 46, - "fileName": "positive8.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 52, - "fileName": "positive8.json" + "line": 30, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 58, - "fileName": "positive8.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64, - "fileName": "positive8.json" + "line": 43, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json index d13bf54bd5e..7cf8158b837 100644 --- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 34, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 35, - "fileName": "positive2.json" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 50, - "fileName": "positive2.json" + "line": 34, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 0a839c95974..b86502ca050 100644 --- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 27, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 29, - "fileName": "positive1.yaml" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 35, - "fileName": "positive2.json" + "line": 40, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 40, - "fileName": "positive2.json" + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 49, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json index 37ff9f3c3f4..ecd7be7e4d2 100644 --- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.yaml" + "line": 36, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 30, - "fileName": "positive2.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive3.json" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 36, - "fileName": "positive4.json" + "line": 30, + "filename": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 30, - "fileName": "positive5.yaml" + "line": 23, + "filename": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json index 8f2c9fd3032..757cbe6cb21 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined" }, { "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" - }, - { - "queryName": "ELB With Security Group Without Inbound Rules", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "ELB With Security Group Without Inbound Rules", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.json" + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json index bcde6e7171f..d3505f79294 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json @@ -3,72 +3,24 @@ "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined" }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.json" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive5.yaml" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive6.json" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive7.yaml" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive8.json" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive9.yaml" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive10.json" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive11.yaml" - }, - { - "queryName": "ELB With Security Group Without Outbound Rules", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive12.json" + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json index f4a043eaacb..59e3de8c782 100644 --- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'" }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'" }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.json" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'" }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json index b9e1a5fbe7a..051d5ffae9f 100644 --- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml", - "queryName": "Empty Roles For ECS Cluster Task Definitions" + "line": 41, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "TaskNoRole", + "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" }, { - "fileName": "positive1.yaml", "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "InvalidTaskDefinition", + "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 41, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "NoTaskDefinition", + "searchKey": "Resources.NoTaskDefinition.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 96, - "fileName": "positive2.json" + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "TaskNoRole", + "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "InvalidTaskDefinition", + "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 39, - "fileName": "positive2.json" + "line": 96, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "NoTaskDefinition", + "searchKey": "Resources.NoTaskDefinition.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json index 10819b82da5..3d74f7c416c 100644 --- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" }, { - "line": 18, - "fileName": "positive1.yaml", "queryName": "EMR Cluster Without Security Configuration", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" }, { - "fileName": "positive3.json", "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive3.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" }, { "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json index 69b2e0f60fa..a95012ac28e 100644 --- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive8.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive3.yaml" + "line": 9, + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.yaml" + "line": 8, + "filename": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.yaml" + "line": 8, + "filename": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.json" + "line": 6, + "filename": "positive4.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive5.json" + "line": 9, + "filename": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive6.json" + "filename": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive6.json" + "line": 9, + "filename": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive7.json" + "line": 9, + "filename": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive7.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive8.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive9.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive9.yaml" + "line": 8, + "filename": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json index fd870c2a4f7..16447f97039 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EMR Without VPC", "severity": "LOW", - "line": 23, - "fileName": "positive1.yaml" + "line": 32, + "filename": "positive2.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null" }, { "queryName": "EMR Without VPC", "severity": "LOW", - "line": 32, - "fileName": "positive2.json" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json index 152afc34c12..ba12d527e5d 100644 --- a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 19, - "fileName": "positive1.yaml" - }, - { - "queryName": "Fully Open Ingress", - "severity": "HIGH", - "line": 23, - "fileName": "positive1.yaml" + "line": 32, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 37, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 26, - "fileName": "positive2.json" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 32, - "fileName": "positive2.json" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 53, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 65, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" + }, + { + "queryName": "Fully Open Ingress", + "severity": "HIGH", + "line": 26, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json index d49354e3fdc..89a11f2eb36 100644 --- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "line": 32, + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 32, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort" }, { - "line": 8, - "fileName": "positive2.json", "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 45, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.json", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 39, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json index 364f0f18cd3..0cedff24951 100644 --- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "Geo Restriction Disabled", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml", - "queryName": "Geo Restriction Disabled" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be" }, { "queryName": "Geo Restriction Disabled", "severity": "LOW", "line": 15, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json index 865819ed241..6597af1f467 100644 --- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo4.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.json" + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo6.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive3.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo5.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo5.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo5.IsPrivate' is undefined" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.json" + "line": 12, + "filename": "positive5.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json index 31c42b15f5e..a2e4eb23384 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector4", + "searchKey": "Resources.mydetector4.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector4.Properties.Enable is set to false" }, { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector3", + "searchKey": "Resources.mydetector3.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector3.Properties.Enable is set to false" }, { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector3", + "searchKey": "Resources.mydetector3.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector3.Properties.Enable is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index 522d250589f..53c9c477bf5 100644 --- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive4.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction6", + "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key" }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 10, - "fileName": "positive2.yaml" + "line": 29, + "filename": "positive3.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction5", + "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key" }, { - "line": 29, - "fileName": "positive3.json", "queryName": "Hardcoded AWS Access Key In Lambda", - "severity": "HIGH" + "severity": "HIGH", + "line": 10, + "filename": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction4", + "searchKey": "Resources.LambdaFunction4.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction4.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction4.Properties.Environment.Variables contains access key" }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 29, - "fileName": "positive4.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction3", + "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json index d3ef6c01790..fd1ae10aef4 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json @@ -3,132 +3,264 @@ "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.yaml" + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 38, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 51, - "fileName": "positive1.yaml" + "line": 49, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 63, - "fileName": "positive1.yaml" + "line": 26, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 79, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 40, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 97, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.yaml" + "line": 61, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 40, - "fileName": "positive2.yaml" + "line": 38, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49, - "fileName": "positive2.yaml" + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.json" + "line": 46, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 25, - "fileName": "positive3.json" + "line": 10, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 46, - "fileName": "positive3.json" + "line": 76, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 61, - "fileName": "positive3.json" + "line": 38, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 76, - "fileName": "positive3.json" + "line": 50, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 97, - "fileName": "positive3.json" + "line": 62, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 26, - "fileName": "positive4.json" + "line": 63, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 38, - "fileName": "positive4.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 50, - "fileName": "positive4.json" + "line": 25, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 62, - "fileName": "positive4.json" + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index c0896937034..4ef8b93f842 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Resources", + "searchValue": "", + "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined" }, { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Resources", + "searchValue": "", + "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 9d7881e32ef..3f0a2810410 100644 --- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.json" + "line": 19, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive3.yaml" + "line": 31, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive5.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 2f42addade3..de4f519e23e 100644 --- a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -3,216 +3,432 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 14, + "filename": "positive9.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.json" + "line": 14, + "filename": "positive7.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive5.yaml" + "line": 14, + "filename": "positive15.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive6.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive7.yaml" + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive8.json" + "line": 5, + "filename": "positive11.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive9.yaml" + "line": 5, + "filename": "positive21.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive10.json" + "line": 14, + "filename": "positive29.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive11.yaml" + "line": 22, + "filename": "positive14.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive12.json" + "filename": "positive18.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive13.yaml" + "line": 20, + "filename": "positive28.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive14.json" + "line": 6, + "filename": "positive20.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive15.yaml" - }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 22, - "fileName": "positive16.json" + "filename": "positive13.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive17.yaml" + "filename": "positive17.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive18.json" + "line": 14, + "filename": "positive27.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive19.yaml" + "filename": "positive35.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive20.json" + "line": 20, + "filename": "positive30.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive21.yaml" + "line": 23, + "filename": "positive32.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive22.json" + "line": 21, + "filename": "positive24.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive23.yaml" + "line": 22, + "filename": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive24.json" + "line": 15, + "filename": "positive33.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive25.yaml" + "line": 6, + "filename": "positive22.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive26.json" + "line": 15, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive27.yaml" + "line": 22, + "filename": "positive16.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive28.json" + "line": 6, + "filename": "positive36.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive29.yaml" + "line": 15, + "filename": "positive23.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive30.json" + "line": 15, + "filename": "positive31.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive31.yaml" + "filename": "positive25.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive32.json" + "line": 21, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive33.yaml" + "line": 21, + "filename": "positive26.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive34.json" + "filename": "positive34.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive35.yaml" + "filename": "positive19.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive36.json" + "filename": "positive12.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 22, + "filename": "positive10.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json index f5bbc9440fb..53abff46382 100644 --- a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer2", + "searchKey": "Resources.myuseeer2", + "searchValue": "", + "expectedValue": "Resources.myuseeer2 has at least one user", + "actualValue": "Resources.myuseeer2 does not have at least one user" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer", + "searchKey": "Resources.myuseeer", + "searchValue": "", + "expectedValue": "Resources.myuseeer has at least one user", + "actualValue": "Resources.myuseeer does not have at least one user" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json index 66be9a07df7..cea754607ac 100644 --- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty" }, { "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json index 3dff9f858cc..d243d0e6a40 100644 --- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups" }, { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json index a5765e9f98e..cca619f7794 100644 --- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 69799f5eb6f..bac7aaaff24 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.myuser.Properties.Policies' is not empty" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty" }, { + "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.json", - "queryName": "IAM Policies Attached To User" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.myuser.Properties.Policies' is not empty" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 19b16708d30..b70a3eac264 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json index 8ef4a853721..0bf843d65c3 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "IAM Policies Without Groups", "severity": "LOW", - "line": 25 + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies.Users", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition." }, { "queryName": "IAM Policies Without Groups", "severity": "LOW", "line": 38, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies.Users", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 8401007eb80..3f09dc6d6ce 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "RootGroup", + "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 13, + "filename": "positive12.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive10.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.yaml" + "line": 11, + "filename": "positive11.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.yaml" + "line": 15, + "filename": "positive9.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 18, - "fileName": "positive6.json" + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParametersByPath]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 15, - "fileName": "positive7.json" + "line": 9, + "filename": "positive5.yaml", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 13, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 15, - "fileName": "positive9.json" + "line": 18, + "filename": "positive6.json", + "resourceType": "AWS::IAM::User", + "resourceName": "CFNUser", + "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 11, - "fileName": "positive10.json" + "line": 15, + "filename": "positive7.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "RootGroup", + "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 11, - "fileName": "positive11.json" + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 13, - "fileName": "positive12.json" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "CFNUser", + "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index f40195f228b..5143947ada0 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 6a9932378db..9f8cd1df8d6 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 29, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json index 21015b58d99..009017b04ea 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "IAM Policy On User", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "BadPolicy", + "searchKey": "Resources.BadPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.BadPolicy is assigned to a set of users", + "actualValue": "Resources.BadPolicy should be assigned to a set of groups" }, { + "queryName": "IAM Policy On User", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.json", - "queryName": "IAM Policy On User" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "BadPolicy", + "searchKey": "Resources.BadPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.BadPolicy is assigned to a set of users", + "actualValue": "Resources.BadPolicy should be assigned to a set of groups" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 2781e221e62..0e2bf02135f 100644 --- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'" }, { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json index 8b39e8ea169..2b17a68912d 100644 --- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "fileName": "positive1.yaml", - "queryName": "IAM User LoginProfile Password Is In Plaintext" + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal" }, { "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index 1ed53278e90..6cdceeb22eb 100644 --- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "firstKey", + "searchKey": "Resources.firstKey", + "searchValue": "", + "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" }, { - "line": 10, - "fileName": "positive1.yaml", "queryName": "IAM User Has Too Many Access Keys", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "secondKey", + "searchKey": "Resources.secondKey", + "searchValue": "", + "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "firstKey", + "searchKey": "Resources.firstKey", + "searchValue": "", + "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "secondKey", + "searchKey": "Resources.secondKey", + "searchValue": "", + "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json index 83c4042d6dc..cfdf70bcf3a 100644 --- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { + "queryName": "IAM User With No Group", "severity": "LOW", - "line": 6, - "fileName": "positive1.yaml", - "queryName": "IAM User With No Group" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty" }, { - "fileName": "positive2.yaml", "queryName": "IAM User With No Group", "severity": "LOW", - "line": 7 + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups" }, { "queryName": "IAM User With No Group", "severity": "LOW", - "line": 5, - "fileName": "positive3.json" + "line": 8, + "filename": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty" }, { "queryName": "IAM User With No Group", "severity": "LOW", - "line": 8, - "fileName": "positive4.json" + "line": 5, + "filename": "positive3.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json index 00a1ef6c9c0..f7e9ffc0770 100644 --- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Inline Policies Are Attached To ECS Service", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "InlinePolicy", + "searchKey": "Resources.InlinePolicy.Properties.Role", + "searchValue": "", + "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'" }, { "queryName": "Inline Policies Are Attached To ECS Service", "severity": "LOW", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "InlinePolicy", + "searchKey": "Resources.InlinePolicy.Properties.Role", + "searchValue": "", + "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 9b1a06da1f5..d92adb4e17d 100644 --- a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -1,122 +1,242 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 16, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive8.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive8.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 22, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive10.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 24, - "fileName": "positive10.json" - } -] + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 25, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 25, + "filename": "positive4.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive9.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "filename": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": "positive6.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 22, + "filename": "positive9.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive8.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive8.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 24, + "filename": "positive10.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive10.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json index 3def28cba7c..295cbdda370 100644 --- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "line": 21, - "fileName": "positive1.yaml", "queryName": "Instance With No VPC", - "severity": "LOW" + "severity": "LOW", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined" }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined" }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 35, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined" }, { - "fileName": "positive4.json", "queryName": "Instance With No VPC", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json index b87c98cc150..c45bb65d0ae 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IoT Policy Allows Action as Wildcard", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'" }, { "queryName": "IoT Policy Allows Action as Wildcard", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json index f424cf92b1d..bfbc2161327 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'" }, { "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json index ff15c193abc..3b11e972e1d 100644 --- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", "line": 26, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream2.Properties.StreamEncryption", + "searchValue": "EncryptionType", + "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set", + "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 19, - "fileName": "positive1.yaml" + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream3.Properties", + "searchValue": "", + "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set", + "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream1.Properties.StreamEncryption", + "searchValue": "KeyId", + "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", + "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 39, - "fileName": "positive2.json" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream2.Properties.StreamEncryption", + "searchValue": "EncryptionType", + "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set", + "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream3.Properties", + "searchValue": "", + "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set", + "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream1.Properties.StreamEncryption", + "searchValue": "KeyId", + "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", + "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json index e65793703d9..0af298c818b 100644 --- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "KMS Allows Wildcard Principal", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.KeyPolicy", + "searchValue": "", + "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'", + "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'" }, { "queryName": "KMS Allows Wildcard Principal", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.KeyPolicy", + "searchValue": "", + "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'", + "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json index 4482b431b9a..565be795d76 100644 --- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" }, { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", "line": 51, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" }, { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 60, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" }, { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 65, - "fileName": "positive2.json" + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" }, { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive3.yaml" + "line": 60, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" }, { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 51, - "fileName": "positive3.yaml" + "line": 65, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 93317fe9f38..59cbc1b7cc8 100644 --- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 9, - "fileName": "positive.json" + "line": 8, + "filename": "positive.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "RSASigningKey", + "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", + "searchValue": "", + "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", + "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 8, - "fileName": "positive.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "RSASigningKey2", + "searchKey": "Resources.RSASigningKey2.Properties", + "searchValue": "", + "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null", + "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 5, - "fileName": "positive2.json" + "line": 9, + "filename": "positive.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "RSASigningKey", + "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", + "searchValue": "", + "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", + "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "RSASigningKey2", + "searchKey": "Resources.RSASigningKey2.Properties", + "searchValue": "", + "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null", + "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index dbc5630f0cc..5532eeddf83 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 6, - "fileName": "positive1.yaml" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.DeadLetterConfig", + "searchValue": "", + "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null", + "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null" }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null" }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 27, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig' should be defined and not null", + "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json index 544806fff4a..b58f06f8aab 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Lambda Function Without Tags", "severity": "LOW", "line": 52, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "AppendItemToListFunction", + "searchKey": "Resources.AppendItemToListFunction.Properties", + "searchValue": "", + "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined", + "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined" }, { - "fileName": "positive2.json", "queryName": "Lambda Function Without Tags", "severity": "LOW", - "line": 75 + "line": 75, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "AppendItemToListFunction", + "searchKey": "Resources.AppendItemToListFunction.Properties", + "searchValue": "", + "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined", + "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json index d6b555c562e..e51e042c144 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Lambda Functions With Full Privileges", "severity": "HIGH", - "line": 76, - "fileName": "positive1.yaml" + "line": 101, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "AppendItemToListFunction", + "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", + "searchValue": "AppendItemToListFunction", + "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ", + "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction " }, { + "queryName": "Lambda Functions With Full Privileges", "severity": "HIGH", - "line": 101, - "fileName": "positive2.json", - "queryName": "Lambda Functions With Full Privileges" + "line": 76, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "AppendItemToListFunction", + "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", + "searchValue": "AppendItemToListFunction", + "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ", + "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction " } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json index ca510107e97..6908c240281 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { + "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml", - "queryName": "Lambda Functions Without Unique IAM Roles" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Primer01", + "searchKey": "Resources.Primer01.Properties.Role", + "searchValue": "", + "expectedValue": "Each AWS Lambda Function has a unique role", + "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion" }, { + "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 41, - "fileName": "positive1.yaml", - "queryName": "Lambda Functions Without Unique IAM Roles" + "line": 24, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Primer02", + "searchKey": "Resources.Primer02.Properties.Role", + "searchValue": "", + "expectedValue": "Each AWS Lambda Function has a unique role", + "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "Lambda Functions Without Unique IAM Roles", - "severity": "HIGH" + "severity": "HIGH", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Primer01", + "searchKey": "Resources.Primer01.Properties.Role", + "searchValue": "", + "expectedValue": "Each AWS Lambda Function has a unique role", + "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion" }, { - "fileName": "positive2.json", "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 24 + "line": 41, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Primer02", + "searchKey": "Resources.Primer02.Properties.Role", + "searchValue": "", + "expectedValue": "Each AWS Lambda Function has a unique role", + "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index a6e44bfe9dd..3197e1a9b92 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "line": 37, - "fileName": "positive1.yaml", "queryName": "Lambda Functions Without X-Ray Tracing", - "severity": "LOW" + "severity": "LOW", + "line": 4, + "filename": "positive4.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "Property 'TracingConfig' should be defined", + "actualValue": "Property 'TracingConfig' is undefined" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "Property 'TracingConfig' should be defined", + "actualValue": "Property 'TracingConfig' is undefined" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 16, - "fileName": "positive3.json" + "line": 37, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "primer", + "searchKey": "Resources.primer.Properties.TracingConfig.Mode", + "searchValue": "", + "expectedValue": "TracingConfig.Mode should be set to 'Active'", + "actualValue": "TracingConfig.Mode is set to 'PassThrough'" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 4, - "fileName": "positive4.json" + "line": 16, + "filename": "positive3.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "primer", + "searchKey": "Resources.primer.Properties.TracingConfig.Mode", + "searchValue": "", + "expectedValue": "TracingConfig.Mode should be set to 'Active'", + "actualValue": "TracingConfig.Mode is set to 'PassThrough'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json index f513240e9e9..d7a885d3dbf 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Lambda Permission Misconfigured", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.Action", + "searchValue": "", + "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ", + "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction" }, { - "line": 8, - "fileName": "positive2.json", "queryName": "Lambda Permission Misconfigured", - "severity": "LOW" + "severity": "LOW", + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.Action", + "searchValue": "", + "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ", + "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 29464280e4e..ce51ba0ee84 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "line": 9, - "fileName": "positive1.yaml", "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.Principal", + "searchValue": "", + "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard", + "actualValue": "Resources.s3Permission.Properties.Principal is wildcard" }, { + "queryName": "Lambda Permission Principal Is Wildcard", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.json", - "queryName": "Lambda Permission Principal Is Wildcard" + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.Principal", + "searchValue": "", + "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard", + "actualValue": "Resources.s3Permission.Properties.Principal is wildcard" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json index 623b33cff0b..d946d2e091f 100644 --- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "line": 52, - "fileName": "positive1.yaml", "queryName": "Low RDS Backup Retention Period", - "severity": "LOW" + "severity": "LOW", + "line": 35, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" }, { - "fileName": "positive4.yaml", "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 43 + "line": 22, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 22, - "fileName": "positive3.yaml" + "line": 43, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "BadDatabaseCluster", + "searchKey": "Resources.BadDatabaseCluster.Properties", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 35, - "fileName": "positive2.yaml" + "line": 52, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "DatabaseCluster", + "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 113, - "fileName": "positive5.json" + "line": 54, + "filename": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "BadDatabaseCluster", + "searchKey": "Resources.BadDatabaseCluster.Properties", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 55, - "fileName": "positive6.json" + "line": 113, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "DatabaseCluster", + "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 26, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined" }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 54, - "fileName": "positive8.json" + "line": 55, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 501f3544d25..0e17f06c568 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true" }, { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 31, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker2.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker2.Properties.PubliclyAccessible is true" }, { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 15, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 6445a0adcc4..c6dfcc02c0f 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -2,91 +2,181 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.yaml" + "line": 88, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 42, - "fileName": "positive1.yaml" + "line": 84, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 63, - "fileName": "positive1.yaml" + "line": 42, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 84, - "fileName": "positive1.yaml" + "line": 121, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker12.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 88, - "fileName": "positive1.yaml" + "line": 28, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker8.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 28, - "fileName": "positive2.json" + "line": 84, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 56, - "fileName": "positive2.json" + "line": 88, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 85, - "fileName": "positive2.json" + "line": 63, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 115, - "fileName": "positive2.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 121, - "fileName": "positive2.json" + "line": 85, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker10.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker10.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker10.Properties.Logs.General is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive3.yaml" + "line": 115, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker11.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker11.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker11.Properties.Logs.Audit is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 42, - "fileName": "positive3.yaml" + "line": 56, + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker9.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 63, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 84, - "fileName": "positive3.yaml" + "line": 22, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 88, - "fileName": "positive3.yaml" + "line": 42, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index fcc5009075f..505533e50fb 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", - "line": 18, - "fileName": "positive1.yaml" + "line": 15, + "filename": "positive2.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", + "searchValue": "", + "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'" }, { "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", - "line": 15, - "fileName": "positive2.json" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", + "searchValue": "", + "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 22713f3e118..ad5f027c1d7 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 5, - "fileName": "positive1.yaml", - "queryName": "MSK Cluster Encryption Disabled" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive4.json" + "line": 14, + "filename": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 16, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive3.yaml" + "line": 16, + "filename": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive6.json" + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 18936d80396..129888d5670 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -2,79 +2,157 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" + "line": 7, + "filename": "positive4.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 17, + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive2.yaml" + "line": 13, + "filename": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" + "line": 18, + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.json" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive5.json" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive5.json" + "line": 13, + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive6.json" + "line": 12, + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive7.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive7.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive7.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index f51982aed87..d1d630ba529 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 7, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 15, + "filename": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 8, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 15, - "fileName": "positive2.json" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 56c1ab81ab8..45b50ce4c8e 100644 --- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 21, - "fileName": "positive2.json" + "line": 27, + "filename": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 27, - "fileName": "positive3.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json index f6adaa3e926..506242e05a6 100644 --- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json" + "line": 7, + "filename": "positive8.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json" + "line": 7, + "filename": "positive7.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" + "line": 7, + "filename": "positive6.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json" + "line": 5, + "filename": "positive5.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive5.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive6.yaml" + "line": 8, + "filename": "positive4.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive7.yaml" + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive8.yaml" + "line": 6, + "filename": "positive1.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 9432662c2fc..8805311d1e4 100644 --- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "line": 11, - "fileName": "positive1.yaml", "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission3", + "searchKey": "Resources.s3Permission3.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission3.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'" }, { - "line": 18, - "fileName": "positive2.json", "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 18, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission.Properties.SourceArn is equal to '/*/*' or contains '/*/*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 7f80c9865ef..a880ae7e75d 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", - "line": 12, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet" }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", - "line": 9, - "fileName": "positive2.json" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 8ab4a9e49bc..60167e71406 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 61, - "fileName": "positive2.json" + "line": 69, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 69, - "fileName": "positive3.yaml" + "line": 61, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json index af7ef58369f..3655472f0a1 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", - "line": 30, - "fileName": "positive2.yaml" + "line": 49, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", - "line": 49, - "fileName": "positive3.json" + "line": 45, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", - "line": 45, - "fileName": "positive4.json" + "line": 34, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", - "line": 34, - "fileName": "positive5.yaml" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json index 4787fe06159..863e26fd05f 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 128, - "fileName": "positive1.yaml" + "line": 89, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" }, { - "line": 148, - "fileName": "positive1.yaml", "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 124, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled" }, { + "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 89, - "fileName": "positive2.json", - "queryName": "RDS Multi-AZ Deployment Disabled" + "line": 128, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" }, { - "line": 124, - "fileName": "positive2.json", "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 148, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled" }, { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 128, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json index b91a1a46a5a..8f1dcd7e68d 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 9, - "fileName": "positive3.json" + "line": 5, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "NoEncryption", + "searchKey": "Resources.NoEncryption.Properties", + "searchValue": "", + "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 59, - "fileName": "positive4.json" + "line": 12, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 5, - "fileName": "positive5.yaml" + "line": 59, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 12, - "fileName": "positive6.yaml" + "line": 9, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json index 0e49ea3c58c..c9ef5067819 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 35, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 30, - "fileName": "positive2.yaml" + "line": 35, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 50, - "fileName": "positive3.json" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 45, - "fileName": "positive4.json" + "line": 35, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 35, - "fileName": "positive5.yaml" + "line": 45, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json index ac7552bddb2..7859094d3ee 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" }, { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 21, - "fileName": "positive2.json" + "line": 15, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" }, { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 15, - "fileName": "positive3.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 21, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json index 18cc5f8c4ec..13216d3c82b 100644 --- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "fileName": "positive1.yaml", "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero" }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index e1389be7964..0ab5f847ec2 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster3.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster3.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster3.Properties.LoggingProperties is undefined" }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster4.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster4.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster4.Properties.LoggingProperties is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json index bcfc24fec54..3797535d65f 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined" }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 9499674a8e3..0d9b1e76bc2 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -3,72 +3,144 @@ "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive7.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" + "line": 6, + "filename": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 19, - "fileName": "positive5.yaml" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 18, - "fileName": "positive6.yaml" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive7.json" + "filename": "positive9.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "fileName": "positive8.json" + "line": 26, + "filename": "positive11.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "fileName": "positive9.json" + "line": 24, + "filename": "positive12.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 26, - "fileName": "positive11.json" + "line": 19, + "filename": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 24, - "fileName": "positive12.json" + "line": 18, + "filename": "positive6.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json index 8c7b0132cf5..b6ac9382455 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 6, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 21, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 7, - "fileName": "positive3.json" + "line": 32, + "filename": "positive4.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 32, - "fileName": "positive4.json" + "line": 7, + "filename": "positive3.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json index cb018261b8d..6b1f44ad10e 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 4, - "fileName": "positive1.yaml" + "line": 17, + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 5, - "fileName": "positive2.json" + "line": 17, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 30, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 4, - "fileName": "positive3.yaml" + "line": 30, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17, - "fileName": "positive3.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json index f79909eda69..9552b6ded0b 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 4, - "fileName": "positive1.yaml" + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 28, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 5, - "fileName": "positive2.json" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 39, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json index 7bd2a1e12fc..edaed15c0fb 100644 --- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RefreshToken Is Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'" }, { - "fileName": "positive2.json", "queryName": "RefreshToken Is Exposed", "severity": "HIGH", - "line": 26 + "line": 26, + "filename": "positive2.json", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 20adaa883d4..11670d426d8 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -2,133 +2,265 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" + "line": 61, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 76, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "fileName": "positive1.yaml" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 51, - "fileName": "positive1.yaml" + "line": 49, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 79, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 12, - "fileName": "positive2.yaml" + "line": 46, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 21, - "fileName": "positive2.yaml" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 31, - "fileName": "positive2.yaml" + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 40, - "fileName": "positive2.yaml" + "line": 62, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49, - "fileName": "positive2.yaml" + "line": 10, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 10, - "fileName": "positive3.json" + "line": 25, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 25, - "fileName": "positive3.json" + "line": 26, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 46, - "fileName": "positive3.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 61, - "fileName": "positive3.json" + "line": 40, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 76, - "fileName": "positive3.json" + "line": 38, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 97, - "fileName": "positive3.json" + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 14, - "fileName": "positive4.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 26, - "fileName": "positive4.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 38, - "fileName": "positive4.json" + "line": 97, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 50, - "fileName": "positive4.json" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 62, - "fileName": "positive4.json" + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 61430847f89..66500ccd67e 100644 --- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account." }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json index 0e67938f892..fa810692739 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Route53 Record Undefined", "severity": "HIGH", - "line": 4, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet" }, { "queryName": "Route53 Record Undefined", "severity": "HIGH", - "line": 5, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json index 04d3a665aad..a2084cb3860 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { + "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 54, - "fileName": "positive1.yaml", - "queryName": "RouterTable with Default Routing" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 66, - "fileName": "positive1.yaml" + "line": 61, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 61, - "fileName": "positive1.yaml" + "line": 66, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" }, { + "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 37, - "fileName": "positive2.json", - "queryName": "RouterTable with Default Routing" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0" }, { - "line": 108, - "fileName": "positive2.json", "queryName": "RouterTable with Default Routing", - "severity": "LOW" + "severity": "LOW", + "line": 108, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 43, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 7a2db579caf..cf83cd731e2 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 2, - "fileName": "positive1.yaml" + "line": 3, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 27, - "fileName": "positive1.yaml" + "line": 42, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - "fileName": "positive2.json" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketName", + "searchKey": "Resources.SWBS3Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 42, - "fileName": "positive2.json" + "line": 2, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 3, - "fileName": "positive3.yaml" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 8b30d277c16..8063863ddcd 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7, - "fileName": "positive2.yaml" + "line": 13, + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" }, { - "fileName": "positive3.yaml", "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7 + "line": 8, + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7, - "fileName": "positive4.yaml" + "line": 8, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 13, - "fileName": "positive5.json" + "line": 8, + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "fileName": "positive6.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "fileName": "positive7.json" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "fileName": "positive8.json" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 68cd8230646..6145b174da5 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 7, - "fileName": "positive3.yaml" + "line": 13, + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 7, - "fileName": "positive4.yaml" + "line": 8, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 13, - "fileName": "positive5.json" + "line": 7, + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 7, - "fileName": "positive6.json" + "line": 8, + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 8, - "fileName": "positive7.json" + "line": 7, + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 8, - "fileName": "positive8.json" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 6aeccfaae0e..306f3c9e688 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive4.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive5.json" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 20, - "fileName": "positive7.json" + "line": 7, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 7, - "fileName": "positive8.json" + "line": 20, + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json index e1a3f16266e..6a32b6dfd9a 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 7, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 22, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 9, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 35, - "fileName": "positive2.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json index caffaf97c5f..d32b45f1d83 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", - "line": 7, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", - "line": 35, - "fileName": "positive2.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json index 9233283aae5..ac5ed8776c9 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 7, - "fileName": "positive1.yaml" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'List' action from all principals" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 22, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'List' action from all principals" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 35, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index b40c557aff1..17bea8fba87 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" + "line": 20, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 20, - "filename": "positive1.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 20, - "filename": "positive3.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json index f503b3c7a06..c49bc6e5b40 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json index a0cfdc7977d..7f22a682907 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json index d1c0f50951b..5261826166e 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "S3 Bucket CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml", - "queryName": "S3 Bucket CloudTrail Logging Disabled" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucketVulnerable", + "searchKey": "Resources.mybucketVulnerable.Properties", + "searchValue": "", + "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled" }, { "queryName": "S3 Bucket CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 67, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucketVulnerable", + "searchKey": "Resources.mybucketVulnerable.Properties", + "searchValue": "", + "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index eeab2cbf1b4..684db2a066e 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 113, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucket", + "searchKey": "Resources.mybucket.Properties", + "searchValue": "", + "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'" }, { - "line": 113, - "fileName": "positive2.json", "queryName": "S3 Bucket Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucket", + "searchKey": "Resources.mybucket.Properties", + "searchValue": "", + "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json index 66e29ec3c19..87cfc1d9d61 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", + "searchValue": "", + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 31, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 56, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 42, - "fileName": "positive2.json" + "line": 56, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket5", + "searchKey": "Resources.S3Bucket7", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 88, - "fileName": "positive2.json" + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", + "searchValue": "", + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 130, - "fileName": "positive2.json" + "line": 88, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 4, - "fileName": "positive3.yaml" + "line": 42, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 5, - "fileName": "positive4.json" + "line": 130, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket5", + "searchKey": "Resources.S3Bucket7", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 932ba9931df..15435222b5c 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 7, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals" }, { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 9, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow all actions from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index c72d95ef9a2..532f92f643b 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml" + "line": 19, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 10, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 19, - "filename": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket1)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 8, - "filename": "positive2.json" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 4, - "filename": "positive3.yaml" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 19, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 11bf64846bd..a26bb23160b 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.json" + "line": 9, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index aac17c770d3..f35552a8e40 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 21, - "filename": "positive1.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 9, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket1)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.yaml" + "line": 21, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index 5f10f50b495..5423566f78c 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 21, - "filename": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket1)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json index 7ff543522df..9d3a92ff395 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty" }, { + "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 5, - "fileName": "positive2.json", - "queryName": "S3 Bucket Without Server-side-encryption" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json index e068512fc2a..6c5fc411ab4 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json @@ -2,79 +2,157 @@ { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "fileName": "positive3.yaml" + "line": 34, + "filename": "positive10.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket33", + "searchKey": "Resources.S3Bucket33", + "searchValue": "", + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" + "line": 4, + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", + "searchValue": "", + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { - "fileName": "positive4.yaml", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3 + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.yaml" + "line": 3, + "filename": "positive9.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket33,", + "searchKey": "Resources.S3Bucket33", + "searchValue": "", + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { - "fileName": "positive5.json", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 30 + "line": 12, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 4, - "fileName": "positive6.json" + "line": 47, + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 47, - "fileName": "positive7.json" + "line": 30, + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 4, - "fileName": "positive8.json" + "line": 3, + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 15, - "fileName": "positive8.json" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive9.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", + "searchValue": "", + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 34, - "fileName": "positive10.json" + "line": 3, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket3", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json index a47eadc1a3a..4bc605456a4 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.yaml" + "line": 48, + "filename": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 27, - "fileName": "positive2.yaml" + "line": 4, + "filename": "positive3.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 4, - "fileName": "positive3.json" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 48, - "fileName": "positive4.json" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 01c68fb878f..e8368628307 100644 --- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined" }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json index b23d6d572be..477fe6120a5 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive1.yaml" + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" }, { - "line": 20, - "fileName": "positive1.yaml", "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 59, + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined" }, { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 59, - "fileName": "positive2.json" + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" }, { - "line": 16, - "fileName": "positive2.json", "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json index 414d8795ebf..69db90092c4 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled" }, { "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json index e7602850e63..101d8eae620 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::EndpointConfig", + "resourceName": "EndpointConfig", + "searchKey": "Resources.EndpointConfig.Properties", + "searchValue": "", + "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined" }, { "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::EndpointConfig", + "resourceName": "EndpointConfig", + "searchKey": "Resources.EndpointConfig.Properties", + "searchValue": "", + "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json index 30ff20916eb..e1d7e7f4012 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SageMaker Notebook Not Placed In VPC", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "NotebookInstanceName", + "searchKey": "Resources.NotebookInstance.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined" }, { "queryName": "SageMaker Notebook Not Placed In VPC", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "NotebookInstanceName", + "searchKey": "Resources.NotebookInstance.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json index 9e98e5e61e7..30ae2af9d66 100644 --- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "line": 8, - "fileName": "positive1.yaml", "queryName": "SDB Domain Declared As A Resource", - "severity": "LOW" + "severity": "LOW", + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined" }, { "queryName": "SDB Domain Declared As A Resource", "severity": "LOW", - "line": 11, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json index d5e3ef62efc..9f6727040e6 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "Secrets Manager Should Specify KmsKeyId", "severity": "LOW", - "line": 6, - "fileName": "positive1.yaml", - "queryName": "Secrets Manager Should Specify KmsKeyId" + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "Secrets Manager Should Specify KmsKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 4bc0a101074..3b70c9d52cb 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "severity": "MEDIUM", - "line": 5, "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive1.json" - }, - { "severity": "MEDIUM", "line": 4, - "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecret", + "searchKey": "Resources.MySecret.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null" }, { - "severity": "MEDIUM", - "line": 8, "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive3.json" + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" }, { + "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", - "line": 7, + "line": 5, + "filename": "positive1.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecret", + "searchKey": "Resources.MySecret.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null" + }, + { "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive4.yaml" + "severity": "MEDIUM", + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json index 818af741276..36e3446004e 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" }, { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive2.json" + "line": 26, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" }, { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 26, - "fileName": "positive3.yaml" + "line": 44, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json index 74022745366..63ebb37cecb 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 34, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json index 7a4d708f261..f24aad6d38c 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'" }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'" }, { - "fileName": "positive2.json", "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 43 + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'" }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 43, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json index 07c66a046af..53a96cc71c2 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.yaml" + "line": 32, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json index e41f59b8056..9792371b3fa 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", - "line": 13, - "fileName": "positive1.yaml", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "line": 43, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", - "line": 43, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32" }, { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 44, - "fileName": "positive2.json", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 69, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json index 038c167f50c..39fa7df8972 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" }, { - "fileName": "positive1.yaml", "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 35 + "line": 9, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'" }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", "line": 51, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json index 70c0666415a..b39cd79bdc7 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml", - "queryName": "Security Group Ingress With Port Range" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort" }, { "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 37, - "fileName": "positive1.yaml" + "line": 53, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort" }, { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 53, - "fileName": "positive2.json", - "queryName": "Security Group Ingress With Port Range" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort" }, { - "fileName": "positive2.json", "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 11 + "line": 37, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json index 640f5f33e9e..f027c2e68e9 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 4, - "fileName": "positive1.yaml" + "line": 47, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 8, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 13, - "fileName": "positive1.yaml" + "line": 49, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 19, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 33, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 47, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 5, - "fileName": "positive2.json" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 11, - "fileName": "positive2.json" + "line": 69, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 19, - "fileName": "positive2.json" + "line": 29, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 29, - "fileName": "positive2.json" + "line": 33, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 49, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 69, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json index 443ab39a1fd..251b1a93155 100644 --- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json @@ -3,60 +3,120 @@ "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 16, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.yaml" + "line": 22, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 12, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 16, - "fileName": "positive2.yaml" + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.json" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive1_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 22, - "fileName": "positive3.json" + "line": 26, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive1_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 34, - "fileName": "positive3.json" + "line": 16, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive2_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.json" + "line": 22, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive3_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", - "line": 22, - "fileName": "positive4.json" + "line": 34, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive3_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json index 1e1b42c1df2..e4a8321cae8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389" }, { "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json index 3369c2f16fa..11c307dfc7b 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 8, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 16, - "fileName": "positive1.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 26, - "fileName": "positive1.yaml" + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "Security Groups With Exposed Admin Ports", - "severity": "HIGH", - "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 16, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 24, - "fileName": "positive2.yaml" + "line": 26, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive2.yaml" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive3.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 22, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 34, - "fileName": "positive3.json" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 12, - "fileName": "positive4.json" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 18, - "fileName": "positive4.json" + "line": 46, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 24, - "fileName": "positive4.json" + "line": 34, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 34, - "fileName": "positive4.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 46, - "fileName": "positive4.json" + "line": 18, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" + }, + { + "queryName": "Security Groups With Exposed Admin Ports", + "severity": "HIGH", + "line": 24, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json index 33ac5943cde..ae86ee6b131 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 41, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 16, - "fileName": "positive1.yaml" + "line": 48, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 26, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 36, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 48, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 52, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 62, - "fileName": "positive1.yaml" + "line": 54, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 72, - "fileName": "positive1.yaml" + "line": 60, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 13, - "fileName": "positive2.json" + "line": 82, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 19, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 31, - "fileName": "positive2.json" + "line": 26, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 41, - "fileName": "positive2.json" + "line": 62, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 54, - "fileName": "positive2.json" + "line": 72, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 60, - "fileName": "positive2.json" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 72, - "fileName": "positive2.json" + "line": 52, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 82, - "fileName": "positive2.json" + "line": 72, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 31a2b146d4f..426d89465d8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,133 +2,265 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.yaml" + "line": 26, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 38, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 51, - "fileName": "positive1.yaml" + "line": 76, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 63, - "fileName": "positive1.yaml" + "line": 50, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 79, - "fileName": "positive1.yaml" + "line": 62, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 40, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 49, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.yaml" + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 40, - "fileName": "positive2.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 49, - "fileName": "positive2.yaml" + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.json" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 25, - "fileName": "positive3.json" + "line": 38, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 46, - "fileName": "positive3.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 61, - "fileName": "positive3.json" + "line": 10, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 76, - "fileName": "positive3.json" + "line": 38, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 97, - "fileName": "positive3.json" + "line": 63, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.json" + "line": 46, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 26, - "fileName": "positive4.json" + "line": 97, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 38, - "fileName": "positive4.json" + "line": 25, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 50, - "fileName": "positive4.json" + "line": 61, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 62, - "fileName": "positive4.json" + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json index ef3f5cfa119..e00fb3be657 100644 --- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined" }, { "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 22, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json index e146f915889..1d558a2fbf5 100644 --- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Shield Advanced Not In Use", "severity": "LOW", - "line": 2, - "fileName": "positive1.yaml" + "line": 3, + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated" }, { "queryName": "Shield Advanced Not In Use", "severity": "LOW", - "line": 3, - "fileName": "positive2.json" + "line": 2, + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 1d2f4f047b0..c6a2f7799c0 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 7, - "fileName": "positive2.yaml" + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy0", + "searchKey": "Resources.mysnspolicy0.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 8, - "fileName": "positive3.json" + "filename": "positive4.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 8, - "fileName": "positive4.json" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 5441937d0bb..7cb606afb30 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction" }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.json" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json index 295f0751270..9e60ce6153d 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "line": 5, - "fileName": "positive1.yaml", "queryName": "SNS Topic Without KmsMasterKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined" }, { - "fileName": "positive2.json", "queryName": "SNS Topic Without KmsMasterKeyId", "severity": "LOW", - "line": 6 + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 130e5bdfa5f..9c7745effd9 100644 --- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive1.yaml", - "line": 7 + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive2.yaml", - "line": 7 + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive3.json", - "line": 9 + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive4.json", - "line": 9 + "line": 9, + "filename": "positive3.json", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json index daedbd3605d..1b0ee7ccf35 100644 --- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json index 9d68ba1ee6c..d187c03d952 100644 --- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined" }, { "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json index f49d35cf0ce..733ece0572e 100644 --- a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json @@ -2,91 +2,181 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 22, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset9.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 35, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.json" + "line": 39, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive2.json" + "line": 34, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 34, - "fileName": "positive2.json" + "line": 52, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset12.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 52, - "fileName": "positive2.json" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.yaml" + "line": 45, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset11.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 27, - "fileName": "positive3.yaml" + "line": 39, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 35, - "fileName": "positive3.yaml" + "line": 27, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 39, - "fileName": "positive3.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json index 782cd903677..57c897f7e7e 100644 --- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "line": 4, - "fileName": "positive1.yaml", "queryName": "Support Has No Role Associated", - "severity": "LOW" + "severity": "LOW", + "line": 53, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 16, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": "'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 28, - "fileName": "positive1.yaml" + "line": 29, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 5, - "fileName": "positive2.json" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 29, - "fileName": "positive2.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": "'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 53, - "fileName": "positive2.json" + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index 822c2cc2526..d396bd8c12a 100644 --- a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -1,74 +1,146 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 17, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive6.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 15, - "fileName": "positive6.yaml" - } + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 17, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 7, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 15, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 7, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "filename": "positive1.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive1.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json index 084553f4de3..9e3c406de04 100644 --- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "fileName": "positive1.yaml", "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 33 + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" }, { - "line": 18, - "fileName": "positive1.yaml", "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 29, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 49, - "fileName": "positive1.yaml" + "line": 47, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined" }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 47, - "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "line": 61, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 40, - "fileName": "positive2.json" + "line": 29, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 61, - "fileName": "positive2.json" + "line": 33, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 277b995e388..e7f9dd2e146 100644 --- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 14, - "fileName": "positive1.yaml" + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" + "line": 51, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 30, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 45, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 49, - "fileName": "positive1.yaml" + "line": 65, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 56, - "fileName": "positive1.yaml" + "line": 36, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 65, - "fileName": "positive1.yaml" + "line": 77, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 10, - "fileName": "positive2.json" + "line": 45, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 16, - "fileName": "positive2.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 36, - "fileName": "positive2.json" + "line": 67, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 51, - "fileName": "positive2.json" + "line": 10, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 57, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 67, - "fileName": "positive2.json" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 77, - "fileName": "positive2.json" + "line": 56, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 8436a1ff378..06b51849630 100644 --- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 13, - "fileName": "positive1.yaml" + "line": 43, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 43, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 30, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 56, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json index ea5c7178c23..d66f56201ad 100644 --- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" + "line": 6, + "filename": "positive3.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository5.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 8, - "fileName": "positive2.yaml" + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 6, - "fileName": "positive3.json" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 9, - "fileName": "positive4.json" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 951303e8652..2fc3337ad1c 100644 --- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 12, - "fileName": "positive.json" - }, { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 13, - "fileName": "positive.yaml" - } -] + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 12, + "filename": "positive.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig3", + "searchKey": "Resources.myLaunchConfig3.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig3.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig3.Properties.UserData' contains RSA Private Key" + }, + { + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 13, + "filename": "positive.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig4", + "searchKey": "Resources.myLaunchConfig4.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig4.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig4.Properties.UserData' contains RSA Private Key" + } +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json index 9bb7a0524e4..58597757057 100644 --- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.yaml" + "line": 38, + "filename": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive6.json", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.yaml" + "line": 9, + "filename": "positive5.json", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 38, - "fileName": "positive4.json" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 7, - "fileName": "positive6.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json index c61700e6a95..9df86e231f3 100644 --- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "line": 3, - "fileName": "positive1.yaml", "queryName": "VPC Attached With Too Many Gateways", - "severity": "LOW" + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)" }, { + "queryName": "VPC Attached With Too Many Gateways", "severity": "LOW", - "line": 7, - "fileName": "positive2.json", - "queryName": "VPC Attached With Too Many Gateways" + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json index f18094de1e3..548a14e7988 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { + "queryName": "VPC Without Attached Subnet", "severity": "LOW", "line": 3, - "fileName": "positive1.yaml", - "queryName": "VPC Without Attached Subnet" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC_1", + "searchKey": "Resources.myVPC_1", + "searchValue": "", + "expectedValue": "'Resources.myVPC_1' should be attached to resources", + "actualValue": "'Resources.myVPC_1' is not attached to resources" }, { + "queryName": "VPC Without Attached Subnet", "severity": "LOW", "line": 4, - "fileName": "positive2.json", - "queryName": "VPC Without Attached Subnet" + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC_1", + "searchKey": "Resources.myVPC_1", + "searchValue": "", + "expectedValue": "'Resources.myVPC_1' should be attached to resources", + "actualValue": "'Resources.myVPC_1' is not attached to resources" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json index b950d374c71..0a5e73e0b8c 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC11", + "searchKey": "Resources.myVPC11", + "searchValue": "", + "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall" }, { "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC11", + "searchKey": "Resources.myVPC11", + "searchValue": "", + "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index efa932ba894..1385a5404bb 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.json" + "filename": "positive2.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 8, - "fileName": "positive3.json" + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.json" + "line": 8, + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json index 9261cd50989..a988e698561 100644 --- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive2.json", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW" }, { - "fileName": "positive2.json", "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json index a71ab61a364..0e1366a5e2b 100644 --- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Wildcard In ACM Certificate Domain Name", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'" }, { - "line": 19, - "fileName": "positive2.json", "queryName": "Wildcard In ACM Certificate Domain Name", - "severity": "LOW" + "severity": "LOW", + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json index 492408cd150..ccd82137fd8 100644 --- a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive3.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 4, - "fileName": "positive1.yaml" + "line": 17, + "filename": "positive4.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 5, - "fileName": "positive3.json" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 17, - "fileName": "positive4.json" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 8501c081577..17122460ba1 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) is undefined or null" }, { "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::HttpApi", + "resourceName": "HttpApi", + "searchKey": "Resources.HttpApi.Properties", + "searchValue": "", + "expectedValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) should be defined and not null", + "actualValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json index 16af5f0a76b..037a95a5b68 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive3.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 66879c8a540..77cbc417c12 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi.EndpointConfiguration' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi.EndpointConfiguration' is undefined or null" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.EndpointConfiguration", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' is undefined or null" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' does not contain 'PRIVATE'" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json index 7c2c2079915..491e4133a19 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 19, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize is not defined or null" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 19, - "fileName": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 9b3580ba2f5..0cfc535b451 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false" }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false" }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 90ecf9fd811..41347aff1c2 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.KmsKeyArn' should be defined and not null", + "actualValue": "'Resources.Function.Properties.KmsKeyArn' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 80a3a4a0aca..e6f93907520 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Function Without Dead Letter Queue", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json index 52d67c40a52..7c7911b51cd 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Function Without Tags", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.Tags' should be defined and not null", + "actualValue": "'Resources.Function.Properties.Tags' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 97fa6f898f5..8aa1ea90813 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", - "line": 19, - "fileName": "positive1.yaml" + "line": 34, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", - "line": 34, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", - "line": 19, - "fileName": "positive2.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", - "line": 34, - "fileName": "positive2.yaml" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 14dd9db9ab2..b362e8e7f21 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Tracing", + "searchValue": "", + "expectedValue": "'Tracing' should be set to 'Active'", + "actualValue": "'Tracing' is set to 'PassThrough'" }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 19, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties", + "searchValue": "", + "expectedValue": "Property 'TracingConfig' should be defined and not null", + "actualValue": "Property 'TracingConfig' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json index d22a547d757..5fa9e8dcc24 100644 --- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive.yaml" + "line": 41, + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 50, - "fileName": "positive.yaml" + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 50, + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 41, - "fileName": "positive2.yaml" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" + "line": 12, + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 47, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 7147bac5f34..96376fc6b0b 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 14, - "fileName": "positive.yaml" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 54, - "fileName": "positive.yaml" + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 14, + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 44, - "fileName": "positive2.yaml" + "line": 50, + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" + "line": 44, + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 50, - "fileName": "positive3.yaml" + "line": 54, + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json index 89078c0250b..599f562d815 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 8, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'webACLID' should be defined", + "actualValue": "'webACLID' is not defined" }, { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 48, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'webACLID' should be defined", + "actualValue": "'webACLID' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 077082aa587..37d5371cc70 100644 --- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 9, - "fileName": "positive.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-6", + "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is undefined" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", "line": 38, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-4", + "searchKey": "spec.resources.base.metadata.name={{lg-4}}.spec.forProvider.retentionInDays", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is set to a invalid value" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-5", + "searchKey": "metadata.name={{lg-5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is undefined" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 34, - "fileName": "positive2.yaml" + "line": 9, + "filename": "positive.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-3", + "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is set to a invalid value" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 0496d93bb96..05ca36d208b 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", "line": 21, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds3", + "searchKey": "metadata.name={{rds3}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be set to true", + "actualValue": "storageEncrypted is set to false" }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 63, - "fileName": "positive.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds5", + "searchKey": ".metadata.name={{rds5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 63, + "filename": "positive.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds4", + "searchKey": "spec.resources.base.metadata.name={{rds4}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be set to true", + "actualValue": "storageEncrypted is set to false" }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", "line": 47, - "fileName": "positive2.yaml" - } -] + "filename": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds6", + "searchKey": "spec.resources.base..metadata.name={{rds6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 388655a694f..621f7bdf1a1 100644 --- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", - "line": 17, - "fileName": "positive.yaml" + "line": 55, + "filename": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule5", + "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'" }, { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", - "line": 55, - "fileName": "positive.yaml" - } -] + "line": 17, + "filename": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule2", + "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'" + } +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json index c683dbe070f..f3af297e096 100644 --- a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should be defined", + "actualValue": "DBCluster.enableCloudwatchLogsExports is undefined" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: audit, profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: profiler" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json index 53fb9b09db0..b43d00b635e 100644 --- a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should be defined and have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings is not defined" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive3.yaml" - } -] + "filename": "positive3.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value" + } +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json index b566c873588..3d1a2d3c1d4 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example5", + "searchKey": "metadata.name={{example5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 38, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider.encrypted", + "searchValue": "", + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 35, + "filename": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example6", + "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 35, - "fileName": "positive2.yaml" - } -] + "line": 8, + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", + "searchValue": "", + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false" + } +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json index d4dd72b8200..fd1feecc9b1 100644 --- a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EFS Without KMS", "severity": "LOW", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined" }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 36, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 9839c2318a3..63737426ccd 100644 --- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 18, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener", + "searchKey": "metadata.name={{test-listener}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 58, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener2", + "searchKey": "spec.resources.base.metadata.name={{test-listener2}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index a9b0dca7046..5d7ef5e14b3 100644 --- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive.yaml" + "line": 40, + "filename": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 40, - "fileName": "positive.yaml" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 15, - "fileName": "positive2.yaml" + "line": 50, + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 50, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index e3a013bb08e..c365eb0f701 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -1,14 +1,38 @@ [ + { + "queryName": "RDS DB Instance Publicly Accessible", + "severity": "CRITICAL", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "my-rds-instance", + "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", + "searchValue": "", + "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", + "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it" + }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "RDSInstance", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.publiclyAccessible", + "searchValue": "", + "expectedValue": "publiclyAccessible should be set to false", + "actualValue": "publiclyAccessible is set to true" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.yaml" + "filename": "negative2.yaml", + "resourceType": "RDSInstance", + "resourceName": "my-rds-instance", + "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", + "searchValue": "", + "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", + "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 3cfc042ed8d..83095e16d34 100644 --- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue3", + "searchKey": "metadata.name={{test-queue3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue4", + "searchKey": "spec.resources.base.metadata.name={{test-queue4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json index 1c265a231ce..7f956d3a44b 100644 --- a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive.yaml" + "line": 40, + "filename": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true" }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive.yaml" + "line": 13, + "filename": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 794ace29ea3..3df89612441 100644 --- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Redis Cache Allows Non SSL Connections", "severity": "MEDIUM", "line": 14, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Redis", + "resourceName": "azureRedis3", + "searchKey": "metadata.name={{azureRedis3}}.spec.forProvider.enableNonSslPort", + "searchValue": "", + "expectedValue": "enableNonSslPort should be set to false or undefined", + "actualValue": "enableNonSslPort is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 011456b8a0d..1cbfa0bdecc 100644 --- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Bucket", + "resourceName": "bucketSample", + "searchKey": "metadata.name={{bucketSample}}.spec", + "searchValue": "", + "expectedValue": "Bucket logging should be defined", + "actualValue": "Bucket logging is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 1c81ab5ef46..dff0eccaed0 100644 --- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" + "line": 27, + "filename": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", + "searchValue": "", + "expectedValue": "autoRepair should be set to true", + "actualValue": "autoRepair is set to false" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 27, - "fileName": "positive.yaml" + "line": 6, + "filename": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", + "searchValue": "", + "expectedValue": "management should be defined with autoRepair set to true", + "actualValue": "management is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json index 9e2cf0047c4..999c594978f 100644 --- a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Cgroup Not Default", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml" - } -] + { + "queryName": "Cgroup Not Default", + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.iperfclient.cgroup_parent", + "searchValue": "", + "expectedValue": "Cgroup_parent should be undefined", + "actualValue": "Cgroup_parent is defined. Only use this when strictly required." + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json index 476e375f089..7b6750a25d7 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute." }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute." }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute." }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 4, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json index cda368e50d8..0d3313e5d74 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json index ba658c797a9..e3e4cb5143d 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Cpus Not Limited", "severity": "LOW", - "line": 9, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.criwhat", + "searchValue": "", + "expectedValue": "For cpus priority should be declared.", + "actualValue": "There is no cpus priority declared." }, { "queryName": "Cpus Not Limited", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 3, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.cpus' should be defined", + "actualValue": "'deploy' is not defined" }, { "queryName": "Cpus Not Limited", "severity": "LOW", - "line": 3, - "filename": "positive3.yaml" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined" }, { "queryName": "Cpus Not Limited", "severity": "LOW", - "line": 7, - "filename": "positive3.yaml" + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources.limits", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.cpus' should be defined", + "actualValue": "'deploy.resources.limits.cpus' is not defined" }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 5, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined" }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 8, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json index 29d6e88b80a..8768fed4cb7 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml" - }, - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 10, - "filename": "positive2.yaml" - } -] + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.example.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled." + }, + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.demo.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled." + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json index c078e90a7fb..a88eef9f96f 100644 --- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Docker Socket Mounted In Container", - "severity": "HIGH", - "line": 9, - "filename": "positive1.yaml" - } -] + { + "queryName": "Docker Socket Mounted In Container", + "severity": "HIGH", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service1.volumes", + "searchValue": "", + "expectedValue": "To not have docker socket named 'docker.sock' mounted in a volume", + "actualValue": "There is a docker socket named 'docker.sock' mounted in a volume" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json index 22272ad13eb..53479d7aa50 100644 --- a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" - }, - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 14, - "filename": "positive2.yaml" - }, - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 14, - "filename": "positive3.yaml" - } -] + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 14, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service.healthcheck.test", + "searchValue": "", + "expectedValue": "Healthcheck should be enabled.", + "actualValue": "Healthcheck is disabled." + }, + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service", + "searchValue": "", + "expectedValue": "Healthcheck should be defined.", + "actualValue": "Healthcheck is not defined." + }, + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 14, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service.healthcheck.disable", + "searchValue": "", + "expectedValue": "Healthcheck should be enabled.", + "actualValue": "Healthcheck is disabled." + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json index 3a17ab2508c..d6bc58b1336 100644 --- a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" - }, - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml" - }, - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml" - } - ] + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 6, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service_name_2.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host" + }, + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service_name_1.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host" + }, + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.internal.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json index dc2ba07fd8e..bcf28bfb354 100644 --- a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 3, - "filename": "positive3.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 8, - "filename": "positive4.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 5, - "filename": "positive5.yaml" - } - ] + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.criwhat", + "searchValue": "", + "expectedValue": "For mem_limit should be declared.", + "actualValue": "There is no mem_limit declared." + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 5, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources.limits", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.memory' should be defined", + "actualValue": "'deploy.resources.limits.memory' is not defined" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 3, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.memory' should be defined", + "actualValue": "'deploy' is not defined" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 8, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json index 904cf5d83a0..d6c8b511d4f 100644 --- a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "No New Privileges Not Set", - "severity": "HIGH", - "line": 12, - "filename": "positive1.yaml" - }, - { - "queryName": "No New Privileges Not Set", - "severity": "HIGH", - "line": 12, - "filename": "positive2.yaml" - } -] + { + "queryName": "No New Privileges Not Set", + "severity": "HIGH", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service-service-service.security_opt", + "searchValue": "", + "expectedValue": "no-new-privileges should be set in security_opt.", + "actualValue": "no-new-privileges is not set in security_opt" + }, + { + "queryName": "No New Privileges Not Set", + "severity": "HIGH", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service-service-service.security_opt", + "searchValue": "", + "expectedValue": "no-new-privileges should be set in security_opt.", + "actualValue": "no-new-privileges is not set in security_opt" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json index c662bfd1292..705c3d1fd6b 100644 --- a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Pids Limit Not Set", - "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml" - }, - { - "queryName": "Pids Limit Not Set", - "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml" - } -] + { + "queryName": "Pids Limit Not Set", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.auth.pids_limit", + "searchValue": "", + "expectedValue": "Pids_limit should be limited.", + "actualValue": "Pids_limit is not limited." + }, + { + "queryName": "Pids Limit Not Set", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.auth", + "searchValue": "", + "expectedValue": "Pids_limit should be defined.", + "actualValue": "Pids_limit is not defined." + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json index 880f3c8359a..59dc78bf972 100644 --- a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Privileged Containers Enabled", - "severity": "HIGH", - "line": 10, - "filename": "positive1.yaml" - }, - { - "queryName": "Privileged Containers Enabled", - "severity": "HIGH", - "line": 13, - "filename": "positive2.yaml" - } -] + { + "queryName": "Privileged Containers Enabled", + "severity": "HIGH", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.privileged", + "searchValue": "", + "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set", + "actualValue": "Docker compose file has 'privileged' attribute as true" + }, + { + "queryName": "Privileged Containers Enabled", + "severity": "HIGH", + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.privileged", + "searchValue": "", + "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set", + "actualValue": "Docker compose file has 'privileged' attribute as true" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json index 4f29698ae01..81282e65e6a 100644 --- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json @@ -1,80 +1,158 @@ [ - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 12, - "filename": "positive1.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive7.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive5.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive8.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive10.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive6.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive11.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive9.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive12.yaml" - } -] + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.dhcp_client.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.dhcpd.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json index bf96e318d8c..09aeb16c21a 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.name_of_service.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5" }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 17, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.deploy.restart_policy.max_attempts", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5" }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5" }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 6, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5" }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 17, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.deploy.restart_policy.max_attempts", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json index 5f83e948915..359e44f9a7d 100644 --- a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Security Opt Not Set", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'security_opt' attribute", + "actualValue": "Docker compose file does not have 'security_opt' attribute" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json index 3963d4a3f4e..5b642c780dd 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" - }, - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 13, - "filename": "positive2.yaml" - } -] + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.privileged", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set", + "actualValue": "Docker compose file has 'ipc' attribute as host" + }, + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.privileged", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set", + "actualValue": "Docker compose file has 'ipc' attribute as host" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json index 049396ca1ed..d6cf0d7fbc7 100644 --- a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json @@ -1,9 +1,14 @@ [ - { - "queryName": "Shared Host Network Namespace", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - } - ] - \ No newline at end of file + { + "queryName": "Shared Host Network Namespace", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.mongo.network_mode", + "searchValue": "", + "expectedValue": "There shouldn't be network mode declared as host", + "actualValue": "There is a network mode declared as host" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json index 24517d5ef89..b9413b201e6 100644 --- a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json @@ -3,7 +3,12 @@ "queryName": "Shared Host User Namespace", "severity": "MEDIUM", "line": 9, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service1.userns_mode", + "searchValue": "", + "expectedValue": "Attribute 'userns_mode' should not be set or not set to host", + "actualValue": "Attribute 'userns_mode' is set to host" } -] - \ No newline at end of file +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json index 4036243d3a3..9ac66ec779a 100644 --- a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 9, - "filename": "positive1.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 16, - "filename": "positive1.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 17, - "filename": "positive2.yaml" - } -] + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 16, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.backend.volumes", + "searchValue": "shared", + "expectedValue": "There shouldn't be volumes shared between containers", + "actualValue": "Volume ./logic:/app shared between containers" + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.frontend.volumes", + "searchValue": "shared", + "expectedValue": "There shouldn't be volumes shared between containers", + "actualValue": "Volume ./logic:/app shared between containers" + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.app.volumes", + "searchValue": "created-and-shared", + "expectedValue": "There shouldn't be volumes created and shared between containers", + "actualValue": "Volume shared-volume created and shared between containers" + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.checker.volumes", + "searchValue": "created-and-shared", + "expectedValue": "There shouldn't be volumes created and shared between containers", + "actualValue": "Volume shared-volume created and shared between containers" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json index 0c70a091734..87619df51f6 100644 --- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 18, - "filename": "positive2.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 14, - "filename": "positive3.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 11, - "filename": "positive4.yaml" - } -] + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 14, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "volumes.wp-content.driver_opts.mountpoint", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/var/data) mounted as a volume" + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.backup.volumes", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.yesno.volumes.source", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume" + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "volumes.vol.driver_opts.device", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" + } +] \ No newline at end of file diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json index 09452900a9e..a68b6f087e0 100644 --- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive1.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive2.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive3.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive4.yaml" - } -] + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: rslave" + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: slave" + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: rshared" + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: shared" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json index 7e9efb25dd7..86b794f6305 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json +++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Add Instead of Copy", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "searchValue": "", + "expectedValue": "'COPY' ${JAR_FILE}", + "actualValue": "'ADD' ${JAR_FILE}" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json index ab094181dbb..c14be805eb3 100644 --- a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Apk Add Using Local Cache Path", - "severity": "INFO", - "line": 2, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Apk Add Using Local Cache Path", - "severity": "INFO", - "line": 2, - "fileName": "positive2.dockerfile" - } -] + { + "queryName": "Apk Add Using Local Cache Path", + "severity": "INFO", + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}", + "searchValue": "", + "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", + "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch" + }, + { + "queryName": "Apk Add Using Local Cache Path", + "severity": "INFO", + "line": 2, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}", + "searchValue": "", + "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", + "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json index ab1370df2dd..11e867821b6 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 2, - "fileName": "positive.dockerfile" + "line": 5, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 5, - "fileName": "positive.dockerfile" + "line": 8, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 8, - "fileName": "positive.dockerfile" + "line": 12, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 12, - "fileName": "positive.dockerfile" + "line": 2, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", "line": 2, - "fileName": "positive2.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index f2afe4b4ae2..15afdbb7da1 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -2,97 +2,193 @@ { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 2, - "fileName": "positive.dockerfile" + "line": 9, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 3, - "fileName": "positive.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.dockerfile" + "line": 2, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, - "fileName": "positive.dockerfile" + "line": 6, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, - "fileName": "positive.dockerfile" + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, - "fileName": "positive.dockerfile" + "line": 6, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.dockerfile" + "line": 9, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.dockerfile" + "line": 9, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.dockerfile" + "line": 9, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.dockerfile" + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json index eb501cf7739..3defd08e956 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json @@ -3,90 +3,180 @@ "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive1.dockerfile" + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 3, - "filename": "positive1.dockerfile" + "line": 2, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 4, - "filename": "positive1.dockerfile" + "line": 2, + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive2.dockerfile" + "line": 4, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive2.dockerfile" + "filename": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 4, - "filename": "positive2.dockerfile" + "line": 2, + "filename": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive3.dockerfile" + "line": 3, + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive4.dockerfile" + "filename": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive4.dockerfile" + "filename": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 3, - "filename": "positive5.dockerfile" - }, + "line": 2, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input" + }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive5.dockerfile" + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive6.dockerfile" - }, + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input" + }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive6.dockerfile" + "line": 4, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive7.dockerfile" - }, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input" + }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive7.dockerfile" + "line": 3, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json index 224923adbc5..91a31177113 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "APT-GET Not Avoiding Additional Packages", - "severity": "INFO", - "line": 2 - }, - { - "queryName": "APT-GET Not Avoiding Additional Packages", - "severity": "INFO", - "line": 3 - } -] + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages" + }, + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json index c9854941220..923094cc76c 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Changing Default Shell Using RUN Command", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.dockerfile" - }, - { - "queryName": "Changing Default Shell Using RUN Command", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2.dockerfile" - } -] + { + "queryName": "Changing Default Shell Using RUN Command", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN ln -sfv /bin/bash /bin/sh}}", + "searchValue": "", + "expectedValue": "{{RUN ln -sfv /bin/bash /bin/sh}} should use the SHELL command to change the default shell", + "actualValue": "{{RUN ln -sfv /bin/bash /bin/sh}} uses the RUN command to change the default shell" + }, + { + "queryName": "Changing Default Shell Using RUN Command", + "severity": "MEDIUM", + "line": 5, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN powershell -command}}", + "searchValue": "", + "expectedValue": "{{RUN powershell -command}} should use the SHELL command to change the default shell", + "actualValue": "{{RUN powershell -command}} uses the RUN command to change the default shell" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json index 41cc05a4a3d..54e3c2446ae 100644 --- a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json +++ b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Chown Flag Exists", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.7}}.{{COPY --chown=patrick:patrick app /app}}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag", + "actualValue": "The 'Dockerfile' contains the 'chown' flag" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json index 0a577a86177..9a13059745b 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "COPY '--from' References Current FROM Alias", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{myimage:tag as dep}}.{{COPY --from=dep /binary /}}", + "searchValue": "", + "expectedValue": "COPY --from should not reference the current FROM alias", + "actualValue": "COPY --from references the current FROM alias" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json index 2774ad6013d..e58d7076817 100644 --- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json @@ -2,7 +2,13 @@ { "queryName": "Copy With More Than Two Arguments Not Ending With Slash", "severity": "LOW", - "fileName": "positive.dockerfile", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:carbon2}}.COPY={{package.json}}", + "searchValue": "", + "expectedValue": "When COPY command has more than two arguments, the last one should end with a slash", + "actualValue": "COPY command has more than two arguments and the last one does not end with a slash" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json index 914f34a3b1a..3232b33a68b 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Curl or Wget Instead of Add", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD https://example.com/big.tar.xz /usr/src/things/}}", + "searchValue": "", + "expectedValue": "Should use 'curl' or 'wget' to download https://example.com/big.tar.xz", + "actualValue": "'ADD' https://example.com/big.tar.xz" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json index 7c697fbb3e4..077cf24c00c 100644 --- a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json +++ b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Exposing Port 22 (SSH)", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 3000 80 443 22}}", + "searchValue": "", + "expectedValue": "'EXPOSE' shouldn't contain the port 22 ", + "actualValue": "'EXPOSE' contains the port 22 " } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json index 9e0dc193dc6..b270d6ed83d 100644 --- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 3 + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}", + "searchValue": "", + "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'", + "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :" }, { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 4 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}", + "searchValue": "", + "expectedValue": "RUN gem install bundler is 'gem install :'", + "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :" }, { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder}}", + "searchValue": "", + "expectedValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install :'", + "actualValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install ', you should use 'gem install :" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json index 3fff0a3f2f4..a4cb7236894 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Healthcheck Instruction Missing", - "severity": "LOW", - "line": 1, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Healthcheck Instruction Missing", - "severity": "LOW", - "line": 7, - "fileName": "positive2.dockerfile" - } -] + { + "queryName": "Healthcheck Instruction Missing", + "severity": "LOW", + "line": 7, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}", + "searchValue": "", + "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "queryName": "Healthcheck Instruction Missing", + "severity": "LOW", + "line": 1, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:alpine}}", + "searchValue": "", + "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index a5cbb7933e2..65b3eee8bcb 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -1,38 +1,62 @@ [ - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive1.dockerfile", - "line": 1 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive2.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive3.dockerfile", - "line": 4 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive3.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive4.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive4.dockerfile", - "line": 10 - } -] + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine}}", + "searchValue": "", + "expectedValue": "FROM alpine:'version'", + "actualValue": "FROM alpine'" + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 4, + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{positive4 }}", + "searchValue": "", + "expectedValue": "FROM positive4:'version'", + "actualValue": "FROM positive4'" + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{positive42}}", + "searchValue": "", + "expectedValue": "FROM positive42:'version'", + "actualValue": "FROM positive42'" + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{construction AS final}}", + "searchValue": "", + "expectedValue": "FROM construction:'version'", + "actualValue": "FROM construction'" + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{test_fail_1}}", + "searchValue": "", + "expectedValue": "FROM test_fail_1:'version'", + "actualValue": "FROM test_fail_1'" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json index 54fb27a0982..47ad68702c9 100644 --- a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Image Version Using 'latest'", - "severity": "MEDIUM", - "line": 1 - } -] + { + "queryName": "Image Version Using 'latest'", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest}}", + "searchValue": "", + "expectedValue": "FROM alpine:latest:'version' where version should not be 'latest'", + "actualValue": "FROM alpine:latest'" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json index 751442ed373..79e344543ec 100644 --- a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json +++ b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Last User Is 'root'", "severity": "HIGH", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:2.6}}.{{USER root}}", + "searchValue": "", + "expectedValue": "Last User shouldn't be root", + "actualValue": "Last User is root" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json index ae5d0a537f5..30656b7473e 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "MAINTAINER Instruction Being Used", - "severity": "LOW", - "line": 4 - } -] + { + "queryName": "MAINTAINER Instruction Being Used", + "severity": "LOW", + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.MAINTAINER={{\"SvenDowideit@home.org.au\"}}", + "searchValue": "", + "expectedValue": "Maintainer instruction being used in Label 'LABEL maintainer=\"SvenDowideit@home.org.au\"'", + "actualValue": "Maintainer instruction not being used in Label 'MAINTAINER \"SvenDowideit@home.org.au\"'" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json index 0c521996f67..44ebdd411f9 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Missing Dnf Clean All", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce}}", + "searchValue": "", + "expectedValue": "After installing a package with dnf, command 'dnf clean all' should run.", + "actualValue": "Command `dnf clean all` is not being run after installing packages." } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json index 8ca30d102d6..d628b0435a6 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive.dockerfile" + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}", + "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 10, - "fileName": "positive.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", + "searchValue": "dnf in docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive2.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}", + "searchValue": "set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 10, - "fileName": "positive2.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", + "searchValue": "dnf in docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive3.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}", + "searchValue": "dnf install docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 21, - "fileName": "positive4.dockerfile" + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer}}.RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}", + "searchValue": "tdnf install jq tar libicu python3-requests python3-yaml", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}` doesn't have the `-y` or `--assumeyes` switch set" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json index 8a0833e1de1..98616ff77ad 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Missing User Instruction", - "severity": "HIGH", - "line": 1, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Missing User Instruction", - "severity": "HIGH", - "line": 7, - "fileName": "positive2.dockerfile" - } -] + { + "queryName": "Missing User Instruction", + "severity": "HIGH", + "line": 7, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "queryName": "Missing User Instruction", + "severity": "HIGH", + "line": 1, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:2.7}}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index 53dca70b9fb..fd4c123d44c 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 2 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}", + "searchValue": "", + "expectedValue": "Package version should be specified when using 'dnf install'", + "actualValue": "Package version should be pinned when running ´dnf install´" }, { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 3 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}", + "searchValue": "", + "expectedValue": "Package version should be specified when using 'dnf install'", + "actualValue": "Package version should be pinned when running ´dnf install´" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json index 5570f022802..aea344f727d 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Missing Zypper Clean", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install}}", + "searchValue": "", + "expectedValue": "There should be a zypper clean after a zypper usage", + "actualValue": "The command 'zypper install' does not have a zypper clean after it" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json index fa3f05610c9..f71df8e527b 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Missing Zypper Non-interactive Switch", - "severity": "MEDIUM", - "line": 2 - } -] + { + "queryName": "Missing Zypper Non-interactive Switch", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install httpd && zypper clean}}", + "searchValue": "", + "expectedValue": "zypper usages should have the non-interactive switch activated", + "actualValue": "The command 'RUN zypper install httpd && zypper clean' does not have the non-interactive switch activated (-y | --no-confirm)" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json index 5110e6420af..60a333b9f20 100644 --- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Multiple CMD Instructions Listed", "severity": "LOW", "line": 11, - "fileName": "positive.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}.{{CMD [\"./app\"] }}", + "searchValue": "", + "expectedValue": "There should be only one CMD instruction", + "actualValue": "There are 2 CMD instructions" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json index c1c67a870ea..428c325df00 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Multiple ENTRYPOINT Instructions Listed", "severity": "LOW", "line": 11, - "fileName": "positive.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}.{{ENTRYPOINT [ \"/opt/app/run.sh\", \"--port\", \"8080\" ]}}", + "searchValue": "", + "expectedValue": "There should be only one ENTRYPOINT instruction", + "actualValue": "There are 2 ENTRYPOINT instructions" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json index 7474b74c429..69bd3a76e20 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive1.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}", + "searchValue": "", + "expectedValue": "There isn´t any COPY instruction that could be grouped", + "actualValue": "There are COPY instructions that could be grouped" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive2.dockerfile" + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}", + "searchValue": "", + "expectedValue": "There isn´t any RUN instruction that could be grouped", + "actualValue": "There are RUN instructions that could be grouped" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive3.dockerfile" + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{ADD cairo.spec /rpmbuild/SOURCES}}", + "searchValue": "", + "expectedValue": "There isn´t any ADD instruction that could be grouped", + "actualValue": "There are ADD instructions that could be grouped" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json index 779bfea3ef6..c4699fea866 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", - "severity": "MEDIUM", - "line": 10 - }, - { - "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", - "severity": "MEDIUM", - "line": 11 - } -] + { + "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{CMD [python, /usr/src/app/app.py] }}", + "searchValue": "", + "expectedValue": "{{CMD [python, /usr/src/app/app.py] }} should be in the JSON Notation", + "actualValue": "{{CMD [python, /usr/src/app/app.py] }} isn't in JSON Notation" + }, + { + "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", + "severity": "MEDIUM", + "line": 11, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{ENTRYPOINT [top, -b]}}", + "searchValue": "", + "expectedValue": "{{ENTRYPOINT [top, -b]}} should be in the JSON Notation", + "actualValue": "{{ENTRYPOINT [top, -b]}} isn't in JSON Notation" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index ec6862cd11b..400ea8922ab 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 2, - "filename": "positive1.dockerfile" + "line": 8, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}", + "searchValue": "", + "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version", + "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.dockerfile" + "line": 7, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}", + "searchValue": "", + "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version", + "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.dockerfile" + "line": 3, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.dockerfile" + "line": 6, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.dockerfile" + "line": 4, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.dockerfile" + "line": 2, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.dockerfile" + "line": 5, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json index 727c06aeff6..127b66a9f60 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3}}.{{pip install --upgrade pip && pip install nibabel pydicom matplotlib pillow && pip install med2image}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 8 + "line": 11, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 9 + "line": 8, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{pip3 install requests=2.7.0}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 11 + "line": 9, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json index 4cba6c72f3f..4ff1e8a020f 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", - "line": 3, - "fileName": "positive.dockerfile" + "line": 9, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd ../share/nginx/html'" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", - "line": 9, - "fileName": "positive.dockerfile" + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd /../share/nginx/html'" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", "line": 15, - "fileName": "positive.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd /usr/../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd /usr/../share/nginx/html'" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json index c6a5e011847..816ea71bd55 100644 --- a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Run Using apt", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN apt install curl}}", + "searchValue": "", + "expectedValue": "RUN instructions should not use the 'apt' program", + "actualValue": "RUN instruction is invoking the 'apt' program" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json index 581fa52051a..0c443a95fd8 100644 --- a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Run Using Sudo", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.RUN={{sudo pip install --upgrade pip}}", + "searchValue": "", + "expectedValue": "RUN instruction shouldn't contain sudo", + "actualValue": "RUN instruction contains sudo" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json index 82340b752d6..7fe7288b2fd 100644 --- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 3 + "line": 8, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'" }, { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{baseImage}}.{{RUN curl http://bing.com}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'" }, { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 8 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json index 9f366ada36a..05a5753b0e6 100644 --- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 4 + "line": 5, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}", + "searchValue": "", + "expectedValue": "There should be no dangerous commands or utilities executed", + "actualValue": "Run instruction is executing the ps command" }, { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 5 + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}", + "searchValue": "", + "expectedValue": "There should be no dangerous commands or utilities executed", + "actualValue": "Run instruction is executing the top command" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json index 9e65369181b..8230525a6a9 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json +++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Same Alias In Different Froms", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{build}}", + "searchValue": "", + "expectedValue": "Different FROM commands don't have the same alias defined", + "actualValue": "Different FROM commands with with the same alias 'build' defined" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json index 66769b07386..74624538517 100644 --- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json +++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 2 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}", + "searchValue": "/bin/bash", + "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.", + "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash." }, { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 3 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}", + "searchValue": "zsh", + "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.", + "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh." } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json index 5d57ac73d0c..540bbe80f90 100644 --- a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "UNIX Ports Out Of Range", "severity": "INFO", - "line": 3 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 65536/tcp 80 443 22}}", + "searchValue": "", + "expectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]", + "actualValue": "'EXPOSE' contains ports out of range [0, 65535]" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json index 9f377d63c28..b101aa5c36e 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 2 + "line": 16, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 13 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && rm -rf /tmp/*}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add py-pip && rm -rf /tmp/* does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 16 + "line": 13, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN [\"apk\", \"add\", \"py-pip\"]}}", + "searchValue": "py-pip", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction py-pip does not use package pinning form" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json index 4ffe50570bf..792be694135 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.dockerfile" + "line": 4, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction connexion does not use package pinning form" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.dockerfile" + "line": 3, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip install --user pip does not use package pinning form" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", "line": 15, - "filename": "positive1.dockerfile" + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN pip install connexion}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip install connexion does not use package pinning form" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", "line": 18, - "filename": "positive1.dockerfile" + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN pip3 install requests}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip3 install requests does not use package pinning form" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json index 64b7e65cd1f..2290444f779 100644 --- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json +++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive1.dockerfile" + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive2.dockerfile" + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse:latest}}.RUN={{zypper install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN zypper [\"install\"]' should be combined with 'RUN zypper [\"refresh\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN zypper [\"install\"]' isn't combined with 'RUN zypper [\"refresh\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive3.dockerfile" + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive4.dockerfile" + "filename": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive5.dockerfile" + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive6.dockerfile" + "filename": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive7.dockerfile" + "filename": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json index 17bce5638c8..64123d2c56a 100644 --- a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json +++ b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Using Platform Flag with FROM Command", "severity": "INFO", "line": 6, - "fileName": "positive1.dockerfile" + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}}", + "searchValue": "", + "expectedValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} should not use the '--platform' flag", + "actualValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} is using the '--platform' flag" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json index d0e9eb1f3db..eccad898edb 100644 --- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Using Unnamed Build Stages", - "severity": "LOW", - "line": 10, - "filename": "positive1.dockerfile" - } -] + { + "queryName": "Using Unnamed Build Stages", + "severity": "LOW", + "line": 10, + "filename": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}.{{COPY --from=0 /go/src/github.com/foo/href-counter/app ./}}", + "searchValue": "", + "expectedValue": "COPY '--from' should reference a previously defined FROM alias", + "actualValue": "COPY '--from' does not reference a previously defined FROM alias" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json index ece07faaf7f..97efe4064b6 100644 --- a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json +++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "WORKDIR Path Not Absolute", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.WORKDIR={{workdir}}", + "searchValue": "", + "expectedValue": "'WORKDIR' Command has absolute path", + "actualValue": "'WORKDIR' Command doesn't have absolute path" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json index f4e28bb33cf..abf120ee488 100644 --- a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Yum Clean All Missing", "severity": "LOW", "line": 12, - "fileName": "positive.dockerfile" + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.4}}.{{RUN yum clean all yum -y install}}", + "searchValue": "", + "expectedValue": "{{RUN yum clean all yum -y install}} should have 'yum clean all' after 'yum install' command", + "actualValue": "{{RUN yum clean all yum -y install}} doesn't have 'yum clean all' after 'yum install' command" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json index c6fa582d3aa..7525534aa3f 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Yum Install Allows Manual Input", "severity": "LOW", - "line": 3 + "line": 4, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input" }, { "queryName": "Yum Install Allows Manual Input", "severity": "LOW", - "line": 4 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}", + "searchValue": "", + "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input", + "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json index 2ed431a5849..8056fb26a37 100644 --- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Yum install Without Version", "severity": "MEDIUM", - "line": 2 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}", + "searchValue": "httpd", + "expectedValue": "The package version should always be specified when using yum install", + "actualValue": "No version is specified in package 'httpd'" }, { "queryName": "Yum install Without Version", "severity": "MEDIUM", - "line": 3 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}", + "searchValue": "httpd", + "expectedValue": "The package version should always be specified when using yum install", + "actualValue": "No version is specified in package 'httpd'" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json index 7d64d6a1109..3fb2409327b 100644 --- a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Zypper Install Without Version", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN zypper install -y httpd && zypper clean}}", + "searchValue": "httpd", + "expectedValue": "The package version should always be specified when using zypper install", + "actualValue": "No version is specified in package 'httpd'" }, { "queryName": "Zypper Install Without Version", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"zypper\", \"install\", \"http\"]}}", + "searchValue": "http", + "expectedValue": "The package version should always be specified when using zypper install", + "actualValue": "No version is specified in package 'http'" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json index 588bf368806..95480ce494c 100644 --- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "BigQuery Dataset Is Public", "severity": "HIGH", "line": 7, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "bigquery.v2.dataset", + "resourceName": "bigquery", + "searchKey": "resources.name={{bigquery}}.properties.access[0].specialGroup", + "searchValue": "", + "expectedValue": "'access[0].specialGroup' should not equal to 'allAuthenticatedUsers'", + "actualValue": "'access[0].specialGroup' is equal to 'allAuthenticatedUsers'" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json index 6bf204bca1f..dcedb4e7105 100644 --- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Bucket Without Versioning", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "bucket", + "searchKey": "resources.name={{bucket}}.properties.versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is false" }, { "queryName": "Bucket Without Versioning", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "bucket", + "searchKey": "resources.name={{bucket}}.properties", + "searchValue": "", + "expectedValue": "'versioning' should be defined and not null", + "actualValue": "'versioning' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json index 52d56a7fb6c..fad2816f1b1 100644 --- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml" + "line": 8, + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate", + "searchValue": "", + "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true", + "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.masterAuth", + "searchValue": "", + "expectedValue": "'masterAuth.clientCertificateConfig' should be defined and not null", + "actualValue": "'masterAuth.clientCertificateConfig' is undefined or null" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 8, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'masterAuth' should be defined and not null", + "actualValue": "'masterAuth' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index 0cc01b954eb..f1f97cfbe59 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Cloud DNS Without DNSSEC", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "dns.v1.managedZone", + "resourceName": "dns2", + "searchKey": "resources.name={{dns2}}.properties.dnssecConfig", + "searchValue": "", + "expectedValue": "'state' should be defined and not null", + "actualValue": "'state' is undefined or null" }, { "queryName": "Cloud DNS Without DNSSEC", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml" + "line": 7, + "filename": "positive3.yaml", + "resourceType": "dns.v1.managedZone", + "resourceName": "dns3", + "searchKey": "resources.name={{dns3}}.properties.dnssecConfig.state", + "searchValue": "", + "expectedValue": "'state' should be set to 'on'", + "actualValue": "'state' is not set to 'on'" }, { "queryName": "Cloud DNS Without DNSSEC", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "dns.v1.managedZone", + "resourceName": "dns", + "searchKey": "resources.name={{dns}}.properties", + "searchValue": "", + "expectedValue": "'dnssecConfig' should be defined and not null", + "actualValue": "'dnssecConfig' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index bd96fd1b8e3..31af029d422 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 4, - "filename": "positive1.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", + "searchValue": "", + "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", + "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 4, - "filename": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties", + "searchValue": "acl", + "expectedValue": "'acl' should be defined", + "actualValue": "'acl' is undefined or null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 7, - "filename": "positive2.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties", + "searchValue": "acl", + "expectedValue": "'acl' should be defined", + "actualValue": "'acl' is undefined or null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 4, - "filename": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties", + "searchValue": "defaultObjectAcl", + "expectedValue": "'defaultObjectAcl' should be defined", + "actualValue": "'defaultObjectAcl' is undefined or null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 7, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties.acl[0].entity", + "searchValue": "", + "expectedValue": "properties.acl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", + "actualValue": "properties.acl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "storage-bucket", + "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", + "searchValue": "", + "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", + "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json index d42c2587d0d..15831fba1bc 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", "line": 5, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucketAccessControl", + "resourceName": "bucket-access-control", + "searchKey": "resources.name={{bucket-access-control}}.properties.entity", + "searchValue": "", + "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "'entity' is equal to 'allUsers'" }, { "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", "line": 5, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "storage.v1.bucketAccessControl", + "resourceName": "bucket-access-control", + "searchKey": "resources.name={{bucket-access-control}}.properties.entity", + "searchValue": "", + "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "'entity' is equal to 'allAuthenticatedUsers'" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index 3eb292cd0a7..7e3a4f6ec01 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "a-new-pubsub-topic", + "searchKey": "resources.name={{a-new-pubsub-topic}}.properties", + "searchValue": "", + "expectedValue": "'versioning' should be defined and not null", + "actualValue": "'versioning' is undefined or null" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "a-new-pubsub-topic2", + "searchKey": "resources.name={{a-new-pubsub-topic2}}.properties.versioning.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json index 6dad84347c3..40ccbde7e14 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Cluster Labels Disabled", "severity": "LOW", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'resourceLabels' should be defined and not null", + "actualValue": "'resourceLabels' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index 37ca92ffb33..d047a22161d 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'masterAuth' should be defined and not null", + "actualValue": "'masterAuth' is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.masterAuth", + "searchValue": "", + "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined", + "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.masterAuth", + "searchValue": "", + "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined", + "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json index 7e5816b6e71..ab3e26fed29 100644 --- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Compute Instance Is Publicly Accessible", "severity": "MEDIUM", "line": 8, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "instance", + "searchKey": "resources.name={{instance}}.properties.networkInterfaces", + "searchValue": "", + "expectedValue": "'accessConfigs' should be undefined", + "actualValue": "'accessConfigs' is defined and not null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json index 46de3aa0e69..6865f03d752 100644 --- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "COS Node Image Not Used", "severity": "LOW", "line": 7, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.nodePool", + "resourceName": "nodePool", + "searchKey": "resources.name={{nodePool}}.properties.config.imageType", + "searchValue": "", + "expectedValue": "'config.imageType' should start with 'cos'", + "actualValue": "'config.imageType' is ubuntu" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json index 7586900135f..332646a83dd 100644 --- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml" + "line": 16, + "filename": "positive3.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template3", + "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey", + "searchValue": "", + "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", + "actualValue": "'diskEncryptionKey.rawKey' is empty" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.yaml" + "line": 23, + "filename": "positive2.yaml", + "resourceType": "compute.v1.disk", + "resourceName": "disk-4-data", + "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey", + "searchValue": "", + "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", + "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.yaml" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.disks.diskEncryptionKey", + "searchValue": "", + "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", + "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.disk", + "resourceName": "disk-3-data", + "searchKey": "resources.name={{disk-3-data}}.properties.disks", + "searchValue": "", + "expectedValue": "'diskEncryptionKey' should be defined and not null", + "actualValue": "'diskEncryptionKey' is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.yaml" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template", + "searchKey": "resources.name={{vm-template}}.properties.disks", + "searchValue": "", + "expectedValue": "'diskEncryptionKey' should be defined and not null", + "actualValue": "'diskEncryptionKey' is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "compute.v1.disk", + "resourceName": "disk-5-data", + "searchKey": "resources.name={{disk-5-data}}.properties.diskEncryptionKey.rawKey", + "searchValue": "", + "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", + "actualValue": "'diskEncryptionKey.rawKey' is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index f40a3d8a8a0..cd15a1ba760 100644 --- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "DNSSEC Using RSASHA1", "severity": "MEDIUM", "line": 9, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "dns.v1.managedZone", + "resourceName": "dns", + "searchKey": "resources.name={{dns}}.properties.dnssecConfig.defaultKeySpecs", + "searchValue": "", + "expectedValue": "'algorithm' should not equal to 'rsasha1'", + "actualValue": "'algorithm' is equal to 'rsasha1'" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index a34c5e90f58..70c53794bd5 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "GKE Legacy Authorization Enabled", "severity": "HIGH", "line": 7, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.legacyAbac.enabled", + "searchValue": "", + "expectedValue": "'legacyAbac.enabled' should be false", + "actualValue": "'legacyAbac.enabled' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index c2a87118b33..389b421cebe 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties", + "searchValue": "", + "expectedValue": "'masterAuthorizedNetworksConfig' should be defined and not null", + "actualValue": "'masterAuthorizedNetworksConfig' is undefined or null" }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties.masterAuthorizedNetworksConfig.enabled", + "searchValue": "", + "expectedValue": "'masterAuthorizedNetworksConfig.enabled' should be true", + "actualValue": "'masterAuthorizedNetworksConfig.enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json index c73e8f724a2..e594e299b81 100644 --- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Google Storage Bucket Level Access Disabled", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "storage.v1.bucket", + "resourceName": "a-new-pubsub-topic1", + "searchKey": "resources.name={{a-new-pubsub-topic1}}.properties.iamConfiguration.uniformBucketLevelAccess.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json index db68ada83e5..6aefa9b9ae7 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'ipAllocationPolicy' should be defined and not null", + "actualValue": "'ipAllocationPolicy' is undefined or null" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy", + "searchValue": "", + "expectedValue": "'ipAllocationPolicy.useIpAliases' should be defined and not null", + "actualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy.useIpAliases", + "searchValue": "", + "expectedValue": "'ipAllocationPolicy.useIpAliases' should be true", + "actualValue": "'ipAllocationPolicy.useIpAliases' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json index d7d2261870e..0a802b62933 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IP Forwarding Enabled", "severity": "MEDIUM", "line": 16, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template", + "searchKey": "resources.name={{vm-template}}.properties.canIpForward", + "searchValue": "", + "expectedValue": "'canIpForward' should not be set to true", + "actualValue": "'canIpForward' is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json index 19d10797fc4..eb81eb611d1 100644 --- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "MySQL Instance With Local Infile On", "severity": "HIGH", "line": 8, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "db-instance", + "searchKey": "resources.name={{db-instance}}.properties.settings.databaseFlags[0]", + "searchValue": "", + "expectedValue": "'settings.databaseFlags[0]' should be 'off'", + "actualValue": "'settings.databaseFlags[0]' is equal to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json index 3d252b3cbfc..3f7a9bcdbad 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 8, + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", + "searchValue": "", + "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", + "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "networkPolicy", + "expectedValue": "'networkPolicy' should be defined and not null", + "actualValue": "'networkPolicy' is undefined or null" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled", + "searchValue": "", + "expectedValue": "'networkPolicy.enabled' should be true", + "actualValue": "'networkPolicy.enabled' is false" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.yaml" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", + "searchValue": "", + "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", + "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive3.yaml" + "line": 7, + "filename": "positive4.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled", + "searchValue": "", + "expectedValue": "'networkPolicy.enabled' should be true", + "actualValue": "'networkPolicy.enabled' is false" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "networkPolicy", + "expectedValue": "'networkPolicy' should be defined and not null", + "actualValue": "'networkPolicy' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 41f14f2827f..b6325c907a6 100644 --- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'nodePools' should be defined and not null", + "actualValue": "'nodePools' is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml" + "line": 9, + "filename": "positive4.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade", + "searchValue": "", + "expectedValue": "'nodePools.management.autoUpgrade' should be true", + "actualValue": "'nodePools.management.autoUpgrade' is false" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.nodePools.management", + "searchValue": "", + "expectedValue": "'nodePools.management.autoUpgrade' should be defined and not null", + "actualValue": "'nodePools.management.autoUpgrade' is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive4.yaml" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.nodePools", + "searchValue": "", + "expectedValue": "'nodePools.management' should be defined and not null", + "actualValue": "'nodePools.management' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json index d8a159bff9b..ec912321112 100644 --- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Not Proper Email Account In Use", "severity": "LOW", "line": 9, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "pubsub.v1.topic", + "resourceName": "a-new-pubsub-topic", + "searchKey": "accessControl.gcpIamPolicy.bindings[%!s(int=0)].members.user:jane@gmail.com", + "searchValue": "", + "expectedValue": "'members' cannot contain Gmail account addresses", + "actualValue": "'members' has email address: user:jane@gmail.com" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json index ad76c251278..b1834162f8d 100644 --- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "OSLogin Is Disabled In VM Instance", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm", + "searchKey": "resources.name={{vm}}.properties.metadata.items[0]", + "searchValue": "", + "expectedValue": "'metadata.items[0]'.value should be true", + "actualValue": "'metadata.items[0]'.value is false" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json index a9805abe4bb..51b13f3c6b7 100644 --- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "mycluster2", + "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint", + "searchValue": "", + "expectedValue": "'enablePrivateEndpoint' should be set to true", + "actualValue": "'enablePrivateEndpoint' is set to false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "mycluster2", + "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig", + "searchValue": "", + "expectedValue": "'enablePrivateNodes' should be defined and not null", + "actualValue": "'enablePrivateNodes' is undefined or null" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "mycluster", + "searchKey": "resources.name={{mycluster}}.properties", + "searchValue": "", + "expectedValue": "'privateClusterConfig' should be defined and not null", + "actualValue": "'privateClusterConfig' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 975ce957b25..7e5ea6f059d 100644 --- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 12, + "filename": "positive3.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm", + "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key", + "searchValue": "", + "expectedValue": "'metadata.items[1].value' should be true", + "actualValue": "'metadata.items[1].value' is false" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm", + "searchKey": "resources.name={{vm}}.properties.metadata.items", + "searchValue": "", + "expectedValue": "'metadata.items' should have 'block-project-ssh-keys'", + "actualValue": "'metadata.items' does not have 'block-project-ssh-keys'" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm", + "searchKey": "resources.name={{vm}}.properties", + "searchValue": "", + "expectedValue": "'metadata' should be defined and not null", + "actualValue": "'metadata' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index cc92fb60bc4..177d073a68b 100644 --- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", "line": 14, - "filename": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed", + "searchValue": "", + "expectedValue": "'allowed.ports' to not include RDP port 3389", + "actualValue": "'allowed.ports' includes RDP port 3389" }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", "line": 14, - "filename": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed", + "searchValue": "", + "expectedValue": "'allowed.ports' to not include RDP port 3389", + "actualValue": "'allowed.ports' includes RDP port 3389" }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", "line": 9, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed", + "searchValue": "", + "expectedValue": "'allowed.ports' to not include RDP port 3389", + "actualValue": "'allowed.ports' includes RDP port 3389" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json index ee8a1dd650e..9049581f403 100644 --- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template", + "searchKey": "resources.name={{vm-template}}.properties", + "searchValue": "", + "expectedValue": "'shieldedInstanceConfig' should be defined and not null", + "actualValue": "'shieldedInstanceConfig' is undefined or null" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.yaml" + "line": 18, + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot", + "searchValue": "", + "expectedValue": "'enableSecureBoot' should be set to true", + "actualValue": "'enableSecureBoot' is set to false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", + "searchValue": "enableIntegrityMonitoring", + "expectedValue": "'enableIntegrityMonitoring' should be defined and not null", + "actualValue": "'enableIntegrityMonitoring' is undefined or null" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive2.yaml" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", + "searchValue": "enableVtpm", + "expectedValue": "'enableVtpm' should be defined and not null", + "actualValue": "'enableVtpm' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 98d4feb7317..6e5e8088800 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml" + "line": 7, + "filename": "positive2.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null", + "actualValue": "'settings.backupConfiguration.enabled' is undefined or null" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration' should be defined and not null", + "actualValue": "'settings.backupConfiguration' is undefined or null" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration.enabled", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration.enabled' should be true", + "actualValue": "'settings.backupConfiguration.enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 137b73b9845..286a84637bd 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 5, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration' should be defined and not null", + "actualValue": "'settings.ipConfiguration' is undefined or null" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration.requireSsl' should be defined and not null", + "actualValue": "'settings.ipConfiguration.requireSsl' is undefined or null" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 9, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration.requireSsl", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration.requireSsl' should be true", + "actualValue": "'settings.ipConfiguration.requireSsl' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 19728bf8299..088937e5c88 100644 --- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive3.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22" }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=21-3390)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22" }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 4, - "filename": "positive3.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22" } -] +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 54222d9059a..9f8a8c39301 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'loggingService' should be defined and not null", + "actualValue": "'loggingService' is undefined or null" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.loggingService", + "searchValue": "", + "expectedValue": "'loggingService' to not be none", + "actualValue": "'loggingService' is none" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 26074b13c9b..6c69f150622 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties", + "searchValue": "", + "expectedValue": "'monitoringService' should be defined and not null", + "actualValue": "'monitoringService' is undefined or null" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties.monitoringService", + "searchValue": "", + "expectedValue": "'monitoringService' to not be 'none'", + "actualValue": "'monitoringService' is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json index abf536df43f..839f4d35f59 100644 --- a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json +++ b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 3 + "line": 10, + "filename": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[NOT_CAMEL_CASE]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase" }, { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 10 + "line": 3, + "filename": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[noInitCap]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase" }, { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 18 + "line": 18, + "filename": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[ALLCAPS]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase" } ] \ No newline at end of file diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json index 31ba5cb355b..dc763817f70 100644 --- a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json +++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Always Admit Admission Control Plugin Set", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should not contain 'AlwaysAdmit' plugin", + "actualValue": "--enable-admission-plugins flag contains 'AlwaysAdmit' plugin" } ] \ No newline at end of file diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json index d55ecb5d476..e56989575a4 100644 --- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Always Pull Images Admission Control Plugin Not Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Always Pull Images Admission Control Plugin Not Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'AlwaysPullImages' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'AlwaysPullImages' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json index 90189e0113d..07d5200a7fb 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" + "line": 7, + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" + "line": 9, + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", - "line": 9, - "filename": "positive5.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", - "line": 7, - "filename": "positive6.json" + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json index f6dd72c9d09..7d562a07ea3 100644 --- a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 12, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 27, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 40, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 55, - "fileName": "positive3.yaml" - } -] + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 40, + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 27, + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", + "actualValue": "--audit-log-maxage flag is set to less than 30 days" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json index 7da00e34745..4a9208cb4db 100644 --- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is not defined" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" + "line": 27, + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 12, - "fileName": "positive3.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 27, - "fileName": "positive3.yaml" + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 40, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 55, - "fileName": "positive3.yaml" + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json index 50437ce4286..2aabbc0339f 100644 --- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 40, - "fileName": "positive3.yaml" + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 55, - "fileName": "positive3.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json index d2d9950e15c..18997e91e6c 100644 --- a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 55, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" } ] diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json index feefd2c4b41..b77bbe14598 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" - } -] + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should be defined", + "actualValue": "--audit-policy-file is not defined" + }, + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should be defined", + "actualValue": "--audit-policy-file is not defined" + }, + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should have a valid file", + "actualValue": "--audit-policy-file does not have a valid file" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 6283d929b54..bc1fe79a75e 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -3,102 +3,204 @@ "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json index eea4b0a2e53..afb9494a51e 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'Node' mode", + "actualValue": "--authorization-mode flag does not contain 'Node' mode" }, { "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'Node' mode", + "actualValue": "--authorization-mode flag does not contain 'Node' mode" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json index 80c0e857697..b5b2273905c 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode" }, { "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode" } ] \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index 174d3224c48..bec261b3343 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", - "line": 11, - "filename": "positive1.yaml" + "line": 6, + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive4.yaml" + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive5.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", - "line": 6, - "filename": "positive6.json" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" } ] \ No newline at end of file diff --git a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json index e34115cbfc9..0ab9a6e4207 100644 --- a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Auto TLS Set To True", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--auto-tls flag should be set to false or not be defined", + "actualValue": "--auto-tls flag is set to true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json index c1651f47ffa..44429b617fe 100644 --- a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set" }, { "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json index 07dd9af49e0..f6df0f8f1eb 100644 --- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Bind Address Not Properly Set", "severity": "INFO", - "line": 11, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "fileName": "positive3.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", - "line": 20, - "fileName": "positive4.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01" } ] \ No newline at end of file diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json index 9fe04be75e3..23621f9c6fa 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" + "line": 2, + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 11, - "fileName": "positive3.yaml" + "line": 2, + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 2, - "fileName": "positive4.yaml" + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive5.yaml" + "filename": "positive6.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 2, - "fileName": "positive6.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index 7dc8cf23ce2..5e006de808d 100644 --- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cluster Admin Rolebinding With Superuser Permissions", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "ClusterRoleBinding", + "resourceName": "tiller-clusterrolebinding", + "searchKey": "metadata.name={{tiller-clusterrolebinding}}.roleRef.name=cluster-admin", + "searchValue": "", + "expectedValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' isn't binding 'cluster-admin' role with superuser permissions", + "actualValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' is binding 'cluster-admin' role with superuser permissions" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index 3f8fa2aa8f3..2a304063247 100644 --- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 13, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 24, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 18, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 24, + "filename": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "sysctl-psp", + "searchKey": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls should be undefined", + "actualValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls is defined" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-app", + "searchKey": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}}", + "searchValue": "", + "expectedValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} should not be used", + "actualValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} is an unsafe sysctl" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json index 954e413166f..09ae1fd0b4f 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json @@ -1,14 +1,14 @@ [ - { - "queryName": "CNI Plugin Does Not Support Network Policies", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.json" - }, { "queryName": "CNI Plugin Does Not Support Network Policies", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "ConfigMap", + "resourceName": "kube-flannel-cfg", + "searchKey": "data.cni-conf.json", + "searchValue": "", + "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", + "actualValue": "Plugins contains a plugin that does not support Network Policies" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json index 82fa1663583..e33293a98af 100644 --- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Container Is Privileged", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 23, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 21, - "fileName": "positive2.yaml" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-5", + "searchKey": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json index 1d2470f17f5..fa8ebb41a9b 100644 --- a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowedProcMountTypes", + "searchValue": "", + "expectedValue": "AllowedProcMountTypes should contain the value Default", + "actualValue": "AllowedProcMountTypes contains the value Unmasked" } ] \ No newline at end of file diff --git a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json index 081d3da70a3..331771560b3 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json @@ -2,103 +2,205 @@ { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.yaml" + "line": 38, + "filename": "positive9.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "Deployment", + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.yaml" + "line": 43, + "filename": "positive8.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" + "line": 21, + "filename": "positive8.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "StatefulSet", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.yaml" + "filename": "positive9.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "StatefulSet", + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 24, - "fileName": "positive5.yaml" + "line": 18, + "filename": "positive10.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 32, - "fileName": "positive6.yaml" + "line": 12, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 23, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 21, - "fileName": "positive8.yaml" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 43, - "fileName": "positive8.yaml" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive9.yaml" + "filename": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", + "searchValue": "Deployment", + "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 38, - "fileName": "positive9.yaml" + "line": 24, + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 18, - "fileName": "positive10.yaml" + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 36, - "fileName": "positive10.yaml" + "filename": "positive10.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json index a2faab363dc..11019716dbf 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json @@ -1,86 +1,170 @@ [ - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.yaml" - }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 42, + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 36, + "filename": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 20, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 42, - "fileName": "positive5.yaml" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-3", + "searchKey": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 17, - "fileName": "positive6.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 37, - "fileName": "positive6.yaml" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 18, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 36, - "fileName": "positive7.yaml" + "line": 17, + "filename": "positive6.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 37, + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json index 6d5c8e6976e..b079a11b61a 100644 --- a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.capabilities.add", + "searchValue": "", + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has no capability added other than NET_BIND_SERVICE", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has a capability added other than NET_BIND_SERVICE" }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod3", + "searchKey": "metadata.name={{pod3}}.spec.initContainers.name={{app}}.securityContext.capabilities.add", + "searchValue": "", + "expectedValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has no capability added other than NET_BIND_SERVICE", + "actualValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has a capability added other than NET_BIND_SERVICE" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json index 6882f8cf635..99f93877274 100644 --- a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod4", + "searchKey": "metadata.name={{pod4}}.spec.containers.name={{app}}.securityContext.capabilities.add", + "searchValue": "", + "expectedValue": "spec.containers.name=app should not use CAP_SYS_ADMIN Linux capability", + "actualValue": "spec.containers.name=app uses CAP_SYS_ADMIN Linux capability" } ] \ No newline at end of file diff --git a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json index 3b9e5802174..a038a0f11aa 100644 --- a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CPU Limits Not Set", "severity": "LOW", "line": 10, - "fineName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.limits", + "searchValue": "", + "expectedValue": "spec.containers.name=app has CPU limits", + "actualValue": "spec.containers.name=app doesn't have CPU limits" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", "line": 14, - "fineName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name={{log-aggregator}}.resources", + "searchValue": "", + "expectedValue": "spec.containers.name=log-aggregator has limits defined", + "actualValue": "spec.containers.name=log-aggregator doesn't have limits defined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", "line": 31, - "fineName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.limits", + "searchValue": "", + "expectedValue": "spec.template.spec.containers.name=app has CPU limits", + "actualValue": "spec.template.spec.containers.name=app doesn't have CPU limits" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", "line": 35, - "fineName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", + "searchValue": "", + "expectedValue": "spec.template.spec.containers.name=log-aggregator has limits defined", + "actualValue": "spec.template.spec.containers.name=log-aggregator doesn't have limits defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json index 888b2a2deb2..c31bdd4ba58 100644 --- a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 10 + "line": 37, + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", + "searchValue": "Configuration", + "expectedValue": "spec.template.spec.containers.name=log-aggregator.resources should have requests defined", + "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 15 + "line": 30, + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests", + "searchValue": "Configuration", + "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests", + "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 30 + "line": 15, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator", + "searchValue": "Pod", + "expectedValue": "spec.containers.name=log-aggregator should have resources defined", + "actualValue": "spec.containers.name=log-aggregator doesn't have resources defined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 37 + "line": 10, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests", + "searchValue": "Pod", + "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests", + "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json index f0639d33d8a..af74fa5a362 100644 --- a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "CronJob Deadline Not Configured", - "severity": "LOW", - "line": 6 - } -] + { + "queryName": "CronJob Deadline Not Configured", + "severity": "LOW", + "line": 6, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec", + "searchValue": "", + "expectedValue": "spec.startingDeadlineSeconds should be defined", + "actualValue": "spec.startingDeadlineSeconds is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json index be1e86defc1..2f631c8ef32 100644 --- a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json +++ b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Dashboard Is Enabled", - "severity": "LOW", - "line": 22 - }, - { - "queryName": "Dashboard Is Enabled", - "severity": "LOW", - "line": 67 - } -] + { + "queryName": "Dashboard Is Enabled", + "severity": "LOW", + "line": 67, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "myapp-pod", + "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed", + "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed" + }, + { + "queryName": "Dashboard Is Enabled", + "severity": "LOW", + "line": 22, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "kubernetes-dashboard-1", + "searchKey": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has not kubernetes-dashboard deployed", + "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 54d5837dd84..d3cc37058ed 100644 --- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Deployment Has No PodAntiAffinity", - "severity": "LOW", - "line": 19 - }, - { - "queryName": "Deployment Has No PodAntiAffinity", - "severity": "LOW", - "line": 39 - } -] + { + "queryName": "Deployment Has No PodAntiAffinity", + "severity": "LOW", + "line": 39, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "no-affinity", + "searchKey": "metadata.name={{no-affinity}}.spec.template.spec", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity' should be set", + "actualValue": "'spec.template.spec.affinity' is undefined" + }, + { + "queryName": "Deployment Has No PodAntiAffinity", + "severity": "LOW", + "line": 19, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "label-mismatch", + "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json index 2576b9bc43d..e9a9dad1a77 100644 --- a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Deployment Without PodDisruptionBudget", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.selector.matchLabels", + "searchValue": "", + "expectedValue": "metadata.name=nginx-deployment is targeted by a PodDisruptionBudget", + "actualValue": "metadata.name=nginx-deployment is not targeted by a PodDisruptionBudget" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 4389559e412..ae9ec79f6ac 100644 --- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "test-pd", + "searchKey": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 43 + "line": 67, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 67 + "line": 43, + "filename": "positive.yaml", + "resourceType": "ReplicationController", + "resourceName": "node-manager", + "searchKey": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" } ] \ No newline at end of file diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json index 32144a1d9ff..d782f1221d5 100644 --- a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Encryption Provider Config Is Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Encryption Provider Config Is Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--encryption-provider-config flag should be defined", + "actualValue": "--encryption-provider-config flag is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json index 8f74ab86fd4..18ef79f6754 100644 --- a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Encryption Provider Not Properly Configured", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Encryption Provider Not Properly Configured", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "EncryptionConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{EncryptionConfiguration}}.providers", + "searchValue": "", + "expectedValue": "aescbc, kms or secretbox provider should be defined", + "actualValue": "aescbc, kms or secretbox provider is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json index 90ca7d5c875..e7b6e1ae496 100644 --- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json +++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Ensure Administrative Boundaries Between Resources", - "severity": "INFO", - "line": 5, - "fileName": "positive.yaml" - } -] + { + "queryName": "Ensure Administrative Boundaries Between Resources", + "severity": "INFO", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.namespace={{cosmic-namespace}}", + "searchValue": "", + "expectedValue": "ensure that these namespaces are the ones you need and are adequately administered as per your requirements.", + "actualValue": "namespaces in use: cosmic-namespace" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 6d3c14dce1b..ccd0456bfe6 100644 --- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be set to true", + "actualValue": "--client-cert-auth flag is set to false" + }, + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be defined and set to true", + "actualValue": "--client-cert-auth flag is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json index 7a9969fbe96..c826b9afd41 100644 --- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Etcd Client Certificate File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Etcd Client Certificate File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--etcd-cafile flag should be defined", + "actualValue": "--etcd-cafile flag is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 968c9fab2a9..ea8f68fecb0 100644 --- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", + "actualValue": "--peer-client-cert-auth flag is not defined" + }, + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be set to true", + "actualValue": "--peer-client-cert-auth flag is set to false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 6c81f41de7e..95560df89b5 100644 --- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-key-file", + "expectedValue": "--peer-key-file flag should be defined", + "actualValue": "--peer-key-file flag is not defined" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 2894ecb6935..0e9ff661895 100644 --- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", - "line": 46, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--cert-file", + "expectedValue": "--cert-file flag should be defined", + "actualValue": "--cert-file flag is not defined" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 46, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json index ec4e7429b21..728585e5f21 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 25, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", - "line": 25, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-certfile", + "expectedValue": "--etcd-certfile flag should be defined", + "actualValue": "--etcd-certfile flag is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json index a668b988671..edbae2576b9 100644 --- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Event Rate Limit Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Event Rate Limit Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'EventRateLimit' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'EventRateLimit' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json index d1981d9c340..7951adcb160 100644 --- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "HPA Targeted Deployments With Configured Replica Count", "severity": "INFO", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "php-apache-1", + "searchKey": "metadata.name={{php-apache-1}}.spec.replicas", + "searchValue": "", + "expectedValue": "metadata.name={{php-apache-1}}.spec.replicas should be undefined", + "actualValue": "metadata.name={{php-apache-1}}.spec.replicas is defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json index 0ca04478879..09d491084be 100644 --- a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "HPA Targets Invalid Object", - "severity": "LOW", - "line": 12 - } -] + { + "queryName": "HPA Targets Invalid Object", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "HorizontalPodAutoscaler", + "resourceName": "php-apache", + "searchKey": "spec.metrics", + "searchValue": "", + "expectedValue": "spec.metrics[0] is a valid object ", + "actualValue": "spec.metrics[0] is an invalid object " + } +] \ No newline at end of file diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json index a4059658917..c749059091b 100644 --- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Image Policy Webhook Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Image Policy Webhook Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'ImagePolicyWebhook' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'ImagePolicyWebhook' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index 5cbf7249971..1373fdcbed9 100644 --- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 9, - "fileName": "positive1.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 18, - "fileName": "positive2.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 16, - "fileName": "positive3.yaml" - } -] + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-always", + "searchKey": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache" + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy", + "searchKey": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache" + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy1", + "searchKey": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json index e4028708fbc..c6a8ca7e04c 100644 --- a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-1", + "searchKey": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image should specify the image with a digest", + "actualValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image does not include an image digest" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 8a5e62a2f23..7c637184ebf 100644 --- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 27 - }, - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 72 - } -] + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 27, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.volumeClaimTemplates has only one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web.spec.volumeClaimTemplates has multiple templates with 'ReadWriteOnce'" + }, + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 72, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name=web2.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web2.spec.volumeClaimTemplates has one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web2.spec.volumeClaimTemplates does not have a template with a 'ReadWriteOnce'" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json index cd39ebbc112..05f6afb09e5 100644 --- a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 31 - } -] + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 31, + "filename": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "app-ingress", + "searchKey": "metadata.name={{app-ingress}}.spec.rules.http.paths.backend", + "searchValue": "", + "expectedValue": "metadata.name=app-ingress should not be exposing the workload", + "actualValue": "metadata.name=app-ingress is exposing the workload" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json index 5ad480dadd1..b820259012c 100644 --- a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-bind-address flag should not be set", + "actualValue": "--insecure-bind-address flag is set" }, { "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-bind-address flag should not be set", + "actualValue": "--insecure-bind-address flag is set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json index 0220b09dd9d..ae9231adcad 100644 --- a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-port flag should be defined and set to 0", + "actualValue": "--insecure-port flag is not defined" }, { "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-port flag should be set to 0", + "actualValue": "--insecure-port flag is not properly set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/invalid_image/test/positive_expected_result.json b/assets/queries/k8s/invalid_image/test/positive_expected_result.json index e0493f320e4..1f782ebafa8 100644 --- a/assets/queries/k8s/invalid_image/test/positive_expected_result.json +++ b/assets/queries/k8s/invalid_image/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 8 + "line": 19, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-33", + "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" }, { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 19 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-3", + "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json index fbd6365dacf..602bde7ded3 100644 --- a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Kubelet Certificate Authority Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--kubelet-certificate-authority flag should be set", + "actualValue": "--kubelet-certificate-authority flag is not set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json index 56e7122183a..019d83c3a98 100644 --- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-key", + "expectedValue": "--kubelet-client-key flag should be set", + "actualValue": "--kubelet-client-key flag is not set" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", - "line": 25, - "filename": "positive2.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-key", + "expectedValue": "--kubelet-client-key flag should be set", + "actualValue": "--kubelet-client-key flag is not set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json index 186ed212f02..77080f999e5 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive3.json" - } -] + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is not set (default is false)" + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is not set (default is false)" + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--rotate-certificates flag should be true", + "actualValue": "--rotate-certificates flag is false" + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json index cbbfd67cb87..1c67ad18c85 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 2, - "fileName": "positive4.yaml" - } -] + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--event-qps flag should be set to 0", + "actualValue": "--event-qps flag is not set to 0" + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--event-qps flag should be set to 0", + "actualValue": "--event-qps flag is not set to 0" + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 2, + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "eventRecordQPS flag should set to 0", + "actualValue": "eventRecordQPS flag is not defined" + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS", + "searchValue": "", + "expectedValue": "eventRecordQPS flag should set to 0", + "actualValue": "eventRecordQPS flag is not set to 0" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json index 130b1b46734..a3f82622c48 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Kubelet Hostname Override Is Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Hostname Override Is Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Kubelet Hostname Override Is Set", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--hostname-override= flag should not be defined", + "actualValue": "--hostname-override= flag is defined" + }, + { + "queryName": "Kubelet Hostname Override Is Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--hostname-override= flag should not be defined", + "actualValue": "--hostname-override= flag is defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json index d63831fc18f..73a603f094c 100644 --- a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Kubelet HTTPS Set To False", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--kubelet-https flag should be set to true or not be defined", + "actualValue": "--kubelet-https flag is set to false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json index 2774b893079..4596f06c0ad 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.json" - } - ] + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", + "searchValue": "", + "expectedValue": "makeIPTablesUtilChains should be true", + "actualValue": "makeIPTablesUtilChains is false" + }, + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--make-iptables-util-chains flag should be true", + "actualValue": "--make-iptables-util-chains= flag is false" + }, + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", + "searchValue": "", + "expectedValue": "makeIPTablesUtilChains should be true", + "actualValue": "makeIPTablesUtilChains is false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json index ada1cee8bcc..6f9f8dc4b9e 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 2, - "fileName": "positive4.yaml" - } -] + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 2, + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is not defined" + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is set to false" + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--protect-kernel-defaults flag should not be set to false", + "actualValue": "--protect-kernel-defaults flag is set to false" + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--protect-kernel-defaults flag should not be set to false", + "actualValue": "--protect-kernel-defaults flag is set to false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json index 8216d07cc52..266d0dc0727 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" + "line": 5, + "filename": "positive4.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" + "line": 8, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--read-only-port flag should be '0'", + "actualValue": "--read-only-port flag is not set to '0'" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.json" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--read-only-port flag should be '0'", + "actualValue": "--read-only-port flag is not set to '0'" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json index b566c96215a..2ec96dc2d06 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--streaming-connection-idle-timeout flag not should be 0", + "actualValue": "--streaming-connection-idle-timeout flag is 0" }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", + "searchValue": "", + "expectedValue": "streamingConnectionIdleTimeout not should be 0s", + "actualValue": "streamingConnectionIdleTimeout is 0s" }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", + "searchValue": "", + "expectedValue": "streamingConnectionIdleTimeout not should be 0s", + "actualValue": "streamingConnectionIdleTimeout is 0s" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json index 81ec960d567..7157a7620d0 100644 --- a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Liveness Probe Is Not Defined", "severity": "INFO", "line": 9, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "liveness-exec", + "searchKey": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe should be defined", + "actualValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json index d58246a8c5f..04ab49900ed 100644 --- a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" + "line": 57, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-4", + "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 38, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-3", + "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 57, - "fileName": "positive1.yaml" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "", + "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json index 5b0984b8d86..13b0a94b5f2 100644 --- a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment2", + "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo", + "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 59, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-3", + "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 20, - "fileName": "positive2.yaml" + "line": 27, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json index 4602eb0db3e..3d6d292ef8f 100644 --- a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json +++ b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Metadata Label Is Invalid", "severity": "LOW", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "goproxy", + "searchKey": "metadata.name={{goproxy}}.labels.app", + "searchValue": "Pod", + "expectedValue": "'metadata.labels.{{app}}' has valid label g**dy.l+bel.", + "actualValue": "'metadata.labels.{{app}}' has invalid label g**dy.l+bel." } ] \ No newline at end of file diff --git a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json index 9750d762fc9..14ec5ce0118 100644 --- a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json @@ -1,22 +1,50 @@ [ - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 36 - } -] + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 36, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "ubuntu-test1", + "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata", + "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container", + "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}", + "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello1", + "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] does not specify a valid AppArmor profile" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}", + "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello2", + "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] does not specify a valid AppArmor profile" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}.annotations", + "searchValue": "Podcontainers2", + "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations should specify an AppArmor profile for container {{hello3}}", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json index 4b83ee1a4fc..e836f7f1b5e 100644 --- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin", + "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin" + }, + { + "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin", + "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json index 92cae458def..48bb34ebea7 100644 --- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json +++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "NET_RAW Capabilities Disabled for PSP", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.requiredDropCapabilities", + "searchValue": "", + "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'", + "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'" }, { "queryName": "NET_RAW Capabilities Disabled for PSP", "severity": "MEDIUM", - "line": 57 + "line": 57, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted2", + "searchKey": "metadata.name={{restricted2}}.spec.requiredDropCapabilities", + "searchValue": "", + "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'", + "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index b850bf2243a..f6d08915458 100644 --- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "redis-unhealthy-deployment", + "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop includes ALL or NET_RAW", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop does not include ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 23, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index bb09f21ab6f..fdc6749c295 100644 --- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Network Policy Is Not Targeting Any Pod", "severity": "LOW", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "NetworkPolicy", + "resourceName": "test-network-policy", + "searchKey": "metadata.name={{test-network-policy}}.spec.podSelector.matchLabels.app", + "searchValue": "", + "expectedValue": "'spec.podSelector.matchLabels.app' is targeting at least a pod", + "actualValue": "'spec.podSelector.matchLabels.app' is not targeting any pod" } ] \ No newline at end of file diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json index c79222edd9c..aff434d705d 100644 --- a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 21 + "line": 28, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set", + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities should be set", + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 28 + "line": 21, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities", + "searchValue": "Deployment", + "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined", + "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json index 1a40d67c3d1..564d04938cb 100644 --- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Node Restriction Admission Control Plugin Not Set", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'NodeRestriction' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'NodeRestriction' plugin" } ] \ No newline at end of file diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index 860b273c2d4..e2f32500c79 100644 --- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -2,46 +2,109 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 40 + "line": 153, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 43 + "line": 185, + "filename": "positive.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 59 + "line": 43, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/lib/docker/containers' mounted", + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/lib/docker/containers' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 76 + "line": 168, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 106 + "line": 136, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 136 + "line": 76, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' has a hostPath '/var/redis/data' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 153 + "line": 59, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis", + "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 168 + "line": 106, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 185 + "line": 40, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted", + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted" } ] \ No newline at end of file diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json index 9bddecf306a..0225bd045ae 100644 --- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json +++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Not Limited Capabilities For Pod Security Policy", "severity": "INFO", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities should be defined", + "actualValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json index 6b7e077664a..44d93e87928 100644 --- a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json +++ b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Not Unique Certificate Authority", - "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml" - } -] + { + "queryName": "Not Unique Certificate Authority", + "severity": "MEDIUM", + "line": 22, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "database", + "searchKey": "metadata.name={{database}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File", + "actualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json index aeea421e766..53ff0ea0a89 100644 --- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json +++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json @@ -1,27 +1,62 @@ [ - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 1 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 58 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 76 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 94 - } -] + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 1, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "apiVersion={{apps/v1beta1}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment should be {{apps/v1}}", + "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 58, + "filename": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "minimal-ingress", + "searchKey": "apiVersion={{extensions/v1beta1}}", + "searchValue": "Ingress", + "expectedValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", + "actualValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress is deprecated and is {{extensions/v1beta1}}" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 76, + "filename": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "minimal-ingress1", + "searchKey": "apiVersion={{networking.k8s.io/v1beta1}}", + "searchValue": "Ingress", + "expectedValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", + "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 23, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "apiVersion={{apps/v1beta2}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}", + "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 94, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "apiVersion={{batch/v1beta1}}", + "searchValue": "CronJob", + "expectedValue": "metadata.name={{hello}}.apiVersion of CronJob should be {{batch/v1}}", + "actualValue": "metadata.name={{hello}}.apiVersion of CronJob is deprecated and is {{batch/v1beta1}}" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json index a13287dd345..a09bf60c8e7 100644 --- a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Peer Auto TLS Set To True", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-auto-tls flag should be set to false or not be defined", + "actualValue": "--peer-auto-tls flag is set to true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json index df38f6a5872..8bd523cc41d 100644 --- a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json @@ -1,43 +1,86 @@ -[{ - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 48, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 60, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.yaml" - } -] +[ + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 39, + "filename": "positive1.yaml", + "resourceType": "Role", + "resourceName": "secret-reader4", + "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*", + "searchValue": "Role/*", + "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader", + "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains the value 'pods'" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Role", + "resourceName": "secret-reader2", + "searchKey": "metadata.name={{secret-reader2}}.rules.verbs.create", + "searchValue": "Role/create", + "expectedValue": "metadata.name=secret-reader2.rules.verbs should not contain the value 'create' when metadata.name=secret-reader2.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader2.rules.verbs contains the value 'create' and metadata.name=secret-reader2.rules.resources contains a wildcard value" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 30, + "filename": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader3", + "searchKey": "metadata.name={{secret-reader3}}.rules.verbs.*", + "searchValue": "ClusterRole/*", + "expectedValue": "metadata.name=secret-reader3.rules.verbs should not contain a wildcard value when metadata.name=secret-reader3.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 48, + "filename": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader5", + "searchKey": "metadata.name={{secret-reader5}}.rules.verbs.c*e", + "searchValue": "ClusterRole/*", + "expectedValue": "metadata.name=secret-reader5.rules.verbs should not contain a wildcard value when metadata.name=secret-reader5.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader5.rules.verbs contains a wildcard value and metadata.name=secret-reader5.rules.resources contains the value 'pods'" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 60, + "filename": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader6", + "searchKey": "metadata.name={{secret-reader6}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader6.rules.verbs should not contain the value 'create' when metadata.name=secret-reader6.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader6.rules.verbs contains the value 'create' and metadata.name=secret-reader6.rules.resources contains a wildcard value" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 26, + "filename": "positive2.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader", + "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains a wildcard value" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json index 984dc94bf72..536e57bf60c 100644 --- a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Pod Misconfigured Network Policy", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "positive1-pod", + "searchKey": "metadata.name=positive1-pod", + "searchValue": "", + "expectedValue": "Pod positive1-pod should have ingress and egress rules in matching NetworkPolicy", + "actualValue": "Pod positive1-pod has no ingress or egress rules in matching NetworkPolicy" }, { "queryName": "Pod Misconfigured Network Policy", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "positive2-pod", + "searchKey": "metadata.name=positive2-pod", + "searchValue": "", + "expectedValue": "Pod positive2-pod should have ingress and egress rules in matching NetworkPolicy", + "actualValue": "Pod positive2-pod has no ingress or egress rules in matching NetworkPolicy" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json index f5c689151e5..f94cd2ddd63 100644 --- a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 4, - "fileName": "positive2.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive4.yaml" - } -] + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated" + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "filename": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated" + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend1", + "searchKey": "metadata.name={{frontend1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{frontend1}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated" + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json index 37773d522e0..4d17bd2e181 100644 --- a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 4, - "fileName": "positive2.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive4.yaml" - } -] + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "filename": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated" + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated" + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod1}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{pod1}} does not have a 'ResourceQuota' policy associated" + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json index 7767c0122ee..1e3825c75ed 100644 --- a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json @@ -1,13 +1,26 @@ [ - { - "queryName": "Pod or Container Without Security Context", - "severity": "LOW", - "line": 5 - }, - - { - "queryName": "Pod or Container Without Security Context", - "severity": "LOW", - "line": 19 - } -] + { + "queryName": "Pod or Container Without Security Context", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec", + "searchValue": "", + "expectedValue": "metadata.name={{frontend}}.spec has a security context", + "actualValue": "metadata.name={{frontend}}.spec does not have a security context" + }, + { + "queryName": "Pod or Container Without Security Context", + "severity": "LOW", + "line": 19, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator", + "searchValue": "Pod", + "expectedValue": "spec.containers.name=log-aggregator has a security context", + "actualValue": "spec.containers.name=log-aggregator does not have a security context" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json index 74190bca4a7..4512b68fda0 100644 --- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Pod Security Policy Admission Control Plugin Not Set", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Pod Security Policy Admission Control Plugin Not Set", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'PodSecurityPolicy' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'PodSecurityPolicy' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json index 4f333322132..979c3e63085 100644 --- a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 9, - "fileName": "positive2.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 13, - "fileName": "positive2.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 13, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined" + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined" + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 9, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation is undefined" + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true" + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json index 899cc5ca74d..fff96684fd5 100644 --- a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json @@ -1,44 +1,86 @@ [ - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 21, - "fileName": "positive3.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 21, - "fileName": "positive4.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 2, - "fileName": "positive5.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 3, - "fileName": "positive6.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 14, - "fileName": "positive7.yaml" - } -] + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 3, + "filename": "positive6.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeSchedulerConfiguration}}.enableProfiling", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be set to false", + "actualValue": "enableProfiling argument is set to true" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo-1", + "searchKey": "metadata.name={{command-demo-1}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be defined and set to false", + "actualValue": "--profiling flag is not defined" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 2, + "filename": "positive5.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeSchedulerConfiguration}}", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be defined and set to false", + "actualValue": "enableProfiling argument is not defined" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 21, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "kube-controller-manager-master-3", + "searchKey": "metadata.name={{kube-controller-manager-master-3}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 21, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "kube-controller-manager-master-4", + "searchKey": "metadata.name={{kube-controller-manager-master-4}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be defined and set to false", + "actualValue": "--profiling flag is not defined" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 14, + "filename": "positive7.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler-master-2", + "searchKey": "metadata.name={{kube-scheduler-master-2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json index 86ec9f078d3..523aff86e9e 100644 --- a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 9 + "line": 32, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "privileged2", + "searchKey": "metadata.name={{privileged2}}.spec", + "searchValue": "", + "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set", + "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined" }, { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 32 + "line": 9, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "privileged", + "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation", + "searchValue": "", + "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false", + "actualValue": "Attribute 'allowPrivilegeEscalation' is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json index e5f72bb23f2..e3d4910135a 100644 --- a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP Allows Sharing Host IPC", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.hostIPC' is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json index 288f1c94199..a1f811e241a 100644 --- a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "PSP Allows Sharing Host PID", - "severity": "MEDIUM", - "line": 6 - } -] + { + "queryName": "PSP Allows Sharing Host PID", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.hostPID' is true" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json index a99cbc0ca3d..e835a809df2 100644 --- a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "PSP Allows Containers To Share The Host Network Namespace", - "severity": "HIGH", - "line": 14 - } -] + { + "queryName": "PSP Allows Containers To Share The Host Network Namespace", + "severity": "HIGH", + "line": 14, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "privileged", + "searchKey": "metadata.name={{privileged}}.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json index 18055bdda6c..893e3ce5440 100644 --- a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP Set To Privileged", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{example}}.spec.privileged should be set to false", + "actualValue": "metadata.name={{example}}.spec.privileged is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json index c9d9361f647..2d78278f168 100644 --- a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP With Added Capabilities", "severity": "HIGH", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "privileged", + "searchKey": "metadata.name={{privileged}}.spec.allowedCapabilities", + "searchValue": "", + "expectedValue": "PodSecurityPolicy should not have allowed capabilities", + "actualValue": "PodSecurityPolicy has allowed capabilities" } ] \ No newline at end of file diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json index eb361d4aa64..67e5a0aedc8 100644 --- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 9, - "fileName": "positive3.yaml" - } -] + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 9, + "filename": "positive3.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false" + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is undefined or null" + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths' should be defined and not null", + "actualValue": "'spec.allowedHostPaths' is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json index 2d795e4b970..6c7c104a38e 100644 --- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RBAC Roles Allow Privilege Escalation", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "rbac-binder", + "searchKey": "metadata.name={{rbac-binder}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{rbac-binder}}.rules[0].verbs should not include the 'bind' and/or 'escalate' permission", + "actualValue": "metadata.name={{rbac-binder}}.rules[0].verbs includes the 'bind' and/or 'escalate' permission" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json index 3e44d4cb64b..1c472ec7495 100644 --- a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RBAC Roles with Attach Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-attach", + "searchKey": "metadata.name={{allow-attach}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-attach}}.rules[0].resources should not include the 'pods/attach' resource", + "actualValue": "metadata.name={{allow-attach}}.rules[0].resources includes the 'pods/attach' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json index 22147fdfcd5..b638fe92841 100644 --- a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RBAC Roles with Exec Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-exec", + "searchKey": "metadata.name={{allow-exec}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-exec}}.rules[0].resources should not include the 'pods/exec' resource", + "actualValue": "metadata.name={{allow-exec}}.rules[0].resources includes the 'pods/exec' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json index 6e71882dfd1..37ce0180115 100644 --- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RBAC Roles with Impersonate Permission", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "impersonator-role", + "searchKey": "metadata.name={{impersonator-role}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{impersonator-role}}.rules[0].verbs should not include the 'impersonate' verb", + "actualValue": "metadata.name={{impersonator-role}}.rules[0].verbs includes the 'impersonate' verb" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json index d5deff99de9..943434315df 100644 --- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "RBAC Roles with Port-Forwarding Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-port-forward", + "searchKey": "metadata.name={{allow-port-forward}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-port-forward}}.rules[0].resources should not include the 'pods/portforward' resource", + "actualValue": "metadata.name={{allow-port-forward}}.rules[0].resources includes the 'pods/portforward' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 12920608c50..f1e67d617aa 100644 --- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 9 - }, - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 18 - } -] + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "cluster-role-secret-reader", + "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", + "searchValue": "ClusterRole0", + "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" + }, + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "role-secret-reader", + "searchKey": "metadata.name={{role-secret-reader}}.rules", + "searchValue": "Role0", + "expectedValue": "metadata.name={{role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json index a03c04a68d9..dae4d846322 100644 --- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 7 + "line": 18, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 9 + "line": 19, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].resources uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 18 + "line": 20, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 19 + "line": 29, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 20 + "line": 31, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 29 + "line": 7, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 31 + "line": 9, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json index b11c39bb6f5..04c1ddfef68 100644 --- a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Readiness Probe Is Not Configured", - "severity": "MEDIUM", - "line": 9 - } -] + { + "queryName": "Readiness Probe Is Not Configured", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "goproxy", + "searchKey": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe should be defined", + "actualValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json index 54584b5ee4b..3e840b3abfe 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.yaml" - } -] + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive6.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive5.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json index d9effcde718..238d7302b72 100644 --- a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "RoleBinding", + "resourceName": "read-pods", + "searchKey": "subjects.name=default", + "searchValue": "", + "expectedValue": "subjects.kind=ServiceAccount.name should not be default", + "actualValue": "subjects.kind=ServiceAccount.name is default" } ] \ No newline at end of file diff --git a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json index bea7e048f65..3779ea672ba 100644 --- a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Root CA File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Root CA File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--root-ca-file flag should be defined", + "actualValue": "--root-ca-file flag is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 8de5a2bce6b..9571544079c 100644 --- a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 24 - } -] + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "rootfalse", + "searchKey": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem", + "searchValue": "Pod", + "expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is true", + "actualValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is false" + }, + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 24, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "noroot", + "searchKey": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem should be set to true", + "actualValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json index 208bc44813c..4799ff37cae 100644 --- a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 12 + "line": 32, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.fsGroup", + "searchValue": "", + "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", + "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 13 + "line": 12, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.runAsUser.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.runAsUser.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "metadata.name={{restricted}}.spec.runAsUser.rule is not equal to 'MustRunAsNonRoot'" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.supplementalGroups.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.supplementalGroups limits its ranges", + "actualValue": "metadata.name={{restricted}}.spec.supplementalGroups does not limit its ranges" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 32 + "line": 13, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json index a1169399df7..972f5fca35a 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json @@ -1,25 +1,50 @@ [ - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" - },{ - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" - } -] + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json index b5d3b90f179..ec093d8541e 100644 --- a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 35, - "fileName": "positive4.yaml" - } -] + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 26, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-3", + "searchKey": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "CronJob", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-1", + "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-2", + "searchKey": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 35, + "filename": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 33, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json index 4f2095e9428..82b11dfc571 100644 --- a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 17 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 31 - } -] + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 17, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined" + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined" + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 31, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "envfrom-secret", + "searchKey": "metadata.name={{envfrom-secret}}.spec.containers.name={{envars-test-container}}.envFrom", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' should be undefined", + "actualValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' is defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json index 32788b10f00..98a3e1a7d5d 100644 --- a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Secure Port Set To Zero", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Secure Port Set To Zero", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--secure-port flag should not be set to 0", + "actualValue": "--secure-port flag is set to 0" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json index 8e2925f5acc..e4e8916f328 100644 --- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Security Context Deny Admission Control Plugin Not Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Security Context Deny Admission Control Plugin Not Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'SecurityContextDeny' plugin if 'PodSecurityPolicy' plugin should not be set", + "actualValue": "--enable-admission-plugins flag does not contain 'SecurityContextDeny' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json index 91bac546e59..2baeeabcaa3 100644 --- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin" + }, + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json index 67513d0289c..b622816697f 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 10 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 34 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 58 - } -] + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "testClusterRoleVulnerable", + "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", + "searchValue": "ClusterRole", + "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", + "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]" + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable", + "searchKey": "metadata.name={{testRoleVulnerable}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs contain the following verbs: [[\"get\", \"watch\", \"list\"]]" + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 34, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable2", + "searchKey": "metadata.name={{testRoleVulnerable2}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs should not contain the following verbs: [[\"*\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json index f7d31744351..c2028b2d191 100644 --- a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Service Account Key File Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Service Account Key File Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-key-file flag should be defined and have a PEM encoded file", + "actualValue": "--service-account-key-file flag is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json index 88c2e8ff6dd..cd5e4358f69 100644 --- a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Service Account Lookup Set To False", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Service Account Lookup Set To False", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-lookup flag should be set to true", + "actualValue": "--service-account-lookup flag is set to false" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json index 31b58aadfee..bacfe6cd36f 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 28 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 58 - } -] + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx3", + "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", + "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx.container", + "searchKey": "metadata.name={{nginx.container}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx.container.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx.container.spec.serviceAccountName is undefined" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 28, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx2.container.group", + "searchKey": "metadata.name={{nginx2.container.group}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx2.container.group.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json index 83a1aba8213..e29c93811f6 100644 --- a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Service Account Private Key File Not Defined", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-private-key-file flag should be defined", + "actualValue": "--service-account-private-key-file flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json index e9846ad638f..de749c6949b 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.yaml" + "line": 54, + "filename": "positive1.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", + "searchValue": "Configuration", + "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken should be defined and set to false", + "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 54, - "fileName": "positive1.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "ServiceAccount", + "resourceName": "redistest-sa", + "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", + "searchValue": "", + "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.yaml" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security.context.demo", + "searchKey": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json index f4133656161..9c643c35c15 100644 --- a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Service Does Not Target Pod", "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "Service", + "resourceName": "helloworld3", + "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", + "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port" }, { "queryName": "Service Does Not Target Pod", "severity": "LOW", - "line": 12, - "fileName": "positive2.yaml" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "helloworld2", + "searchKey": "metadata.name={{helloworld2}}.spec.selector", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld2}}.spec.selector label refers to a Pod label", + "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json index 83be0fdacda..68d6aace0cb 100644 --- a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Service Type is NodePort", - "severity": "LOW", - "line": 6 - } -] + { + "queryName": "Service Type is NodePort", + "severity": "LOW", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "my-service", + "searchKey": "metadata.name={{my-service}}.spec.type", + "searchValue": "", + "expectedValue": "spec.type should not be 'NodePort'", + "actualValue": "spec.type is 'NodePort'" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json index 952a4769b95..66ec8b503b8 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json @@ -1,27 +1,62 @@ [ - { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 4 - }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 18 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 48, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 08", + "searchKey": "metadata.name={{sample-service 08}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 33 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 4, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05", + "searchKey": "metadata.name={{sample-service 05}}", + "searchValue": "", + "expectedValue": "'metadata.annotations' should be set", + "actualValue": "'metadata.annotations' is undefined" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 48 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 07", + "searchKey": "metadata.name={{sample-service 07}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 07}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 07}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 63 - } -] + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05334443", + "searchKey": "metadata.name={{sample-service 05334443}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + }, + { + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 63, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 09", + "searchKey": "metadata.name={{sample-service 09}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 09}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 09}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json index 703d9dce2af..5035c6adad2 100644 --- a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" - }, - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.hostIPC' is true" + }, + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostIPC' is true" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json index e7e02ec1826..dd377474c99 100644 --- a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostNetwork' is true" }, { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json index 82c58726498..a49d0e71858 100644 --- a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Shared Host PID Namespace", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.hostPID' is true" }, { "queryName": "Shared Host PID Namespace", "severity": "HIGH", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostPID' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 0ac068bac66..22b74a4d246 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json @@ -1,12 +1,38 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 16 - } -] + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 16, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads" + }, + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 6, + "filename": "negative.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads" + }, + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json index 7dc6662744b..6453b857040 100644 --- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 53 - } -] + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 23, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-mismatch", + "searchKey": "metadata.name={{zk-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" + }, + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 53, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-noaffinity", + "searchKey": "metadata.name={{zk-noaffinity}}.spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity' should be set", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity' is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json index 4e60ad9727d..b8ccf00eee6 100644 --- a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 33 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 66 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 73 - } -] + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 73, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi" + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 33, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi" + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 66, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index fd1b1bf0c83..c5de8cb9d0a 100644 --- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "StatefulSet Without PodDisruptionBudget", "severity": "LOW", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.selector.matchLabels", + "searchValue": "", + "expectedValue": "metadata.name=web is targeted by a PodDisruptionBudget", + "actualValue": "metadata.name=web is not targeted by a PodDisruptionBudget" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json index 218b390f04b..592e41ae003 100644 --- a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "StatefulSet Without Service Name", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.serviceName", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.serviceName should refer to a Headless Service", + "actualValue": "metadata.name=web.spec.serviceName doesn't refers to a Headless Service" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json index 8d16690b939..c42c54d2fbf 100644 --- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } -] + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value" + }, + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json index aa5e9b5b2e6..36c742638b9 100644 --- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 53 - } -] + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 53, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy-no-args", + "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined" + }, + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 21, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-bad-args", + "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json index cbf0d880650..106dbc2ca73 100644 --- a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json @@ -1,23 +1,50 @@ [ - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 4 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 10 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 15 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 20 - } - -] + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 8, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Deployment", + "expectedValue": "'metadata' of Deployment should not refer to any Tiller resource", + "actualValue": "'metadata' of Deployment refers to a Tiller resource" + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 10, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.containers", + "searchValue": "Deployment", + "expectedValue": "'spec.containers' of Deployment shouldn't have any Tiller containers", + "actualValue": "'spec.containers' of Deployment contains a Tiller container" + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 15, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.template.metadata", + "searchValue": "Deployment", + "expectedValue": "'spec.template.metadata' should not refer to any Tiller resource%!(EXTRA string=Deployment)", + "actualValue": "'spec.template.metadata' refers to a Tiller resource%!(EXTRA string=Deployment)" + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 20, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.template.spec.containers", + "searchValue": "Deployment", + "expectedValue": "'spec.template.spec.containers' of Deployment shouldn't have any Tiller containers", + "actualValue": "'spec.template.spec.containers' of Deployment contains a Tiller container" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json index d1f4f0d303e..8d9361d7005 100644 --- a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 4 - }, - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 7 - }, - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 12 - } -] + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 7, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Service", + "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'", + "actualValue": "metadata.labels.Service of name contains 'tiller'" + }, + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 4, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Service", + "expectedValue": "metadata.name of Service should not contain 'tiller'", + "actualValue": "metadata.name of Service contains 'tiller'" + }, + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 12, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.selector.name", + "searchValue": "Service", + "expectedValue": "spec.selector of Service should not have values that contain 'tiller'", + "actualValue": "spec.selector.Service of name contains 'tiller'" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index 6d46ad24a64..e8cb16c7bd9 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-cert-file", + "expectedValue": "TLS --tls-cert-file connection setting should be set", + "actualValue": "TLS --tls-cert-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-private-key-file", + "expectedValue": "TLS --tls-private-key-file connection setting should be set", + "actualValue": "TLS --tls-private-key-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsCertFile", + "expectedValue": "TLS tlsCertFile connection setting should be set", + "actualValue": "TLS tlsCertFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json index 5c25b795c94..a9cadcefad1 100644 --- a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set" }, { "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json index 5d48942e668..12ee78355ec 100644 --- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be defined and set to true", + "actualValue": "--use-service-account-credentials flag is not defined" }, { "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be set to true", + "actualValue": "--use-service-account-credentials flag is set to false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json index 08c4f42f9fd..740a4d7b325 100644 --- a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "kind={{Pod}}.metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.namespace should be defined and not null", + "actualValue": "metadata.namespace is undefined or null" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-public" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-system" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive4.yaml" + "filename": "positive5.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.namespace", + "searchValue": "Configuration", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive5.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 2882a804407..c5607f08761 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 37, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 36, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 39, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 39, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 10, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 33, - "fileName": "positive2.yaml" + "line": 37, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 36, - "fileName": "positive2.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json index 4cf484c04f2..bbec2de3dd2 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json @@ -1,27 +1,50 @@ [ - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.json" - } - ] - \ No newline at end of file + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 9, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 2, + "filename": "positive4.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "KubeletConfiguration should have 'tlsCipherSuites' attribute with strong ciphers defined", + "actualValue": "TLS cipher suites are not defined" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json index 103391eb164..e7c4b1c0aa9 100644 --- a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "firstpod", + "searchKey": "metadata.name=firstpod.spec.containers.name=container.ports", + "searchValue": "", + "expectedValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort should not be defined", + "actualValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort is defined" }, { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "secondpod", + "searchKey": "metadata.name=secondpod.spec.template.spec.containers.name=container2.ports", + "searchValue": "", + "expectedValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort should not be defined", + "actualValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index 459bc1f3e8a..f12c113a65a 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json @@ -2,66 +2,157 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 66 + "line": 250, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "dood", + "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", + "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 265, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 115 + "line": 193, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", + "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 145 + "line": 115, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/lib/docker/containers' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 175 + "line": 112, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 193 + "line": 299, + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 203 + "line": 229, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "malicious-pod", + "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'malicious-pod' of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 229 + "line": 203, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "web-server-pod", + "searchKey": "metadata.name={{web-server-pod}}.spec.volumes.name={{nginx-host-config}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'web-server-pod' of kind 'Pod' should not mount a host sensitive OS directory '/etc/nginx' with hostPath", + "actualValue": "Workload name 'web-server-pod' of kind 'Pod' is mounting a host sensitive OS directory '/etc/nginx' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 250 + "line": 280, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 265 + "line": 175, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 280 + "line": 66, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 70 + "line": 70, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 299 + "line": 145, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath" } ] \ No newline at end of file diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json index 7186c53d487..537d41a52ed 100644 --- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json +++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 42, - "fileName": "positive1.yaml" - } -] + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined in 'template.spec'", + "actualValue": "Service 'timeoutSeconds' is not defined in 'template.spec'" + }, + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 42, + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.timeoutSeconds", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined to a value higher than '0'", + "actualValue": "Service 'timeoutSeconds' is set to '0'" + } +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json index 02fa6c3cbbb..3f986925495 100644 --- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'" }, { "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 5, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json index a725ff6735c..efe20f5f603 100644 --- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 19, - "filename": "positive1.json" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml" + "line": 19, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json index 9d10b7eb914..2249fb1e8b8 100644 --- a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 12, - "filename": "positive1.json" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index 0155d666dc8..9e373bb5639 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json @@ -3,48 +3,48 @@ "queryName": "Constraining Enum Property", "severity": "INFO", "line": 38, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum" }, { "queryName": "Constraining Enum Property", "severity": "INFO", "line": 49, - "filename": "positive1.json" - }, - { - "queryName": "Constraining Enum Property", - "severity": "INFO", - "line": 24, - "filename": "positive1.json" - }, - { - "queryName": "Constraining Enum Property", - "severity": "INFO", - "line": 24, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength" }, { "queryName": "Constraining Enum Property", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum" }, { "queryName": "Constraining Enum Property", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" - }, - { - "queryName": "Constraining Enum Property", - "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" - }, - { - "queryName": "Constraining Enum Property", - "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json index 691824aa1f4..be5216329a1 100644 --- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter" }, { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json index 32928065dce..4d5eeafd560 100644 --- a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 8, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" }, { "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json index 112159fbaea..397f99d0da0 100644 --- a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.json" + "line": 22, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication" }, { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive2.yaml" + "line": 33, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json index dd1b9779a6d..f42abb8a572 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Host With Invalid Pattern", "severity": "INFO", - "line": 7, - "filename": "positive1.json" + "line": 6, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name" }, { "queryName": "Host With Invalid Pattern", "severity": "INFO", - "line": 6, - "filename": "positive2.yaml" + "line": 7, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json index 04cc86c6670..b5449a33cca 100644 --- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 27, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow" }, { "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json index 45a2f1271e1..979ab43ff37 100644 --- a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 11, - "filename": "positive1.json" + "line": 16, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 16, - "filename": "positive1.json" + "line": 11, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 14, - "filename": "positive2.yaml" + "line": 18, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json index 083b754fcf3..fef75b1dd8e 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml" + "line": 30, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", - "line": 30, - "filename": "positive2.json" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json index b1c9a0d9c05..1270421e349 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 19, - "filename": "positive1.yaml" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 23, - "filename": "positive1.yaml" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 27, - "filename": "positive2.json" + "line": 32, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 32, - "filename": "positive2.json" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 57036f1a305..c5d3cbc2fac 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses" }, { "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 2220c2b21ec..95cfcd206ad 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions" }, { "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json index f6cba6674ce..ddc0accae5c 100644 --- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 10, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter" }, { "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json index 12cb526c305..596abbccea6 100644 --- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 13, - "filename": "positive1.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 37, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 13, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json index a49d349e700..bdeb4b3ba18 100644 --- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 16, - "filename": "positive1.json" + "line": 37, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml" + "line": 16, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json index ead08115961..78f4b18c972 100644 --- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'" }, { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml" + "line": 33, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json index 8be9ac9534d..434e71fb2e2 100644 --- a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 20, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 3, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 2, - "filename": "positive2.yaml" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml" + "line": 2, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json index 9acfc9fea22..afc715b318a 100644 --- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 34, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces" }, { "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json index 9273c0f82cd..b9139a82367 100644 --- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", - "line": 17, - "filename": "positive1.json" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", + "actualValue": "operation object parameters use both 'body' and 'formatData' locations" }, { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml" + "line": 17, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", + "actualValue": "operation object parameters use both 'body' and 'formatData' locations" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json index 8fad06ba31e..203832ebe1d 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Operation Object Without 'consumes'", "severity": "MEDIUM", "line": 9, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.put", + "searchValue": "", + "expectedValue": "paths.{{/}}.put 'consumes' should be defined", + "actualValue": "paths.{{/}}.put 'consumes' is missing" }, { "queryName": "Operation Object Without 'consumes'", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.put", + "searchValue": "", + "expectedValue": "paths.{{/}}.put 'consumes' should be defined", + "actualValue": "paths.{{/}}.put 'consumes' is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json index 8ba5c879c13..7e9bc65dcc4 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 9, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing" }, { "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json index 75ea2ac2f3d..da4e9b5bf97 100644 --- a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Operation Summary Too Long", "severity": "INFO", - "line": 11, - "filename": "positive1.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters" }, { "queryName": "Operation Summary Too Long", "severity": "INFO", - "line": 9, - "filename": "positive2.yaml" + "line": 11, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json index ed4f148d15e..ae4d5f7aa3a 100644 --- a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 22, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication" }, { "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 16, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json index ac32c231303..7c231dfb0a0 100644 --- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.json" + "line": 16, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using implicit flow", + "actualValue": "Operation Object is using implicit flow" }, { "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.yaml" + "line": 22, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using implicit flow", + "actualValue": "Operation Object is using implicit flow" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json index e2eda6d01d7..1353de23826 100644 --- a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Operation Using Password Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.json" + "line": 16, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication" }, { "queryName": "Operation Using Password Flow", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.yaml" + "line": 22, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json index 28de0b8b081..a5ccc7e518a 100644 --- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml" + "line": 31, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 31, - "filename": "positive1.json" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json index 63170f665d1..b0d2c0eec64 100644 --- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Path Scheme Accepts HTTP (v2)", "severity": "MEDIUM", "line": 13, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" }, { "queryName": "Path Scheme Accepts HTTP (v2)", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json index 4adbe93ae00..a3f903ea443 100644 --- a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 54, - "filename": "positive1.json" + "line": 57, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 57, - "filename": "positive1.json" + "line": 30, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", "line": 60, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 38, - "filename": "positive2.yaml" + "line": 33, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 40, - "filename": "positive2.yaml" + "line": 27, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 42, - "filename": "positive2.yaml" + "line": 40, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 27, - "filename": "positive1.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 38, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 33, - "filename": "positive1.json" + "line": 54, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 22, - "filename": "positive2.yaml" + "line": 24, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 24, - "filename": "positive2.yaml" + "line": 42, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 22, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json index 906693d3928..c85669d2ab2 100644 --- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json @@ -2,37 +2,49 @@ { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 34, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" - }, - { - "queryName": "Schema with 'additionalProperties' set as Boolean", - "severity": "INFO", - "line": 29, - "filename": "positive3.json" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 51, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", - "line": 23, - "filename": "positive4.yaml" - }, - { - "queryName": "Schema with 'additionalProperties' set as Boolean", - "severity": "INFO", - "line": 34, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json index 6a968ab699b..a6673f2ab39 100644 --- a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Schemes Uses HTTP", "severity": "MEDIUM", "line": 13, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" }, { "queryName": "Schemes Uses HTTP", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json index 20b6c9b5305..f13fc256f33 100644 --- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.json" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", + "searchValue": "", + "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", + "actualValue": "security definition allows 'password' flow in OAuth2 authentication" }, { "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", - "line": 19, - "filename": "positive2.yaml" + "line": 27, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", + "searchValue": "", + "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", + "actualValue": "security definition allows 'password' flow in OAuth2 authentication" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json index d995a2572d8..4a65081de8b 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 2, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty" }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", - "line": 1, - "filename": "positive2.yaml" + "line": 2, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty" }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", - "line": 2, - "filename": "positive3.json" + "line": 1, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty" }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 1, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json index ec44a6d6bd7..69908135820 100644 --- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Definitions Using Basic Auth", "severity": "MEDIUM", "line": 25, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", + "searchValue": "", + "expectedValue": "security definition should not be using basic authentication", + "actualValue": "security definition is using basic authentication" }, { "queryName": "Security Definitions Using Basic Auth", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", + "searchValue": "", + "expectedValue": "security definition should not be using basic authentication", + "actualValue": "security definition is using basic authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json index f25b64d1c59..ec82cec42b4 100644 --- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 33, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'" }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 21, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'" }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", - "line": 30, - "filename": "positive3.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'" }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", - "line": 21, - "filename": "positive4.yaml" + "line": 30, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json index 0ebffca7687..b04ee564153 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", - "line": 23, - "filename": "positive1.yaml" + "line": 33, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'" }, { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", - "line": 33, - "filename": "positive2.json" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json index ab06287ffd1..e664260b8ab 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 13, - "filename": "positive1.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'" }, { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 16, - "filename": "positive2.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json index f84782e1bdb..5f44f46ee22 100644 --- a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 12, - "filename": "positive1.json" + "line": 24, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "produces", + "searchValue": "", + "expectedValue": "produces has only known prefixes", + "actualValue": "aplication/json on 'produces' is an unknown prefix" }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", "line": 38, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "produces", + "searchValue": "", + "expectedValue": "produces has only known prefixes", + "actualValue": "aplication/json on 'produces' is an unknown prefix" }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.produces has only known prefixes", + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 24, - "filename": "positive4.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.produces has only known prefixes", + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json index 81b318304d5..d05591e2b5d 100644 --- a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 20, - "filename": "positive1.json" + "line": 6, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.nameee", + "searchValue": "", + "expectedValue": "The field 'nameee' is known in the contact object", + "actualValue": "The field 'nameee' is unknown in the contact object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 40, - "filename": "positive1.json" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "taggs", + "searchValue": "", + "expectedValue": "The field 'taggs' is known in the openapi object", + "actualValue": "The field 'taggs' is unknown in the openapi object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 7, - "filename": "positive2.json" + "line": 20, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.descripption", + "searchValue": "", + "expectedValue": "The field 'descripption' is known in the parameters object", + "actualValue": "The field 'descripption' is unknown in the parameters object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json" + "line": 40, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ErrorModel.propppperties", + "searchValue": "", + "expectedValue": "The field 'propppperties' is known in the definitions object", + "actualValue": "The field 'propppperties' is unknown in the definitions object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 16, - "filename": "positive3.yaml" + "line": 7, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.nameee", + "searchValue": "", + "expectedValue": "The field 'nameee' is known in the contact object", + "actualValue": "The field 'nameee' is unknown in the contact object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 28, - "filename": "positive3.yaml" + "line": 25, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "taggs", + "searchValue": "", + "expectedValue": "The field 'taggs' is known in the openapi object", + "actualValue": "The field 'taggs' is unknown in the openapi object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 6, - "filename": "positive4.yaml" + "line": 16, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.descripption", + "searchValue": "", + "expectedValue": "The field 'descripption' is known in the parameters object", + "actualValue": "The field 'descripption' is unknown in the parameters object" }, { "queryName": "Unknown Property (v2)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ErrorModel.propppperties", + "searchValue": "", + "expectedValue": "The field 'propppperties' is known in the definitions object", + "actualValue": "The field 'propppperties' is unknown in the definitions object" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json index 3b9b810e5e9..e39f0bf945a 100644 --- a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Global Parameter Definition Not Being Used", "severity": "INFO", "line": 26, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "parameter definition 'limitParam' is used", + "actualValue": "parameter definition 'limitParam' is not being used" }, { "queryName": "Global Parameter Definition Not Being Used", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "parameter definition 'limitParam' is used", + "actualValue": "parameter definition 'limitParam' is not being used" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json index 3c30d6ec861..21ee9806f0e 100644 --- a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 38, - "filename": "positive1.json" + "line": 41, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{GeneralError}}", + "searchValue": "", + "expectedValue": "responses definition 'GeneralError' is used", + "actualValue": "responses definition 'GeneralError' is not being used" }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 38, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{IllegalInput}}", + "searchValue": "", + "expectedValue": "responses definition 'IllegalInput' is used", + "actualValue": "responses definition 'IllegalInput' is not being used" }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 41, - "filename": "positive1.json" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{GeneralError}}", + "searchValue": "", + "expectedValue": "responses definition 'GeneralError' is used", + "actualValue": "responses definition 'GeneralError' is not being used" }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{IllegalInput}}", + "searchValue": "", + "expectedValue": "responses definition 'IllegalInput' is used", + "actualValue": "responses definition 'IllegalInput' is not being used" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json index 366d81a471f..e776fcb8070 100644 --- a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Global Schema Definition Not Being Used", "severity": "INFO", "line": 44, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{Tag}}", + "searchValue": "", + "expectedValue": "responses definition 'Tag' is used", + "actualValue": "responses definition 'Tag' is not being used" }, { "queryName": "Global Schema Definition Not Being Used", "severity": "INFO", "line": 29, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{Tag}}", + "searchValue": "", + "expectedValue": "responses definition 'Tag' is used", + "actualValue": "responses definition 'Tag' is not being used" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json index 663fbbc97d9..f12dc1d5c28 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 24, - "filename": "positive1.json" + "line": 23, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 34, - "filename": "positive3.json" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 14, - "filename": "positive5.json" + "line": 12, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 19, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 23, - "filename": "positive4.yaml" + "line": 24, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 12, - "filename": "positive6.yaml" + "line": 34, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json index 9abd489058a..bd0836ab89f 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 41, - "filename": "positive1.json" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false" }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 15, - "filename": "positive3.json" + "line": 41, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false" }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 25, - "filename": "positive2.yaml" + "line": 15, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false" }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 13, - "filename": "positive4.yaml" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json index 0ae9ec9454f..937e9f22ce7 100644 --- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 52, - "filename": "positive1.json" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 57, - "filename": "positive1.json" + "line": 35, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 62, - "filename": "positive1.json" + "line": 39, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 31, - "filename": "positive2.yaml" + "line": 52, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 35, - "filename": "positive2.yaml" + "line": 57, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 39, - "filename": "positive2.yaml" + "line": 62, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json index 684dadd9441..9b9a32ac872 100644 --- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", - "line": 28, - "filename": "positive1.json" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel" }, { "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", - "line": 19, - "filename": "positive2.yaml" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json index 2a8e672168c..334341c235a 100644 --- a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Components Callback Definition Is Unused", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.callbacks.{{inProgress}}", + "searchValue": "", + "expectedValue": "Callback should be used as reference somewhere", + "actualValue": "Callback is not used as reference" }, { "queryName": "Components Callback Definition Is Unused", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.callbacks.{{inProgress}}", + "searchValue": "", + "expectedValue": "Callback should be used as reference somewhere", + "actualValue": "Callback is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json index b56fe3c1bfc..1f7f5ad8602 100644 --- a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Components Example Definition Is Unused", "severity": "INFO", - "line": 42, - "filename": "positive1.json" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.examples.{{objectExample}}", + "searchValue": "", + "expectedValue": "Example should be used as reference somewhere", + "actualValue": "Example is not used as reference" }, { "queryName": "Components Example Definition Is Unused", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml" + "line": 42, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.examples.{{objectExample}}", + "searchValue": "", + "expectedValue": "Example should be used as reference somewhere", + "actualValue": "Example is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json index 00fd9f860f8..e45a59a885c 100644 --- a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Components Header Definition Is Unused", "severity": "INFO", - "line": 45, - "filename": "positive1.json" + "line": 29, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.headers.{{xPages}}", + "searchValue": "", + "expectedValue": "Header should be used as reference somewhere", + "actualValue": "Header is not used as reference" }, { "queryName": "Components Header Definition Is Unused", "severity": "INFO", - "line": 29, - "filename": "positive2.yaml" + "line": 45, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.headers.{{xPages}}", + "searchValue": "", + "expectedValue": "Header should be used as reference somewhere", + "actualValue": "Header is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json index cf760d785ed..7a03f0c5600 100644 --- a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Components Link Definition Is Unused", "severity": "INFO", "line": 45, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{APIRepository}}", + "searchValue": "", + "expectedValue": "Link should be used as reference somewhere", + "actualValue": "Link is not used as reference" }, { "queryName": "Components Link Definition Is Unused", "severity": "INFO", "line": 29, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{APIRepository}}", + "searchValue": "", + "expectedValue": "Link should be used as reference somewhere", + "actualValue": "Link is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json index f770b39933b..adacf8a258a 100644 --- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", - "line": 45, - "filename": "positive1.json" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.{{schemas}}.{{General Error}}", + "searchValue": "", + "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named" }, { "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml" + "line": 45, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.{{schemas}}.{{General Error}}", + "searchValue": "", + "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json index 6265e35f39b..90502499702 100644 --- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", - "line": 22, - "filename": "positive1.json" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter should be used as reference somewhere", + "actualValue": "Parameter is not used as reference" }, { "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", - "line": 15, - "filename": "positive2.yaml" + "line": 22, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter should be used as reference somewhere", + "actualValue": "Parameter is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json index 05391f42f5c..fd232baf626 100644 --- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", - "line": 35, - "filename": "positive1.json" + "line": 23, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{MyObjectBody}}", + "searchValue": "", + "expectedValue": "Request body should be used as reference somewhere", + "actualValue": "Request body is not used as reference" }, { "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", - "line": 23, - "filename": "positive2.yaml" + "line": 35, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{MyObjectBody}}", + "searchValue": "", + "expectedValue": "Request body should be used as reference somewhere", + "actualValue": "Request body is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json index 4216cdede49..3e75884d972 100644 --- a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Components Response Definition Is Unused", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{NotFound}}", + "searchValue": "", + "expectedValue": "Response should be used as reference somewhere", + "actualValue": "Response is not used as reference" }, { "queryName": "Components Response Definition Is Unused", "severity": "INFO", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{NotFound}}", + "searchValue": "", + "expectedValue": "Response should be used as reference somewhere", + "actualValue": "Response is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json index e1644ffcb35..b1791c21965 100644 --- a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Components Schema Definition Is Unused", "severity": "INFO", "line": 33, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{MyObject2}}", + "searchValue": "", + "expectedValue": "Schema should be used as reference somewhere", + "actualValue": "Schema is not used as reference" }, { "queryName": "Components Schema Definition Is Unused", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{MyObject2}}", + "searchValue": "", + "expectedValue": "Schema should be used as reference somewhere", + "actualValue": "Schema is not used as reference" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json index d9ab1c4dd10..cf2f6214f5c 100644 --- a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Empty Array", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "The array should not be empty", + "actualValue": "The array is empty" }, { "queryName": "Empty Array", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "The array should not be empty", + "actualValue": "The array is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json index 1b3cc6f9b5c..249ba59eb74 100644 --- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", - "line": 36, - "filename": "positive2.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 42, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 36, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json index e0b95e7d014..77891e167fc 100644 --- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", "line": 36, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", - "line": 42, - "filename": "positive3.yaml" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 42, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json index 4d40c6ecaee..850438733dc 100644 --- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Global Security Scheme Using Basic Authentication", "severity": "MEDIUM", - "line": 51, - "filename": "positive1.json" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication", + "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication" }, { "queryName": "Global Security Scheme Using Basic Authentication", "severity": "MEDIUM", - "line": 30, - "filename": "positive2.yaml" + "line": 51, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication", + "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json index f828b3df526..fb9a422dd47 100644 --- a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Global Server Object Uses HTTP", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.json" + "line": 1, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Global servers array should be defined", + "actualValue": "Global servers array is not defined" }, { "queryName": "Global Server Object Uses HTTP", "severity": "MEDIUM", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "servers.url.http://staging.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "Global servers' URL should use HTTPS protocol", + "actualValue": "Global servers' URL are not using HTTPS protocol" }, { "queryName": "Global Server Object Uses HTTP", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.yaml" + "line": 13, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "servers.url.http://staging.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "Global servers' URL should use HTTPS protocol", + "actualValue": "Global servers' URL are not using HTTPS protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json index 7e572881c5b..c498924370e 100644 --- a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Header Object Without Schema", "severity": "MEDIUM", "line": 72, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" }, { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 42, - "filename": "positive2.json" + "line": 44, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" }, { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 44, - "filename": "positive3.yaml" + "line": 28, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" }, { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 28, - "filename": "positive4.yaml" + "line": 42, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json index 207be6864f4..883827d2500 100644 --- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 16, - "filename": "positive1.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" }, { "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 16, - "filename": "positive2.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" }, { "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 13, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" }, { "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json index 289093176e1..ca1b251aea1 100644 --- a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Invalid Media Type Value (v3)", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is an invalid value" }, { "queryName": "Invalid Media Type Value (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is an invalid value" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json index 68cd92641b1..47c683c0050 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 23, - "filename": "positive1.yaml" + "line": 31, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive3.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.json" + "line": 22, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 14, - "filename": "positive5.json" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", "line": 30, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json index 88b2c12e4fe..0d208c71851 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", "line": 50, - "filename": "positive1.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", - "line": 50, - "filename": "positive2.json" + "line": 32, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive3.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", - "line": 32, - "filename": "positive4.yaml" + "line": 50, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json index c082fa90f9c..cee0174bbc9 100644 --- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 71, - "filename": "positive1.json" + "line": 43, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 28, - "filename": "positive2.json" + "line": 51, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 68, - "filename": "positive3.json" + "line": 21, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 51, - "filename": "positive4.yaml" + "line": 68, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 21, - "filename": "positive5.yaml" + "line": 71, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 43, - "filename": "positive6.yaml" + "line": 28, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json index 162537e1ebe..0fe7ddb44d7 100644 --- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 27, - "filename": "positive2.json" + "line": 67, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}", + "searchValue": "", + "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 67, - "filename": "positive3.json" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 50, - "filename": "positive4.yaml" + "line": 42, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}", + "searchValue": "", + "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 20, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 42, - "filename": "positive6.yaml" + "line": 50, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json index ec22d4c9219..0bcd7fc122f 100644 --- a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 16, - "filename": "positive1.json" + "line": 31, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 49, - "filename": "positive1.json" + "line": 20, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json" + "line": 14, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 28, - "filename": "positive2.json" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content[multipart/data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 26, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.requestBody.content[text/plain]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 14, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.yaml" + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.requestBody.content[text/plain]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 14, - "filename": "positive5.yaml" + "line": 16, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 20, - "filename": "positive5.yaml" + "line": 28, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 20, - "filename": "positive6.yaml" + "line": 16, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json index c3483dcaf82..600f0fbd1f3 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 34, - "filename": "positive2.yaml" + "line": 37, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 37, - "filename": "positive3.json" + "line": 27, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 27, - "filename": "positive4.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 31, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode2}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows is using 'implicit' flow" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json index 544127a05d8..9af1ae7febe 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OAuth2 With Password Flow", "severity": "MEDIUM", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow" }, { "queryName": "OAuth2 With Password Flow", "severity": "MEDIUM", "line": 34, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json index f156b8ece08..c7a6ed6e2a1 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json @@ -2,109 +2,217 @@ { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 3, - "filename": "positive1.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.servers", + "searchValue": "", + "expectedValue": "servers has all required fields", + "actualValue": "servers is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 2, - "filename": "positive2.yaml" + "line": 38, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody_2", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 9, - "filename": "positive3.json" + "line": 12, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.servers", + "searchValue": "", + "expectedValue": "servers has all required fields", + "actualValue": "servers is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 12, - "filename": "positive3.json" + "line": 3, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 7, - "filename": "positive4.yaml" + "line": 42, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.IdParam", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 10, - "filename": "positive4.yaml" + "line": 32, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 54, - "filename": "positive5.json" + "line": 65, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody_2", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 62, - "filename": "positive5.json" + "line": 54, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody", + "searchValue": "", + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 65, - "filename": "positive5.json" + "line": 72, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.IdParam", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 27, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200", + "searchValue": "", + "expectedValue": "responses has all required fields", + "actualValue": "responses is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 36, - "filename": "positive6.yaml" + "line": 9, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 38, - "filename": "positive6.yaml" + "line": 18, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200", + "searchValue": "", + "expectedValue": "responses has all required fields", + "actualValue": "responses is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 27, - "filename": "positive7.json" + "line": 7, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 55, - "filename": "positive7.json" + "line": 36, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 72, - "filename": "positive7.json" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody", + "searchValue": "", + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 18, - "filename": "positive8.yaml" + "line": 2, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 32, - "filename": "positive8.yaml" + "line": 62, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 42, - "filename": "positive8.yaml" + "line": 55, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json index 99c86a1a63c..2d7276fc3bb 100644 --- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 11, - "filename": "positive1.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "components.parameters.idParam.content has one entry", + "actualValue": "components.parameters.idParam.content has multiple entries" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 78, - "filename": "positive1.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters", + "searchValue": "", + "expectedValue": "paths./.get.parameters.0.content has one entry", + "actualValue": "paths./.get.parameters.0.content has multiple entries" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 44, - "filename": "positive2.json" + "line": 48, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./user/{id}.parameters", + "searchValue": "", + "expectedValue": "paths./user/{id}.parameters.0.content has one entry", + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml" + "line": 44, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "components.parameters.idParam.content has one entry", + "actualValue": "components.parameters.idParam.content has multiple entries" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 48, - "filename": "positive3.yaml" + "line": 11, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters", + "searchValue": "", + "expectedValue": "paths./.get.parameters.0.content has one entry", + "actualValue": "paths./.get.parameters.0.content has multiple entries" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 78, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./user/{id}.parameters", + "searchValue": "", + "expectedValue": "paths./user/{id}.parameters.0.content has one entry", + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json index 31e4d7c7525..41d3d69a652 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 45, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 73, - "filename": "positive1.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 16, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{limit}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 45, - "filename": "positive2.yaml" + "line": 20, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{limit}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 20, - "filename": "positive3.json" + "line": 73, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 16, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json index 45a055a7e39..e5425818eb4 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 40, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 55, - "filename": "positive1.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 8, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 40, - "filename": "positive2.yaml" + "line": 10, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 10, - "filename": "positive3.json" + "line": 55, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json index b6873a7ca41..cb0c0b6b400 100644 --- a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.json" + "line": 39, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/}}.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 64, - "filename": "positive1.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 44, - "filename": "positive2.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.yaml" + "line": 44, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 39, - "filename": "positive3.yaml" + "line": 64, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/}}.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 26, - "filename": "positive4.yaml" + "line": 11, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json index e4d4cafd7a9..8538a7169b1 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.json" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}", + "searchValue": "", + "expectedValue": "Path Server Object url uses 'HTTPS' protocol", + "actualValue": "Path Server Object url uses 'HTTP' protocol" }, { "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.yaml" + "line": 18, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}", + "searchValue": "", + "expectedValue": "Path Server Object url uses 'HTTPS' protocol", + "actualValue": "Path Server Object url uses 'HTTP' protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json index a454d70f7e3..ed32a92365e 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 47, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml" + "line": 32, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 12, - "filename": "positive3.json" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 32, - "filename": "positive4.yaml" + "line": 31, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 16, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 31, - "filename": "positive6.yaml" + "line": 12, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json index cd75a47c8cc..e7168b3ffe5 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 30, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml" + "line": 31, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json index cd1698bb853..c3c0c4f0026 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", - "line": 59, - "filename": "positive1.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 59, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", - "line": 37, - "filename": "positive2.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", - "line": 43, - "filename": "positive3.json" + "line": 37, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json index bf8e259e7a7..64cbc2a5c1f 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 31, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 43, - "filename": "positive2.json" + "line": 30, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json index 3d983fd274a..b0e44f5a428 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 30, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 43, - "filename": "positive2.json" + "line": 31, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json index f86cfec9b30..ef6850e31f5 100644 --- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 64, - "filename": "positive1.json" + "line": 41, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" }, { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 43, - "filename": "positive2.json" + "line": 30, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" }, { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 41, - "filename": "positive3.yaml" + "line": 64, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" }, { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json index 436d3542a45..78ad1402942 100644 --- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", - "line": 50, - "filename": "positive1.json" + "line": 22, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", - "line": 22, - "filename": "positive2.json" + "line": 50, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 27, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 15, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json index 99678c04b86..1d11547d999 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 45, - "filename": "positive1.json" + "line": 26, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 45, - "filename": "positive2.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 26, - "filename": "positive3.yaml" + "line": 45, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 45, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json index 0592b8d8dc9..cbf66a5907c 100644 --- a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 14, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 11, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json index 855e0f4389d..e52abcb5f7b 100644 --- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", - "line": 9, - "filename": "positive1.json" + "line": 19, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/pets}}.get.security.api_key", + "searchValue": "", + "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" }, { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.api_key", + "searchValue": "", + "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" }, { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", "line": 28, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/pets}}.get.security.api_key", + "searchValue": "", + "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" }, { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml" + "line": 9, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.api_key", + "searchValue": "", + "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json index 7fe97f3cda0..761222ad366 100644 --- a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 2, - "filename": "positive1.json" + "line": 26, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is an empty object" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is not defined" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 44, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is an empty object" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 1, - "filename": "positive4.yaml" + "line": 2, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "Components is not defined" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 25, - "filename": "positive5.yaml" + "line": 1, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "Components is not defined" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 26, - "filename": "positive6.yaml" + "line": 25, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is not defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json index aa4a27d8581..69a5451ca7d 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", - "line": 57, - "filename": "positive1.json" + "line": 33, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication" }, { "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", - "line": 33, - "filename": "positive2.yaml" + "line": 57, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json index 22356392f89..288fa877959 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Scheme Using HTTP Digest", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication" }, { "queryName": "Security Scheme Using HTTP Digest", "severity": "LOW", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json index fe5a5c177ac..959daea3ae1 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Scheme Using HTTP Negotiate", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication" }, { "queryName": "Security Scheme Using HTTP Negotiate", "severity": "LOW", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json index 14942d4e108..2be7ab9fdab 100644 --- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Security Scheme HTTP Unknown Scheme", "severity": "MEDIUM", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry" }, { "queryName": "Security Scheme HTTP Unknown Scheme", "severity": "MEDIUM", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json index bab0376f9f5..d09b687171b 100644 --- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", - "line": 55, - "filename": "positive1.json" + "line": 31, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme" }, { "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", - "line": 31, - "filename": "positive2.yaml" + "line": 55, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json index 09f4d215b99..0f8a455a20d 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 38, - "filename": "positive1.json" + "line": 25, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 35, - "filename": "positive2.json" + "line": 30, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 30, - "filename": "positive3.yaml" + "line": 35, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 25, - "filename": "positive4.yaml" + "line": 38, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json index b7f1e790c41..2f2e8f68879 100644 --- a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 32, - "filename": "positive2.json" + "line": 24, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 24, - "filename": "positive3.yaml" + "line": 30, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml" + "line": 32, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json index 6816f4e3949..8088438d4b8 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 32, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", - "line": 32, - "filename": "positive2.json" + "line": 30, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", - "line": 24, - "filename": "positive3.yaml" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml" + "line": 24, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json index ac32cb6058d..ca66a346189 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 2, - "filename": "positive1.json" + "line": 25, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty" }, { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 43, - "filename": "positive2.json" + "line": 1, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined" }, { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 1, - "filename": "positive3.yaml" + "line": 2, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined" }, { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 25, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json index ef6cef28d07..04f9e876f4d 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set" }, { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", - "line": 10, - "filename": "positive2.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index f69ced81316..d39f825094e 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 26, - "filename": "positive1.json" + "line": 18, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 26, - "filename": "positive2.json" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 18, - "filename": "positive3.yaml" + "line": 26, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 17, - "filename": "positive4.yaml" + "line": 23, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 95d8ff3ab0d..4ba24cfc625 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 15, - "filename": "positive1.json" + "line": 13, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 15, - "filename": "positive2.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 13, - "filename": "positive3.yaml" + "line": 15, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 12, - "filename": "positive4.yaml" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json index 0e4a3242196..fd764058889 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 30, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 19, - "filename": "positive2.json" + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 30, - "filename": "positive3.yaml" + "line": 19, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json index c95c29decd1..de011038a4b 100644 --- a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 19, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe' is known in the schema object", + "actualValue": "The field 'tybhbhbpe' is unknown in the schema object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 12, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 3, - "filename": "positive2.json" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 20, - "filename": "positive3.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 12, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml" + "line": 3, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 2, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.yaml" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 20, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe:' is known in the schema object", + "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json index de1584ca153..ba22ba90418 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 45, - "filename": "positive1.json" + "line": 23, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 46, - "filename": "positive1.json" + "line": 22, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 47, - "filename": "positive1.json" + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 26, - "filename": "positive2.yaml" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 28, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 22, - "filename": "positive3.json" + "line": 45, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 23, - "filename": "positive3.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 14, - "filename": "positive4.yaml" + "line": 47, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 15, - "filename": "positive4.yaml" + "line": 46, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json index 7ecae3a47ac..584f5e2ba27 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 14, - "filename": "positive1.json" + "line": 15, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 15, - "filename": "positive1.json" + "line": 11, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 16, - "filename": "positive1.json" + "line": 12, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" + }, + { + "queryName": "API Key Exposed In Operation Security (v2)", + "severity": "LOW", + "line": 14, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 11, - "filename": "positive2.yaml" + "line": 16, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 12, - "filename": "positive2.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 14, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 15, - "filename": "positive3.json" - }, - { - "queryName": "API Key Exposed In Operation Security (v2)", - "severity": "LOW", - "line": 11, - "filename": "positive4.yaml" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 12, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json index 55fcc467565..bc793179fcd 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Array Items Has No Type (v3)", + "queryName": "Array Items Has No Type (v2)", "severity": "LOW", - "line": 65, - "filename": "positive1.json" + "line": 25, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + }, + { + "queryName": "Array Items Has No Type (v2)", + "severity": "LOW", + "line": 20, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 22, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 21, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", - "line": 42, - "filename": "positive4.yaml" + "line": 65, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyIntArray.items", + "searchValue": "", + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", - "line": 19, - "filename": "positive5.yaml" + "line": 42, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyIntArray.items", + "searchValue": "", + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 19, - "filename": "positive6.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { - "queryName": "Array Items Has No Type (v2)", - "severity": "LOW", - "line": 25, - "filename": "positive7.json" - }, - { - "queryName": "Array Items Has No Type (v2)", + "queryName": "Array Items Has No Type (v3)", "severity": "LOW", - "line": 20, - "filename": "positive8.yaml" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json index 656fed9e496..4be0f386cdc 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Array Without Maximum Number of Items (v3)", + "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", - "line": 56, - "filename": "positive1.json" + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" + }, + { + "queryName": "Array Without Maximum Number of Items (v2)", + "severity": "MEDIUM", + "line": 31, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 28, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 20, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" }, { - "queryName": "Array Without Maximum Number of Items (v2)", - "severity": "MEDIUM", - "line": 31, - "filename": "positive5.json" - }, - { - "queryName": "Array Without Maximum Number of Items (v2)", + "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", - "line": 23, - "filename": "positive6.yaml" + "line": 56, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json index 9143a0d4044..390ea4c00d0 100644 --- a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Default Invalid (v3)", + "queryName": "Default Invalid (v2)", "severity": "INFO", - "line": 21, - "filename": "positive1.json" + "line": 16, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { - "queryName": "Default Invalid (v3)", + "queryName": "Default Invalid (v2)", "severity": "INFO", - "line": 22, - "filename": "positive2.json" + "line": 17, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 18, - "filename": "positive3.json" + "line": 19, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 18, - "filename": "positive4.json" + "line": 27, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.yaml" + "line": 18, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 27, - "filename": "positive7.yaml" + "line": 19, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 19, - "filename": "positive8.yaml" + "line": 21, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { - "queryName": "Default Invalid (v2)", + "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 16, - "filename": "positive9.json" + "line": 18, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" }, { - "queryName": "Default Invalid (v2)", + "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 17, - "filename": "positive10.yaml" + "line": 22, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json index 9e94753493a..23ff080b349 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", - "line": 12, - "filename": "positive2.json" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 21, - "filename": "positive2.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 16, - "filename": "positive4.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 12, - "filename": "positive5.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 21, - "filename": "positive5.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 16, - "filename": "positive6.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json index 36d238dc9f7..69f6e58144a 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json @@ -1,86 +1,170 @@ [ { - "queryName": "Example Not Compliant With Schema Type (v3)", - "severity": "INFO", - "line": 21, - "filename": "positive1.json" - }, - { - "queryName": "Example Not Compliant With Schema Type (v3)", + "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml" + "line": 25, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v3)", + "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", - "line": 24, - "filename": "positive3.json" + "line": 30, + "filename": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v3)", + "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", - "line": 20, - "filename": "positive4.yaml" + "line": 44, + "filename": "positive11.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v3)", + "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 20, - "filename": "positive5.json" + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 17, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 34, - "filename": "positive5.json" + "line": 26, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml" + "line": 24, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive7.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive8.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v2)", + "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 25, - "filename": "positive9.json" + "line": 21, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v2)", + "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive10.yaml" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v2)", + "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 44, - "filename": "positive11.json" + "line": 34, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" }, { - "queryName": "Example Not Compliant With Schema Type (v2)", + "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 30, - "filename": "positive12.yaml" + "line": 20, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + }, + { + "queryName": "Example Not Compliant With Schema Type (v3)", + "severity": "INFO", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json index c7de883faf8..b3ac100a5fc 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Global Security Field Is Undefined (v3)", + "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", "line": 2, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v3)", + "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", "line": 1, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v2)", + "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", - "line": 2, - "filename": "positive3.json" + "line": 1, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v2)", + "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", - "line": 1, - "filename": "positive4.yaml" + "line": 2, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json index fc1a58f1c29..4bf3f9bfe24 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 21, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json" + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml" + "line": 11, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 36, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 21, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json index 91bf763ed24..49fe295d530 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json" + "line": 11, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml" + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 36, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 23, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json index f88a1ce07e1..b69869df492 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json" + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml" + "line": 11, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json" + "line": 36, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 23, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index 59f411c5bbd..fd99dd673e6 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json @@ -1,38 +1,50 @@ [ - { - "queryName": "Header Response Name Is Invalid (v3)", - "severity": "INFO", - "line": 42, - "filename": "positive1.json" - }, - { - "queryName": "Header Response Name Is Invalid (v3)", - "severity": "INFO", - "line": 28, - "filename": "positive2.yaml" - }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", "line": 32, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'" }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", - "line": 14, - "filename": "positive3.json" + "line": 21, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'" }, { - "queryName": "Header Response Name Is Invalid (v2)", + "queryName": "Header Response Name Is Invalid (v3)", "severity": "INFO", - "line": 21, - "filename": "positive4.yaml" + "line": 42, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" }, { - "queryName": "Header Response Name Is Invalid (v2)", + "queryName": "Header Response Name Is Invalid (v3)", "severity": "INFO", - "line": 12, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json index 02355545843..4a98cc2330f 100644 --- a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Invalid Contact Email (v3)", - "severity": "INFO", - "line": 9, - "filename": "positive1.json" - }, - { - "queryName": "Invalid Contact Email (v3)", + "queryName": "Invalid Contact Email (v2)", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email" }, { "queryName": "Invalid Contact Email (v2)", "severity": "INFO", "line": 9, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email" }, { - "queryName": "Invalid Contact Email (v2)", + "queryName": "Invalid Contact Email (v3)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email" + }, + { + "queryName": "Invalid Contact Email (v3)", + "severity": "INFO", + "line": 9, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json index be38431be9a..c2c70f54d14 100644 --- a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Invalid Contact URL (v3)", + "queryName": "Invalid Contact URL (v2)", "severity": "INFO", - "line": 8, - "filename": "positive1.json" + "line": 7, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v3)", + "queryName": "Invalid Contact URL (v2)", "severity": "INFO", - "line": 7, - "filename": "positive2.yaml" + "line": 8, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v2)", + "queryName": "Invalid Contact URL (v3)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v2)", + "queryName": "Invalid Contact URL (v3)", "severity": "INFO", "line": 7, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index 20563981948..45d1e6d4155 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -1,98 +1,98 @@ [ { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 14, - "filename": "positive1.json" - }, - { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 14, - "filename": "positive1.json" - }, - { - "queryName": "Invalid Format (v3)", + "queryName": "Invalid Format (v2)", "severity": "LOW", "line": 33, - "filename": "positive1.json" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { - "queryName": "Invalid Format (v3)", + "queryName": "Invalid Format (v2)", "severity": "LOW", - "line": 33, - "filename": "positive1.json" + "line": 42, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 37, - "filename": "positive1.json" - }, - { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 53, - "filename": "positive1.json" - }, - { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 61, - "filename": "positive1.json" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 12, - "filename": "positive2.yaml" - }, - { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 12, - "filename": "positive2.yaml" - }, - { - "queryName": "Invalid Format (v3)", - "severity": "LOW", - "line": 26, - "filename": "positive2.yaml" + "line": 29, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is float format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 26, - "filename": "positive2.yaml" + "line": 43, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 29, - "filename": "positive2.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 37, - "filename": "positive2.yaml" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is float format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 43, - "filename": "positive2.yaml" - }, - { - "queryName": "Invalid Format (v2)", - "severity": "LOW", - "line": 42, - "filename": "positive3.json" - }, - { - "queryName": "Invalid Format (v2)", - "severity": "LOW", - "line": 33, - "filename": "positive4.yaml" + "line": 61, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json index 1d7fb0622da..7b7a5a4f2ab 100644 --- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Invalid Global External Documentation URL (v3)", + "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v3)", + "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v2)", + "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", - "line": 26, - "filename": "positive3.json" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v2)", + "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json index ec8f7d58e7c..472386a1160 100644 --- a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Invalid License URL (v3)", - "severity": "INFO", - "line": 8, - "filename": "positive1.json" - }, - { - "queryName": "Invalid License URL (v3)", + "queryName": "Invalid License URL (v2)", "severity": "INFO", "line": 7, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL" }, { "queryName": "Invalid License URL (v2)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL" }, { - "queryName": "Invalid License URL (v2)", + "queryName": "Invalid License URL (v3)", "severity": "INFO", "line": 7, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL" + }, + { + "queryName": "Invalid License URL (v3)", + "severity": "INFO", + "line": 8, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json index cebaacbd067..70696b1c296 100644 --- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Invalid Operation External Documentation URL (v3)", + "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v3)", + "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v2)", + "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v2)", + "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", - "line": 15, - "filename": "positive4.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json index bb4b1586ea2..95b41e1d579 100644 --- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 61, - "filename": "positive1.json" + "line": 22, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 24, - "filename": "positive2.json" + "line": 37, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 35, - "filename": "positive3.yaml" + "line": 22, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml" + "line": 15, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive5.json" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 37, - "filename": "positive7.json" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml" + "line": 61, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive8.yaml" + "line": 35, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json index 7dd0106fbc0..6c81e9f1f8d 100644 --- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 18, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 57, - "filename": "positive1.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 30, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml" + "line": 34, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", "line": 30, - "filename": "positive3.json" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 34, - "filename": "positive3.json" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml" + "line": 57, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json index 7b8e7e75477..a89433e5f93 100644 --- a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Items Undefined (v3)", + "queryName": "Items Undefined (v2)", "severity": "INFO", - "line": 50, - "filename": "positive1.json" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v3)", + "queryName": "Items Undefined (v2)", "severity": "INFO", - "line": 22, - "filename": "positive2.json" + "line": 19, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" }, { "queryName": "Items Undefined (v3)", "severity": "INFO", "line": 27, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" }, { "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 15, - "filename": "positive4.yaml" + "line": 22, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v2)", + "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.json" + "line": 50, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v2)", + "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 5db48637405..369998bc89d 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json @@ -1,128 +1,206 @@ [ { - "queryName": "Maximum Length Undefined (v3)", - "severity": "LOW", - "line": 58, - "filename": "positive1.json" - }, - { - "queryName": "Maximum Length Undefined (v3)", - "severity": "LOW", - "line": 62, - "filename": "positive1.json" - }, - { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 77, - "filename": "positive1.json" + "line": 22, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 77, - "filename": "positive1.json" + "line": 28, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", - "severity": "LOW", - "line": 31, - "filename": "positive2.json" - }, - { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 34, - "filename": "positive3.yaml" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 37, - "filename": "positive3.yaml" + "line": 23, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 47, - "filename": "positive3.yaml" + "line": 28, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 47, - "filename": "positive3.yaml" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", - "severity": "LOW", - "line": 23, - "filename": "positive5.json" - }, - { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 27, - "filename": "positive5.json" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 19, - "filename": "positive6.yaml" + "line": 55, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 22, - "filename": "positive6.yaml" + "line": 31, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 23, - "filename": "positive7.json" + "line": 34, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 28, - "filename": "positive7.json" + "line": 37, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 28, - "filename": "positive8.json" + "line": 62, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 46, - "filename": "positive9.json" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 55, - "filename": "positive9.json" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json index a993a6d228d..abb5a76ca0d 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "No Global And Operation Security Defined (v3)", + "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", "line": 9, - "filename": "positive1.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v3)", + "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", - "line": 46, - "filename": "positive2.json" + "line": 7, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 7, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 27, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v2)", + "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", - "line": 7, - "filename": "positive5.yaml" + "line": 9, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v2)", + "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", - "line": 9, - "filename": "positive6.json" + "line": 46, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 24f9f0d6019..9b2b2d89b8a 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Non-Array Schema With Items (v3)", + "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v3)", + "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 24, - "filename": "positive2.json" + "line": 44, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 29, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml" - }, - { - "queryName": "Non-Array Schema With Items (v2)", - "severity": "INFO", - "line": 44, - "filename": "positive5.json" - }, - { - "queryName": "Non-Array Schema With Items (v2)", - "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 52, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v2)", + "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 22, - "filename": "positive5.json" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v2)", + "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index 86c83d955eb..c61a282219c 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Numeric Schema Without Format (v3)", + "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" }, { - "queryName": "Numeric Schema Without Format (v3)", + "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", - "line": 75, - "filename": "positive1.json" + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" - }, - { - "queryName": "Numeric Schema Without Format (v3)", - "severity": "LOW", - "line": 46, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" - }, - { - "queryName": "Numeric Schema Without Format (v2)", - "severity": "LOW", - "line": 23, - "filename": "positive5.json" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" }, { - "queryName": "Numeric Schema Without Format (v2)", + "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", - "line": 20, - "filename": "positive6.yaml" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index 544f422d0eb..2b38b075f99 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Numeric Schema Without Maximum (v3)", + "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json" + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" }, { - "queryName": "Numeric Schema Without Maximum (v3)", + "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", - "line": 75, - "filename": "positive1.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 27, - "filename": "positive2.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 46, - "filename": "positive3.yaml" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 22, - "filename": "positive4.yaml" - }, - { - "queryName": "Numeric Schema Without Maximum (v2)", - "severity": "LOW", - "line": 23, - "filename": "positive5.json" - }, - { - "queryName": "Numeric Schema Without Maximum (v2)", - "severity": "LOW", - "line": 20, - "filename": "positive6.yaml" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index d33e3fd50ff..f2ec496955f 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Numeric Schema Without Minimum (v3)", + "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json" + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" }, { - "queryName": "Numeric Schema Without Minimum (v3)", + "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", - "line": 74, - "filename": "positive1.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 27, - "filename": "positive2.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 45, - "filename": "positive3.yaml" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 22, - "filename": "positive4.yaml" - }, - { - "queryName": "Numeric Schema Without Minimum (v2)", - "severity": "LOW", - "line": 23, - "filename": "positive5.json" - }, - { - "queryName": "Numeric Schema Without Minimum (v2)", - "severity": "LOW", - "line": 20, - "filename": "positive6.yaml" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json index 7768016a5b1..6df9534a8e1 100644 --- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Object Using Enum With Keyword (v3)", + "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 42, - "filename": "positive1.json" + "line": 29, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v3)", + "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 32, - "filename": "positive2.yaml" + "line": 31, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 39, - "filename": "positive3.json" + "line": 38, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 29, - "filename": "positive4.yaml" + "line": 49, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v2)", + "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 29, - "filename": "positive5.json" + "line": 41, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v2)", + "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 31, - "filename": "positive6.yaml" + "line": 52, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json index 9d062f0bb69..b46d3584988 100644 --- a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 46, - "filename": "positive1.json" + "line": 23, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 15, - "filename": "positive3.json" + "line": 8, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 23, - "filename": "positive3.json" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml" + "line": 15, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.yaml" + "line": 46, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json index f00373706ce..333254b2857 100644 --- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Operation Without Successful HTTP Status Code (v3)", + "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v3)", + "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v2)", + "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 12, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v2)", + "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 10, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json index 89ef84063db..3b97c5e7aca 100644 --- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json @@ -1,122 +1,242 @@ [ { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 68, - "filename": "positive1.json" + "line": 11, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 82, - "filename": "positive1.json" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 10, - "filename": "positive3.json" + "line": 39, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 24, - "filename": "positive3.json" + "line": 18, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 53, - "filename": "positive2.yaml" + "line": 47, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 43, - "filename": "positive2.yaml" + "line": 26, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml" + "line": 8, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 21, - "filename": "positive2.yaml" + "line": 53, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml" + "line": 82, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 39, - "filename": "positive5.json" + "line": 68, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 47, - "filename": "positive5.json" + "line": 24, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 10, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 18, - "filename": "positive5.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml" + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 19, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json index 1ae56a9527b..da53426c6c7 100644 --- a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Parameters Name In Combination Not Unique (v3)", + "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 21, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { - "queryName": "Parameters Name In Combination Not Unique (v3)", + "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", "line": 37, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.otherJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 18, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { - "queryName": "Parameters Name In Combination Not Unique (v2)", + "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 21, - "filename": "positive3.json" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.otherParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { - "queryName": "Parameters Name In Combination Not Unique (v2)", + "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json index 3b35fce7422..9363bc789a3 100644 --- a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 6, - "filename": "positive1.yaml" + "line": 31, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 19, - "filename": "positive1.yaml" + "line": 13, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 8, - "filename": "positive2.json" + "line": 21, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 29, - "filename": "positive2.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml" + "line": 19, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 21, - "filename": "positive3.yaml" + "line": 6, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.json" + "line": 29, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 31, - "filename": "positive4.json" + "line": 8, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index 624a401ce69..a80e56cac7c 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Path Parameter Not Required (v3)", + "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 20, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v3)", + "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 14, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 10, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 10, - "filename": "positive5.json" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 8, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.json" + "line": 15, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{nameAPI}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml" + "line": 19, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{nameAPI}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v2)", + "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 20, - "filename": "positive7.json" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v2)", + "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 14, - "filename": "positive8.yaml" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json index f7549912a32..f6689a8b135 100644 --- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Path Parameter With No Corresponding Template Path (v3)", + "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", - "line": 37, - "filename": "positive1.yaml" + "line": 32, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v3)", + "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", - "line": 59, - "filename": "positive2.json" + "line": 51, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v2)", + "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml" + "line": 59, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v2)", + "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", - "line": 51, - "filename": "positive4.json" + "line": 37, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./yada/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json index 020d02d1f96..604b7b0957a 100644 --- a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Path Template is Empty (v3)", + "queryName": "Path Template is Empty (v2)", "severity": "INFO", - "line": 32, - "filename": "positive1.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v3)", + "queryName": "Path Template is Empty (v2)", "severity": "INFO", - "line": 53, - "filename": "positive2.json" + "line": 13, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v2)", + "queryName": "Path Template is Empty (v3)", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml" + "line": 32, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v2)", + "queryName": "Path Template is Empty (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.json" + "line": 53, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json index a2b1f1bb729..ef812e4726c 100644 --- a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Path Without Operation (v3)", + "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 8, - "filename": "positive1.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v3)", + "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 6, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v2)", + "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v2)", + "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 6, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json index 1e448ad9fca..5aa955823a4 100644 --- a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Paths Object is Empty (v3)", + "queryName": "Paths Object is Empty (v2)", "severity": "INFO", - "line": 7, - "filename": "positive1.json" + "line": 5, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty" }, { "queryName": "Paths Object is Empty (v2)", "severity": "INFO", "line": 7, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty" }, { "queryName": "Paths Object is Empty (v3)", "severity": "INFO", - "line": 5, - "filename": "positive3.yaml" + "line": 7, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty" }, { - "queryName": "Paths Object is Empty (v2)", + "queryName": "Paths Object is Empty (v3)", "severity": "INFO", "line": 5, - "filename": "positive4.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index 7ac7f3a8171..f3bc748990d 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json @@ -1,98 +1,146 @@ [ { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 63, - "filename": "positive1.json" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 58, - "filename": "positive1.json" + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 79, - "filename": "positive1.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 79, - "filename": "positive1.json" + "line": 28, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 27, - "filename": "positive2.json" + "line": 34, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 32, - "filename": "positive2.json" + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 34, - "filename": "positive3.yaml" + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 38, - "filename": "positive3.yaml" + "line": 63, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 49, - "filename": "positive3.yaml" + "line": 27, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 49, - "filename": "positive3.yaml" + "line": 32, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive4.yaml" + "line": 38, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 26, - "filename": "positive4.yaml" - }, - { - "queryName": "Pattern Undefined (v2)", - "severity": "MEDIUM", - "line": 23, - "filename": "positive5.json" - }, - { - "queryName": "Pattern Undefined (v2)", - "severity": "MEDIUM", - "line": 28, - "filename": "positive5.json" - }, - { - "queryName": "Pattern Undefined (v2)", - "severity": "MEDIUM", - "line": 19, - "filename": "positive6.yaml" - }, - { - "queryName": "Pattern Undefined (v2)", - "severity": "MEDIUM", - "line": 23, - "filename": "positive6.yaml" + "line": 58, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json index 0c00d106449..c4bbbe92be4 100644 --- a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Properties Missing Required Property (v3)", + "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", - "line": 56, - "filename": "positive1.json" + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.MyObject.properties.code.required.name", + "searchValue": "", + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v3)", + "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", - "line": 38, - "filename": "positive2.yaml" + "line": 27, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.MyObject.properties.code.required.name", + "searchValue": "", + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing" }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 54, - "filename": "positive3.json" + "line": 38, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", "line": 37, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v2)", + "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 27, - "filename": "positive5.json" + "line": 56, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v2)", + "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 20, - "filename": "positive6.yaml" + "line": 54, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json index 9bd4bcc59f3..614adb5e730 100644 --- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": "INFO", - "line": 59, - "filename": "positive1.json" + "line": 15, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 20, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 37, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json" + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml" + "line": 59, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 20, - "filename": "positive5.json" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json index 5b419b8ba0f..8ba46b41c0e 100644 --- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json @@ -1,62 +1,86 @@ [ { - "queryName": "Property Defining Minimum Greater Than Maximum (v3)", + "queryName": "Property Defining Minimum Greater Than Maximum (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json" + "line": 25, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 71, - "filename": "positive1.json" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message", + "searchValue": "", + "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'", + "actualValue": "Array schema value has 'minItems' larger than 'maxItems'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 24, - "filename": "positive2.json" + "line": 21, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 33, - "filename": "positive3.yaml" - }, - { - "queryName": "Property Defining Minimum Greater Than Maximum (v3)", - "severity": "INFO", - "line": 47, - "filename": "positive3.yaml" - }, - { - "queryName": "Property Defining Minimum Greater Than Maximum (v3)", - "severity": "INFO", - "line": 21, - "filename": "positive4.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 33, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", + "actualValue": "String schema value has 'minLength' larger than 'maxLength'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 50, - "filename": "positive5.yaml" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" - }, - { - "queryName": "Property Defining Minimum Greater Than Maximum (v2)", - "severity": "INFO", - "line": 25, - "filename": "positive7.json" + "line": 52, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json index 8eca405487b..9e403445f97 100644 --- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Required Property With Default Value (v3)", + "queryName": "Required Property With Default Value (v2)", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 23, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" }, { - "queryName": "Required Property With Default Value (v3)", + "queryName": "Required Property With Default Value (v2)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 12, - "filename": "positive3.yaml" + "line": 30, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 22, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 23, - "filename": "positive4.yaml" - }, - { - "queryName": "Required Property With Default Value (v2)", - "severity": "INFO", - "line": 23, - "filename": "positive5.json" - }, - { - "queryName": "Required Property With Default Value (v2)", - "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index fff2d20fb17..5bae57aeaa2 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -1,158 +1,314 @@ [ { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 21, - "filename": "positive1.json" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 21, - "filename": "positive1.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive2.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive2.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml" + "line": 16, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml" + "line": 12, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 16, - "filename": "positive3.yaml" + "line": 21, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 16, - "filename": "positive3.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml" + "line": 16, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive5.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml" + "line": 21, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json index a5b288523c3..182df1f13ce 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Response on operations that should not have a body has declared content (v3)", + "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", - "line": 29, - "filename": "positive1.json" + "line": 15, + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v3)", + "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", - "line": 20, - "filename": "positive2.json" + "line": 13, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", "line": 23, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", "line": 17, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v2)", + "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", - "line": 13, - "filename": "positive5.yaml" + "line": 20, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v2)", + "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", - "line": 15, - "filename": "positive6.json" + "line": 29, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json index 8f1c35ed02e..d01bd05bd69 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json @@ -1,74 +1,146 @@ [ { - "queryName": "Response on operations that should have a body has undefined schema (v3)", + "queryName": "Response on operations that should have a body has undefined schema (v2)", "severity": "MEDIUM", "line": 18, - "filename": "positive1.json" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.schema should be defined", + "actualValue": "paths./.get.responses.200.schema is undefined" }, { - "queryName": "Response on operations that should have a body has undefined schema (v3)", + "queryName": "Response on operations that should have a body has undefined schema (v2)", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json" + "line": 15, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.schema should be defined", + "actualValue": "paths./.get.responses.200.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.json" + "line": 22, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive3.json" + "line": 21, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 20, - "filename": "positive4.json" + "line": 15, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content should be defined", + "actualValue": "paths./.get.responses.200.content is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.yaml" + "line": 19, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive6.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 18, - "filename": "positive7.yaml" + "line": 20, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 19, - "filename": "positive7.yaml" + "line": 21, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 17, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" }, { - "queryName": "Response on operations that should have a body has undefined schema (v2)", + "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive9.json" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" }, { - "queryName": "Response on operations that should have a body has undefined schema (v2)", + "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 15, - "filename": "positive10.yaml" + "line": 18, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content should be defined", + "actualValue": "paths./.get.responses.200.content is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json index bdae2a7033f..ba0e8674566 100644 --- a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Responses Object Is Empty (v3)", + "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v3)", + "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", - "line": 21, - "filename": "positive2.json" + "line": 12, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v2)", + "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 12, - "filename": "positive5.json" + "line": 21, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v2)", + "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 10, - "filename": "positive6.yaml" + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json index e80d64f6c04..206e3621c51 100644 --- a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", - "line": 13, - "filename": "positive1.json" + "line": 11, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", - "line": 39, - "filename": "positive1.json" + "line": 25, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml" + "line": 13, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 39, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 13, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 39, - "filename": "positive3.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 11, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json index 9a7428a8c86..792d4488bcb 100644 --- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json" + "line": 15, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml" + "line": 28, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml" + "line": 25, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json" + "line": 18, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 32, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 25, - "filename": "positive7.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json index f486155aa9a..6015bf9b664 100644 --- a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 35, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json" + "line": 16, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml" + "line": 15, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 35, - "filename": "positive5.json" + "line": 25, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 16, - "filename": "positive7.json" + "line": 18, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml" + "line": 32, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json index c74b919f275..dfffdc7044e 100644 --- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 28, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json" + "line": 22, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml" + "line": 15, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml" + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json" + "line": 25, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 18, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 22, - "filename": "positive7.json" + "line": 32, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index 4a384929bae..a263d0ae7df 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "Schema Enum Invalid (v3)", + "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 20, - "filename": "positive1.json" + "line": 37, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v3)", + "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 20, - "filename": "positive2.json" + "line": 52, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" - }, - { - "queryName": "Schema Enum Invalid (v2)", - "severity": "INFO", - "line": 50, - "filename": "positive5.json" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v2)", - "severity": "INFO", - "line": 35, - "filename": "positive6.yaml" - }, - { - "queryName": "Schema Enum Invalid (v2)", + "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", - "line": 14, - "filename": "positive5.json" + "line": 20, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v2)", + "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", - "line": 12, - "filename": "positive6.yaml" + "line": 20, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json index 28f8a049e58..c139ec6897f 100644 --- a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 50, - "filename": "positive1.json" + "line": 26, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 22, - "filename": "positive2.json" + "line": 20, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.yaml" + "line": 14, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 15, - "filename": "positive4.yaml" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 20, - "filename": "positive5.json" + "line": 15, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 26, - "filename": "positive7.json" + "line": 50, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml" + "line": 22, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 14, - "filename": "positive8.yaml" + "line": 27, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json index b651764ca9b..3529175cdff 100644 --- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json @@ -1,110 +1,218 @@ [ { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 19, - "filename": "positive1.json" + "line": 57, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 38, - "filename": "positive1.json" + "line": 28, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json" + "line": 44, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 16, - "filename": "positive2.yaml" + "line": 41, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 28, - "filename": "positive2.yaml" + "line": 24, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 37, - "filename": "positive2.yaml" + "line": 34, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 28, - "filename": "positive3.json" + "line": 19, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 44, - "filename": "positive3.json" + "line": 57, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 57, - "filename": "positive3.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 24, - "filename": "positive4.yaml" + "line": 28, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 34, - "filename": "positive4.yaml" + "line": 24, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 41, - "filename": "positive4.yaml" + "line": 16, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json" + "line": 38, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 44, - "filename": "positive5.json" + "line": 41, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 57, - "filename": "positive5.json" + "line": 37, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 24, - "filename": "positive6.yaml" + "line": 53, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 34, - "filename": "positive6.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 41, - "filename": "positive6.yaml" + "line": 28, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json index b7d43de1e87..1e067dc9197 100644 --- a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Schema Has A Required Property Undefined (v3)", + "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", - "line": 50, - "filename": "positive1.json" + "line": 20, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v3)", + "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", - "line": 22, - "filename": "positive2.json" + "line": 17, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml" + "line": 19, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml" + "line": 50, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v2)", + "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 20, - "filename": "positive5.json" + "line": 22, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v2)", + "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 17, - "filename": "positive6.yaml" + "line": 31, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json index 19bea1c594e..4a11834a241 100644 --- a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Global Security Field Has An Empty Array (v3)", + "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive1.json" + "line": 60, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v3)", + "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 25, - "filename": "positive2.yaml" + "line": 38, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v2)", + "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive4.json" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v2)", + "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", - "line": 38, - "filename": "positive3.yaml" + "line": 25, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json index 62c6149c85d..7675ba06177 100644 --- a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json @@ -1,74 +1,146 @@ [ { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive1.json" + "line": 60, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive2.json" + "line": 60, + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive3.json" + "line": 38, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive4.json" + "line": 38, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive5.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive7.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive8.yaml" + "line": 43, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 38, - "filename": "positive9.yaml" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive10.json" + "line": 25, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 38, - "filename": "positive11.yaml" + "line": 25, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive12.json" + "line": 43, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json index 962ab661032..3fe6a7fd6fb 100644 --- a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Security Field On Operations Has An Empty Array (v3)", + "queryName": "Security Field On Operations Has An Empty Array (v2)", "severity": "HIGH", - "line": 12, - "filename": "positive1.json" + "line": 14, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { - "queryName": "Security Field On Operations Has An Empty Array (v3)", + "queryName": "Security Field On Operations Has An Empty Array (v2)", "severity": "HIGH", - "line": 51, - "filename": "positive2.json" + "line": 17, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 51, - "filename": "positive3.json" + "line": 32, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 53, - "filename": "positive4.json" + "line": 51, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 10, - "filename": "positive5.yaml" + "line": 31, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 31, - "filename": "positive6.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 31, - "filename": "positive7.yaml" + "line": 51, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 32, - "filename": "positive8.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { - "queryName": "Security Field On Operations Has An Empty Array (v2)", + "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 17, - "filename": "positive10.json" + "line": 53, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" }, { - "queryName": "Security Field On Operations Has An Empty Array (v2)", + "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 14, - "filename": "positive9.yaml" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json index c63557f7866..969260e6ee5 100644 --- a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json @@ -1,62 +1,122 @@ [ { - "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", + "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", "severity": "HIGH", - "line": 12, - "filename": "positive1.json" + "line": 14, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { - "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", + "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", "severity": "HIGH", - "line": 51, - "filename": "positive2.json" + "line": 17, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 44, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 53, - "filename": "positive4.json" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 10, - "filename": "positive5.yaml" + "line": 32, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 31, - "filename": "positive6.yaml" + "line": 51, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 28, - "filename": "positive7.yaml" + "line": 53, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 32, - "filename": "positive8.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" }, { - "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", + "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 14, - "filename": "positive9.yaml" + "line": 28, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object" }, { - "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", + "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 17, - "filename": "positive10.json" + "line": 31, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json index a74d7ffee20..d0c794e412c 100644 --- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json @@ -1,50 +1,74 @@ [ { - "queryName": "String Schema with Broad Pattern (v3)", - "severity": "LOW", - "line": 61, - "filename": "positive1.json" - }, - { - "queryName": "String Schema with Broad Pattern (v3)", + "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 81, - "filename": "positive1.json" + "line": 30, + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" }, { - "queryName": "String Schema with Broad Pattern (v3)", + "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 30, - "filename": "positive2.json" + "line": 26, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 37, - "filename": "positive3.yaml" + "line": 61, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 51, - "filename": "positive3.yaml" + "line": 30, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 25, - "filename": "positive4.yaml" - }, - { - "queryName": "String Schema with Broad Pattern (v2)", - "severity": "LOW", - "line": 30, - "filename": "positive6.json" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" }, { - "queryName": "String Schema with Broad Pattern (v2)", + "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 26, - "filename": "positive5.yaml" + "line": 37, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json index 085eab862bb..e1e53d98e4f 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Success Response Code Undefined for Delete Operation (v3)", + "queryName": "Success Response Code Undefined for Delete Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v3)", + "queryName": "Success Response Code Undefined for Delete Operation (v2)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v2)", + "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v2)", + "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json index 64cbed3c1b1..3ae17959494 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code" }, { "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", - "line": 10, - "filename": "positive2.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", - "line": 12, - "filename": "positive3.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml" + "line": 12, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json index 1f6c14dc8f6..c3aa4c4a472 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ { - "queryName": "Success Response Code Undefined for Head Operation (v3)", - "severity": "LOW", - "line": 12, - "filename": "positive1.json" - }, - { - "queryName": "Success Response Code Undefined for Head Operation (v3)", + "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", "line": 10, - "filename": "positive2.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code" }, { "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Head Operation (v2)", + "queryName": "Success Response Code Undefined for Head Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code" + }, + { + "queryName": "Success Response Code Undefined for Head Operation (v3)", + "severity": "LOW", + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json index 5350ccdf0e7..6a8c11e213c 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Success Response Code Undefined for Patch Operation (v3)", + "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 24, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v3)", + "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": "LOW", - "line": 24, - "filename": "positive2.json" + "line": 18, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive4.yaml" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v2)", + "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v2)", + "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json index f5959207758..eb6dc751ae7 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Success Response Code Undefined for Post Operation (v3)", + "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 24, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v3)", + "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", - "line": 24, - "filename": "positive2.json" + "line": 18, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive4.yaml" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v2)", + "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v2)", + "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json index ba164e0af40..0f7c12dd852 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ { - "queryName": "Success Response Code Undefined for Put Operation (v3)", + "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json" + "line": 24, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v3)", + "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", - "line": 24, - "filename": "positive2.json" + "line": 18, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml" + "line": 18, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive4.yaml" + "line": 10, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v2)", + "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json" + "line": 12, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v2)", + "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive6.yaml" + "line": 24, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json index 1fa501a7423..8e9d336bd69 100644 --- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json @@ -1,74 +1,146 @@ [ { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 10, - "filename": "positive1.yaml" + "line": 25, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 58, - "filename": "positive2.json" + "line": 31, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 34, - "filename": "positive3.yaml" + "line": 14, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 40, - "filename": "positive3.yaml" + "line": 38, + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 55, - "filename": "positive4.json" + "line": 35, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 65, - "filename": "positive4.json" + "line": 45, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 14, - "filename": "positive5.yaml" + "line": 40, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 38, - "filename": "positive6.json" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 25, - "filename": "positive7.yaml" + "line": 55, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 31, - "filename": "positive7.yaml" + "line": 65, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 35, - "filename": "positive8.json" + "line": 58, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 45, - "filename": "positive8.json" + "line": 34, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index 8050e654697..ef2cac3f430 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json @@ -1,122 +1,170 @@ [ { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 18, - "filename": "positive1.json" + "line": 19, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json" + "line": 55, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 18, - "filename": "positive2.json" + "line": 41, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 42, - "filename": "positive2.json" + "line": 17, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 18, - "filename": "positive3.json" + "line": 33, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 46, - "filename": "positive3.json" + "line": 42, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 16, - "filename": "positive4.yaml" + "line": 46, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.name.required", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword required is not valid for type string" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 37, - "filename": "positive4.yaml" + "line": 14, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.PointGenre.minimum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minimum is not valid for type string" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 16, - "filename": "positive5.yaml" + "line": 37, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 29, - "filename": "positive5.yaml" + "line": 37, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml" + "line": 29, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 37, - "filename": "positive6.yaml" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 41, - "filename": "positive7.json" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 55, - "filename": "positive7.json" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 33, - "filename": "positive8.yaml" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", "line": 42, - "filename": "positive8.yaml" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 19, - "filename": "positive9.json" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 17, - "filename": "positive10.yaml" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 14, - "filename": "positive11.yaml" + "line": 52, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 15, - "filename": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.PointGenre.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string" } -] +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 6618f3802ee..48bda14ef30 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", - "line": 44, - "fileName": "positive1.yaml" + "line": 35, + "filename": "positive2.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' should be defined", + "actualValue": "Attribute 'publiclyAccessible' is not defined" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", - "line": 35, - "fileName": "positive2.yaml" + "line": 44, + "filename": "positive1.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties.publiclyAccessible", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", + "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index d93f28a1060..ba22407898e 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } -] + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'accessLogSettings' should be defined", + "actualValue": "Attribute 'accessLogSettings' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 3b55e916d68..8c9807ba22d 100644 --- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } -] + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'clientCertificateId' should be defined", + "actualValue": "Attribute 'clientCertificateId' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json index ec989d87754..b5edd23453b 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" + "line": 18, + "filename": "positive3.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: audit, profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index e6fa49800c1..92d4afad49b 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'serverSideEncryption' should be defined", + "actualValue": "Attribute 'serverSideEncryption' is not defined" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 17, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties.serverSideEncryption.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true", + "actualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index a258509974c..ca5eb6afda5 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'pointInTimeRecovery' should be defined", + "actualValue": "Attribute 'pointInTimeRecovery' is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 21, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties.pointInTimeRecovery.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true", + "actualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 50322c323b5..c43f364e2e4 100644 --- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'monitoring' should be defined and set to true", + "actualValue": "Attribute 'monitoring' is not defined" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 16, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties.monitoring", + "searchValue": "", + "expectedValue": "Attribute 'monitoring' should be set to true", + "actualValue": "Attribute 'monitoring' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 05f043b1d1b..c37b65f9112 100644 --- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "EC2 Not EBS Optimized", - "severity": "INFO", - "line": 10, - "fileName": "positive.yaml" - }, - { - "queryName": "EC2 Not EBS Optimized", - "severity": "INFO", - "line": 18, - "fileName": "positive.yaml" - } -] + { + "queryName": "EC2 Not EBS Optimized", + "severity": "INFO", + "line": 10, + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties.ebsOptimized", + "searchValue": "", + "expectedValue": "Attribute 'ebsOptimized' should be set to true", + "actualValue": "Attribute 'ebsOptimized' is set to false" + }, + { + "queryName": "EC2 Not EBS Optimized", + "severity": "INFO", + "line": 18, + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'ebsOptimized' should be defined and set to true", + "actualValue": "Attribute 'ebsOptimized' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 601fa6515b7..3f2fbb91702 100644 --- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 7, - "fileName": "positive3.yaml" - } -] + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties.settings", + "searchValue": "", + "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" + }, + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 7, + "filename": "positive3.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties", + "searchValue": "", + "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' is not defined" + }, + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties.settings", + "searchValue": "", + "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index f1cf8a75933..135b048670c 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM", - "line": 10, - "fileName": "positive.yaml" - }, - { - "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive.yaml" - } -] + { + "queryName": "ElastiCache Nodes Not Created Across Multi AZ", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is not defined" + }, + { + "queryName": "ElastiCache Nodes Not Created Across Multi AZ", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties.azMode", + "searchValue": "", + "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is set to single-az" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index f3eb496129c..df12a0dcab4 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "ElastiCache Redis Cluster Without Backup", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive.yaml" - }, - { - "queryName": "ElastiCache Redis Cluster Without Backup", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive.yaml" - } -] + { + "queryName": "ElastiCache Redis Cluster Without Backup", + "severity": "MEDIUM", + "line": 17, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is not defined" + }, + { + "queryName": "ElastiCache Redis Cluster Without Backup", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties.snapshotRetentionLimit", + "searchValue": "", + "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index f71a9571173..a4193f76da9 100644 --- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Elasticsearch Logs Disabled", - "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" - }, - { - "queryName": "Elasticsearch Logs Disabled", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Elasticsearch Logs Disabled", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.yaml" - } -] + { + "queryName": "Elasticsearch Logs Disabled", + "severity": "MEDIUM", + "line": 18, + "filename": "positive3.yaml", + "resourceType": "aws:elasticsearch:Domain", + "resourceName": "exampleDomain", + "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", + "searchValue": "", + "expectedValue": "Attribute 'enabled' should be set to 'true'", + "actualValue": "Attribute 'enabled' is set to 'false'" + }, + { + "queryName": "Elasticsearch Logs Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "aws:elasticsearch:Domain", + "resourceName": "exampleDomain", + "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", + "searchValue": "", + "expectedValue": "Attribute 'enabled' should be defined and set to 'true'", + "actualValue": "Attribute 'enabled' is not defined" + }, + { + "queryName": "Elasticsearch Logs Disabled", + "severity": "MEDIUM", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "aws:elasticsearch:Domain", + "resourceName": "exampleDomain", + "searchKey": "resources.exampleDomain.properties", + "searchValue": "", + "expectedValue": "Attribute 'logPublishingOptions' should be defined", + "actualValue": "Attribute 'logPublishingOptions' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 4a76d1cc1b0..3bc67a746c9 100644 --- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "aws.elasticsearch.Domain", + "resourceName": "0", + "searchKey": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS", + "searchValue": "", + "expectedValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", + "actualValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 152fb7347ec..e72ac4ecadd 100644 --- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:iam:AccountPasswordPolicy", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher", + "actualValue": "Attribute 'minimumPasswordLength' is not defined" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 16, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:iam:AccountPasswordPolicy", + "resourceName": "example", + "searchKey": "resources[example].properties.minimumPasswordLength", + "searchValue": "", + "expectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher", + "actualValue": "Attribute 'minimumPasswordLength' is set to less than 14" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 3a0189f4d2f..f2e9651c05b 100644 --- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "aws:rds:Instance", + "resourceName": "default", + "searchKey": "resources[default].properties.publiclyAccessible", + "searchValue": "", + "expectedValue": "'resources.default.properties.publiclyAccessible' should be set to 'false'", + "actualValue": "'resources.default.properties.publiclyAccessible' is set to 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 74ec4256eda..09a49d6e81c 100644 --- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Redis Cache Allows Non SSL Connections", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive.yaml" - } -] + { + "queryName": "Redis Cache Allows Non SSL Connections", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "azure-native:cache:Redis", + "resourceName": "redis", + "searchKey": "resources[redis].properties.enableNonSslPort", + "searchValue": "", + "expectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false", + "actualValue": "Redis Cache has attribute 'enableNonSslPort' set to true" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json index c6ab89b625e..a97d4f1fbc1 100644 --- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 9, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "azure-native:storage:StorageAccount", + "resourceName": "storageAccount", + "searchKey": "resources[storageAccount].properties.enableHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true", + "actualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index cdc97e3eab8..2b286e65553 100644 --- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "gcp:storage:Bucket", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Storage Bucket should have attribute 'logging' defined", + "actualValue": "Storage Bucket attribute 'logging' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index 1075917af2f..e3c45bf4759 100644 --- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Google Compute SSL Policy Weak Cipher In Use", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - }, - { - "queryName": "Google Compute SSL Policy Weak Cipher In Use", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive.yaml" - } -] + { + "queryName": "Google Compute SSL Policy Weak Cipher In Use", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "gcp:compute:SSLPolicy", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'", + "actualValue": "SSLPolicy 'minTlsVersion' attribute is not defined" + }, + { + "queryName": "Google Compute SSL Policy Weak Cipher In Use", + "severity": "MEDIUM", + "line": 16, + "filename": "positive.yaml", + "resourceType": "gcp:compute:SSLPolicy", + "resourceName": "example", + "searchKey": "resources[example].properties.minTlsVersion", + "searchValue": "", + "expectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'", + "actualValue": "SSLPolicy 'minTlsVersion' attribute is set to TLS_1_1" + } +] \ No newline at end of file diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json index bb03452d61c..9f5c45866b8 100644 --- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Missing App Armor Config", "severity": "MEDIUM", "line": 8, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "kubernetes:core/v1:Pod", + "resourceName": "pod", + "searchKey": "resources[pod].properties.metadata", + "searchValue": "", + "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", + "actualValue": "Pod does not have annotations defined in metadata" }, { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 25, - "fileName": "positive.yaml" + "line": 42, + "filename": "positive.yaml", + "resourceType": "kubernetes:core/v1:Pod", + "resourceName": "pod", + "searchKey": "resources[pod].properties.metadata.annotations", + "searchValue": "", + "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", + "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined" }, { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 42, - "fileName": "positive.yaml" + "line": 25, + "filename": "positive.yaml", + "resourceType": "kubernetes:core/v1:Pod", + "resourceName": "pod", + "searchKey": "resources[pod].properties.metadata", + "searchValue": "", + "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", + "actualValue": "Pod does not have annotations defined in metadata" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json index d68ff20ecd3..b3ab3ff2105 100644 --- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "PSP Set To Privileged", "severity": "HIGH", "line": 11, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "kubernetes:policy/v1beta1:PodSecurityPolicy", + "resourceName": "example", + "searchKey": "resources[example].properties.spec.privileged", + "searchValue": "", + "expectedValue": "PSP should have 'privileged' set to false or not defined", + "actualValue": "PSP has 'privileged' set to true" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 951599524db..09b73040026 100644 --- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "myservice", + "searchKey": "provider.logs.restApi.accessLogging", + "searchValue": "", + "expectedValue": "provider.logs.restApi should have 'accessLogging' set to true", + "actualValue": "provider.logs.restApi has 'accessLogging' set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 3681cfe75d3..e14703c3af5 100644 --- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yml" + "line": 5, + "filename": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.endpointType", + "searchValue": "", + "expectedValue": "endpointType should be set to PRIVATE", + "actualValue": "endpointType is not set to PRIVATE" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.yml" + "line": 3, + "filename": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "endpointType should be defined and set to PRIVATE", + "actualValue": "endpointType is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json index 3e2ab32bd5a..69b4e7f2969 100644 --- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 5, - "fileName": "positive1.yml" + "line": 6, + "filename": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.apiGateway.minimumCompressionSize", + "searchValue": "", + "expectedValue": "'minimumCompressionSize' should be set to a recommended value", + "actualValue": "'minimumCompressionSize' is set a unrecommended value" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 6, - "fileName": "positive2.yml" + "line": 5, + "filename": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.apiGateway", + "searchValue": "", + "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value", + "actualValue": "apiGateway does not have 'minimumCompressionSize' defined" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 6e81798ca68..225ccd889e7 100644 --- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.tracing.apiGateway", + "searchValue": "", + "expectedValue": "tracing should have 'apiGateway' set to true", + "actualValue": "'apiGateway' is set to false" }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yml" + "filename": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.tracing", + "searchValue": "", + "expectedValue": "tracing should have 'apiGateway' defined and set to true", + "actualValue": "'apiGateway' is not defined within tracing" } -] +] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 8cf9e285b5c..5ca40d7c70b 100644 --- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yml" + "filename": "positive2.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the provider", + "actualValue": "'kmsKeyArn' is not defined" }, { "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the function", + "actualValue": "'kmsKeyArn' is not defined" }, { "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.yml" + "filename": "positive1.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the provider", + "actualValue": "'kmsKeyArn' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 73f4f272ff6..5209c30a8ee 100644 --- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Function Without Dead Letter Queue", "severity": "LOW", "line": 8, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'onError' should be defined inside the function", + "actualValue": "'onError' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json index 741020c2f46..69cea04e5fb 100644 --- a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Function Without Tags", "severity": "LOW", "line": 8, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'tags' should be defined inside the function", + "actualValue": "'tags' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json index ecd2c6cc8e9..1f051c636ea 100644 --- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "fileName": "positive1.yml" + "filename": "positive2.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions[%!s(int=0)].hello", + "searchValue": "", + "expectedValue": "'role' should be defined inside the function", + "actualValue": "'role' is not defined" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "fileName": "positive2.yml" + "filename": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'role' should be defined inside the function", + "actualValue": "'role' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 9f0f7fb945f..22676bb7d34 100644 --- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 14, - "fileName": "positive1.yml" + "line": 8, + "filename": "positive2.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'tracing' should be defined and set to Active", + "actualValue": "'tracing' is not defined" }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 8, - "fileName": "positive2.yml" + "line": 14, + "filename": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello.tracing", + "searchValue": "", + "expectedValue": "'tracing' should be set to Active", + "actualValue": "'tracing' is not set to Active" } -] +] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json index b3f9f663401..82d3c2dba49 100644 --- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Serverless Role With Full Privileges", "severity": "HIGH", "line": 11, - "fileName": "positive1.yml" + "filename": "positive1.yml", + "resourceType": "AWS::IAM", + "resourceName": "custom-role-name", + "searchKey": "provider.iam.role.statements[0]", + "searchValue": "", + "expectedValue": "Statement should not give admin privileges", + "actualValue": "Statement gives admin privileges" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index 0565aeb415a..8bbb6a774d4 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive3.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive8.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail9]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.tf" + "line": 5, + "filename": "positive2.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive7.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail8]", + "searchValue": "trail_region", + "expectedValue": "'trail_region' should be set.", + "actualValue": "'trail_region' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": "oss_bucket_name is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive7.tf" + "line": 5, + "filename": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive8.tf" + "line": 6, + "filename": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive9.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive9.tf" + "line": 6, + "filename": "positive4.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index 2928f9afc52..68322637c34 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "actiontrail4", + "searchKey": "alicloud_oss_bucket[actiontrail4].acl", + "searchValue": "", + "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write" }, { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "actiontrail3", + "searchKey": "alicloud_oss_bucket[actiontrail3].acl", + "searchValue": "", + "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json index 04690e063a8..92ceedcc1e0 100644 --- a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_alb_listener", + "resourceName": "positive", + "searchKey": "alicloud_alb_listener[positive].listener_protocol", + "searchValue": "", + "expectedValue": "'alicloud_alb_listener[positive].listener_protocol' should not be 'HTTP'", + "actualValue": "'alicloud_alb_listener[positive].listener_protocol' is 'HTTP'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json index 557e90971b5..d0a5f5803a7 100644 --- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" }, { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 21, + "filename": "positive2.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" }, { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json index 3c0a7d0dbae..1673793419c 100644 --- a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "CMK Is Unusable", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "CMK Is Unusable", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.tf" - } -] + { + "queryName": "CMK Is Unusable", + "severity": "MEDIUM", + "line": 5, + "filename": "positive2.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "key", + "searchKey": "alicloud_kms_key[key].is_enabled", + "searchValue": "", + "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", + "actualValue": "alicloud_kms_key[key].is_enabled is set to false" + }, + { + "queryName": "CMK Is Unusable", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "key", + "searchKey": "alicloud_kms_key[key]", + "searchValue": "", + "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", + "actualValue": "alicloud_kms_key[key].is_enabled is not set" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json index 77089e414f3..276e9254d31 100644 --- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" - }, - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.tf" - } -] + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive2.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair ", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default3] to have 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default3] has 'auto_repair' set to false." + }, + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 16, + "filename": "positive3.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default4].management", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default4] to have a 'management' block containing 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' " + }, + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default2]", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json index 308fd94b288..bfad0468fca 100644 --- a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[disk_encryption1]", + "searchValue": "", + "expectedValue": "[disk_encryption1] has encryption enabled", + "actualValue": "[disk_encryption1] does not have encryption enabled" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive2.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[disk_encryption2].encrypted", + "searchValue": "", + "expectedValue": "[disk_encryption2] has encryption set to true", + "actualValue": "[disk_encryption2] has encryption set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json index 960092e47e1..71894e81597 100644 --- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Ecs Data Disk Kms Key Id Undefined", "severity": "HIGH", "line": 2, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[ecs_disk]", + "searchValue": "", + "expectedValue": "[ecs_disk] has kms key id defined", + "actualValue": "[ecs_disk] does not have kms key id defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json index 1d05db81692..641313346ca 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 5, - "fileName": "positive.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'rotation_interval' value should not be higher than a year", + "actualValue": "'rotation_interval' value is higher than a year" }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'automatic_rotation' should be set to Enabled", + "actualValue": "'automatic_rotation' is set to Disabled" }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'automatic_rotation' should be defined and set to Enabled", + "actualValue": "'automatic_rotation' is not defined" }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 1, - "fileName": "positive4.tf" + "line": 6, + "filename": "positive3.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'rotation_interval' value should not be higher than a year", + "actualValue": "'rotation_interval' value is higher than a year" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index d8a89d699eb..db4f4582fbf 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive3", + "searchKey": "alicloud_cs_kubernetes[positive3]", + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive1", + "searchKey": "alicloud_cs_kubernetes[positive1]", + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive1", + "searchKey": "alicloud_cs_kubernetes[positive1]", + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive2", + "searchKey": "alicloud_cs_kubernetes[positive2]", + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json index 22668d31663..23e72f96df6 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", - "line": 36, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive2.tf", + "resourceType": "alicloud_launch_template", + "resourceName": "tf-test-template", + "searchKey": "alicloud_launch_template[templatepos2]", + "searchValue": "", + "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true", + "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined" }, { "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive2.tf" + "line": 36, + "filename": "positive1.tf", + "resourceType": "alicloud_launch_template", + "resourceName": "tf-test-template", + "searchKey": "alicloud_launch_template[templatepos1].encrypted", + "searchValue": "", + "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true", + "actualValue": "alicloud_launch_template[templatepos1].encrypted is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json index 328dd55e0fd..1e7a509b6f8 100644 --- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Log Retention Is Not Greater Than 90 Days", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_log_store", + "resourceName": "tf-log-store", + "searchKey": "alicloud_log_store[example2]", + "searchValue": "", + "expectedValue": "For attribute 'retention_period' should be set and over 90 days.", + "actualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short." }, { "queryName": "Log Retention Is Not Greater Than 90 Days", "severity": "LOW", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_log_store", + "resourceName": "tf-log-store", + "searchKey": "alicloud_log_store[example4].retention_period", + "searchValue": "", + "expectedValue": "For the attribite 'retention_period' should be set to 90+ days", + "actualValue": "The attribute 'retention_period' is not set to 90+ days" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json index be95c4a5441..2acbe514a03 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "NAS File System Not Encrypted", "severity": "HIGH", - "line": 5, - "fileName": "positive.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foopos2", + "searchKey": "alicloud_nas_file_system[foopos2]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ", + "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined" }, { "queryName": "NAS File System Not Encrypted", "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foopos", + "searchKey": "alicloud_nas_file_system[foopos].encrypt_type", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foopos].encrypt_type' should not be 0", + "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json index 21c252eb2f3..6482da156a7 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "NAS File System Without KMS", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "NAS File System Without KMS", - "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" - } -] + { + "queryName": "NAS File System Without KMS", + "severity": "HIGH", + "line": 5, + "filename": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "fooabr", + "searchKey": "alicloud_nas_file_system[fooabr]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'", + "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 " + }, + { + "queryName": "NAS File System Without KMS", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foo", + "searchKey": "alicloud_nas_file_system[foo]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foo].encrypt_type' should be defined and set to 2'", + "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json index 3c52d537f01..250c9066cad 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos]", + "searchValue": "stack_policy_during_update", + "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos2]", + "searchValue": "stack_policy_during_update", + "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos3]", + "searchValue": "stack_policy", + "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos]", + "searchValue": "stack_policy", + "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json index 505f27742ab..5958c046ad0 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "OSS Bucket Allows All Actions From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-policy1", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json index 50ab8630f18..4abf8e62f9d 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "OSS Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 738e8a0babd..b6a9b8f7062 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "OSS Bucket Allows List Action From All Principals", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" - }, - { - "queryName": "OSS Bucket Allows List Action From All Principals", - "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" - } -] + { + "queryName": "OSS Bucket Allows List Action From All Principals", + "severity": "HIGH", + "line": 5, + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept list action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts list action from all principals" + }, + { + "queryName": "OSS Bucket Allows List Action From All Principals", + "severity": "HIGH", + "line": 5, + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-5-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept list action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts list action from all principals" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 2678e6b27c3..b9f7de90805 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-4-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy4].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy4].policy to not accept put action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy4].policy accepts put action from all principals" }, { "queryName": "OSS Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-5-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept put action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts put action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json index 459adb57314..7aa0bdf28f2 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Bucket Encryption Using CMK Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-sserule", + "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption2].server_side_encryption_rule", + "searchValue": "", + "expectedValue": "[bucket_cmk_encryption2].policy has kms master key id defined", + "actualValue": "[bucket_cmk_encryption2].policy does not kms master key id defined" }, { "queryName": "OSS Bucket Encryption Using CMK Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-sserule", + "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption3]", + "searchValue": "", + "expectedValue": "[bucket_cmk_encryption3].policy has server side encryption rule and kms master key id defined", + "actualValue": "[bucket_cmk_encryption3].policy does not have server side encryption rule and kms master key id defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json index 53fa9eee657..a572977805d 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "OSS Bucket Has Static Website", - "severity": "HIGH", - "line": 4, - "fileName": "positive1.tf" - } -] + { + "queryName": "OSS Bucket Has Static Website", + "severity": "HIGH", + "line": 4, + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-website", + "searchKey": "alicloud_oss_bucket[bucket-website1].website", + "searchValue": "", + "expectedValue": "'website' to not be used.", + "actualValue": "'website' is being used." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json index 4c7b05e217f..67810b7795b 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "OSS Bucket Ip Restriction Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy].policy", + "searchValue": "", + "expectedValue": "[bucket-policy].policy has restricted ip access", + "actualValue": "[bucket-policy].policy does not restrict access via ip" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json index d6955f3438d..fdb99a9b853 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json @@ -1,15 +1,26 @@ [ - { - "queryName": "OSS Bucket Lifecycle Rule Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive1.tf" - }, - { - "queryName": "OSS Bucket Lifecycle Rule Disabled", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } - ] - \ No newline at end of file + { + "queryName": "OSS Bucket Lifecycle Rule Disabled", + "severity": "LOW", + "line": 8, + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "oss_bucket_lifecycle_enabled2", + "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled2].lifecycle_rule.enabled", + "searchValue": "", + "expectedValue": "'lifecycle_rule' should be set and enabled", + "actualValue": "'lifecycle_rule' is set but disabled" + }, + { + "queryName": "OSS Bucket Lifecycle Rule Disabled", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-versioning", + "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled3]", + "searchValue": "", + "expectedValue": "'lifecycle_rule' should be set and enabled", + "actualValue": "'lifecycle_rule' is not set" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json index ccde2242e31..caa8044296d 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Bucket Logging Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_logging2]", + "searchValue": "", + "expectedValue": "bucket_logging2 has logging enabled", + "actualValue": "bucket_logging2 does not have logging enabled" }, { "queryName": "OSS Bucket Logging Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-logging", + "searchKey": "alicloud_oss_bucket[bucket_logging1].logging_isenable", + "searchValue": "", + "expectedValue": "bucket_logging1 'logging_isenable' argument should be set to true", + "actualValue": "bucket_logging1 'logging_isenable' argument is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json index 8c58dcc7975..13a3dc4c63e 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Bucket Public Access Enabled", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled2].acl", + "searchValue": "", + "expectedValue": "'acl' should be set to private or not set", + "actualValue": "'acl' is public-read" }, { "queryName": "OSS Bucket Public Access Enabled", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled3].acl", + "searchValue": "", + "expectedValue": "'acl' should be set to private or not set", + "actualValue": "'acl' is public-read-write" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json index 0c791280fca..758fc7c84d8 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Bucket Transfer Acceleration Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket_name", + "searchKey": "alicloud_oss_bucket[bucket-accelerate].transfer_acceleration.enabled", + "searchValue": "", + "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true", + "actualValue": "'transfer_acceleration.enabled' is false" }, { "queryName": "OSS Bucket Transfer Acceleration Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket_name", + "searchKey": "alicloud_oss_bucket[bucket-accelerate2]", + "searchValue": "", + "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true", + "actualValue": "'transfer_acceleration' is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json index 23c3f111df9..2e9c81b48c5 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "OSS Bucket Versioning Disabled", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" - }, - { - "queryName": "OSS Bucket Versioning Disabled", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" - } - ] + { + "queryName": "OSS Bucket Versioning Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-versioning", + "searchKey": "alicloud_oss_bucket[bucket-versioning3]", + "searchValue": "", + "expectedValue": "'versioning.status' should be defined and set to enabled", + "actualValue": "'versioning' is missing" + }, + { + "queryName": "OSS Bucket Versioning Disabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-versioning", + "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status", + "searchValue": "", + "expectedValue": "'versioning.status' should be enabled", + "actualValue": "'versioning.status' is suspended" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json index abd80438ad1..5dd2b210e92 100644 --- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "OSS Buckets Secure Transport Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-securetransport1", + "searchKey": "alicloud_oss_bucket[bucket-securetransport1].policy", + "searchValue": "", + "expectedValue": "bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests", + "actualValue": "bucket-securetransport1[%!s(MISSING)].policy accepts HTTP Requests" }, { "queryName": "OSS Buckets Secure Transport Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-policy", + "searchKey": "alicloud_oss_bucket[bucket-securetransport3].policy", + "searchValue": "", + "expectedValue": "bucket-securetransport3[%!s(MISSING)].policy should not accept HTTP Requests", + "actualValue": "bucket-securetransport3[%!s(MISSING)].policy accepts HTTP Requests" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json index d98699c04c7..3a487f3f830 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Public Security Group Rule All Ports or Protocols", - "severity": "HIGH", - "line": 13, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Security Group Rule All Ports or Protocols", - "severity": "HIGH", - "line": 13, - "fileName": "positive2.tf" - }, - { - "queryName": "Public Security Group Rule All Ports or Protocols", - "severity": "HIGH", - "line": 13, - "fileName": "positive3.tf" - } -] + { + "queryName": "Public Security Group Rule All Ports or Protocols", + "severity": "HIGH", + "line": 13, + "filename": "positive2.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", + "searchValue": "", + "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol" + }, + { + "queryName": "Public Security Group Rule All Ports or Protocols", + "severity": "HIGH", + "line": 13, + "filename": "positive3.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", + "searchValue": "", + "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol" + }, + { + "queryName": "Public Security Group Rule All Ports or Protocols", + "severity": "HIGH", + "line": 13, + "filename": "positive1.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", + "searchValue": "", + "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all", + "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json index 8cd21f4cb92..9796f38ce48 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Public Security Group Rule Sensitive Port", - "severity": "HIGH", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Security Group Rule Sensitive Port", - "severity": "HIGH", - "line": 10, - "fileName": "positive2.tf" - }, - { - "queryName": "Public Security Group Rule Sensitive Port", - "severity": "HIGH", - "line": 10, - "fileName": "positive3.tf" - } -] + { + "queryName": "Public Security Group Rule Sensitive Port", + "severity": "HIGH", + "line": 10, + "filename": "positive3.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "445", + "expectedValue": "all:445 port should not be allowed", + "actualValue": "all:445 port is allowed" + }, + { + "queryName": "Public Security Group Rule Sensitive Port", + "severity": "HIGH", + "line": 10, + "filename": "positive1.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "20", + "expectedValue": "tcp:20 port should not be allowed", + "actualValue": "tcp:20 port is allowed" + }, + { + "queryName": "Public Security Group Rule Sensitive Port", + "severity": "HIGH", + "line": 10, + "filename": "positive2.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "4333", + "expectedValue": "udp:4333 port should not be allowed", + "actualValue": "udp:4333 port is allowed" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json index 80a2c2a200c..06ad12e8742 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Public Security Group Rule Unknown Port", "severity": "HIGH", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "", + "expectedValue": "port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "port_range contains unknown ports and are exposed to the entire Internet" }, { "queryName": "Public Security Group Rule Unknown Port", "severity": "HIGH", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "", + "expectedValue": "port_range should not contain ports unknown and should not be exposed to the entire Internet", + "actualValue": "port_range contains ports unknown and are exposed to the entire Internet" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json index d14c93ba305..eaea19ce202 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Ram Account Password Policy Max Login Attempts Unrecommended", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].max_login_attempts", + "searchValue": "", + "expectedValue": "'max_login_attempts' should be set to 5 or less", + "actualValue": "'max_login_attempts' is above than 5" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json index cfc7756ec85..8764b1ed27e 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Ram Account Password Policy Max Password Age Unrecommended", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Ram Account Password Policy Max Password Age Unrecommended", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.tf" - }, - { - "queryName": "Ram Account Password Policy Max Password Age Unrecommended", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive3.tf" - } - ] + { + "queryName": "Ram Account Password Policy Max Password Age Unrecommended", + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", + "searchValue": "", + "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", + "actualValue": "'max_password_age' is higher than 90" + }, + { + "queryName": "Ram Account Password Policy Max Password Age Unrecommended", + "severity": "MEDIUM", + "line": 8, + "filename": "positive3.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", + "searchValue": "", + "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", + "actualValue": "'max_password_age' is equal to 0" + }, + { + "queryName": "Ram Account Password Policy Max Password Age Unrecommended", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchValue": "", + "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", + "actualValue": "'max_password_age' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json index 8c9c0f8181b..d12d0b2c3c3 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Ram Account Password Policy Not Required Minimum Length", "severity": "LOW", - "line": 2, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ", + "actualValue": "'minimum_password_length' is not defined" }, { "queryName": "Ram Account Password Policy Not Required Minimum Length", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 2, + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be defined and set to 14 or above", + "actualValue": "'minimum_password_length' is lower than 14" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json index de07152d6ee..218be58f2e5 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Ram Account Password Policy Not Required Numbers", "severity": "LOW", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].require_numbers", + "searchValue": "", + "expectedValue": "'require_numbers' should be defined and set to true", + "actualValue": "'require_numbers' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json index 46255c5cc41..6ff1d6ccc2d 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RAM Account Password Policy Not Required Symbols", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate2", + "searchKey": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols", + "searchValue": "", + "expectedValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols should be set to 'true'", + "actualValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json index fe5728ac173..a591e517bc5 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "RAM Account Password Policy without Reuse Prevention", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be equal or less 24", + "actualValue": "'password_reuse_prevention' is higher than 24" }, { - "queryName": "RAM Account Password Policy without Reuse Prevention", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.tf" - } -] + "queryName": "RAM Account Password Policy without Reuse Prevention", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24", + "actualValue": "'password_reuse_prevention' is not defined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json index 6ff9fbdede7..8d2a35e2bfd 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Ram Account Password Policy Not Require At Least one Lowercase Character", "severity": "LOW", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].require_lowercase_characters", + "searchValue": "", + "expectedValue": "'require_lowercase_characters' should be defined and set to true", + "actualValue": "'require_lowercase_characters' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json index c1582b50b4a..d9e05a3c2d3 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RAM Account Password Policy Not Require at Least one Uppercase Character", "severity": "LOW", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_account_password_policy", + "resourceName": "corporate", + "searchKey": "alicloud_ram_account_password_policy[corporate].require_uppercase_characters", + "searchValue": "", + "expectedValue": "'require_uppercase_characters' should be defined and set to true", + "actualValue": "'require_uppercase_characters' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json index 497637249cc..59371022391 100644 --- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_user_policy_attachment", + "resourceName": "attach", + "searchKey": "alicloud_ram_user_policy_attachment[attach].policy_name", + "searchValue": "", + "expectedValue": "alicloud_ram_policy[policy4] should not give admin access to any user, group or role", + "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access" }, { "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.tf" + "line": 49, + "filename": "positive3.tf", + "resourceType": "alicloud_ram_role_policy_attachment", + "resourceName": "attach", + "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name", + "searchValue": "", + "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role", + "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access" }, { "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", "severity": "MEDIUM", - "line": 49, - "fileName": "positive3.tf" + "line": 32, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_group_policy_attachment", + "resourceName": "attach", + "searchKey": "alicloud_ram_group_policy_attachment[attach].policy_name", + "searchValue": "", + "expectedValue": "alicloud_ram_policy[policy5] should not give admin access to any user, group or role", + "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json index 3404fe656f2..300f724f727 100644 --- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Ram Policy Attached to User", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_user_policy_attachment", + "resourceName": "attach", + "searchKey": "alicloud_ram_user_policy_attachment[attach]", + "searchValue": "", + "expectedValue": "alicloud_ram_user_policy_attachment[attach] should be undefined", + "actualValue": "alicloud_ram_user_policy_attachment[attach] is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json index 7215cbff00d..325eb040490 100644 --- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "RAM Security Preference Not Enforce MFA Login", "severity": "LOW", - "line": 11, - "fileName": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_security_preference", + "resourceName": "example2", + "searchKey": "alicloud_ram_security_preference[example2]", + "searchValue": "", + "expectedValue": "'enforce_mfa_for_login' should be set to true", + "actualValue": "'enforce_mfa_for_login' is set to 'false'" }, { "queryName": "RAM Security Preference Not Enforce MFA Login", "severity": "LOW", - "line": 14, - "fileName": "positive2.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "alicloud_ram_security_preference", + "resourceName": "example1", + "searchKey": "alicloud_ram_security_preference[example1]", + "searchValue": "", + "expectedValue": "'enforce_mfa_for_login' should be defined and set to true", + "actualValue": "'enforce_mfa_for_login' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json index 32a9bcec0b0..dc65104a23f 100644 --- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "example", + "searchKey": "alicloud_db_instance[example].address", + "searchValue": "", + "expectedValue": "'address' should not be set to '0.0.0.0/0'", + "actualValue": "'address' is set to '0.0.0.0/0'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json index d06825af75c..3279b040c89 100644 --- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map.rds_enabled", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter value is 'false'" }, { "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json index ba86d6a30eb..28ff9bf2763 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_connections' parameter value should be 'ON'", + "actualValue": "'log_connections' parameter value is 'OFF'" }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_connections' parameter is not defined in parameters array" }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_connections' parameter is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json index f75edb57cb9..08517d91a79 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_disconnections' parameter is not defined" }, { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]]", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array", + "actualValue": "'log_disconnections' parameter is not defined in parametes array" }, { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter value should be 'ON'", + "actualValue": "'log_disconnections' parameter value is 'OFF'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json index fbf1412ab90..18b0198c38d 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]]", + "searchValue": "", + "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_duration' parameter is not defined in parameters array" }, { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_duration' parameter should be defined and value should be 'ON'", + "actualValue": "'log_duration' parameter is not defined" }, { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_duration' parameter value should be 'ON'", + "actualValue": "'log_duration' parameter value is 'OFF'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json index 2fa2c88c80a..fe8036a0197 100644 --- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0' is in 'security_ips' list" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0/0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0/0' is in 'security_ips' list" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 516ef3469b8..6105d98b089 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_status", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 1, - "fileName": "positive3.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].sql_collector_config_value", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is set to 30" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 7, - "fileName": "positive4.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].sql_collector_status", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is set to 'Disabled'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json index 884e34ebed6..e00fc22e8ef 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' is not defined" }, { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].ssl_action", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' value is 'Close'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json index f9aac5a2630..d00c6d27e28 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' is not declared" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' is not declared" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", - "line": 1, - "fileName": "positive4.tf" + "line": 6, + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json index 8d96395e757..8fae52d0f45 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 3, - "fileName": "positive.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should be defined", + "actualValue": "stack 'notification_urls' is not defined" }, { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 3, + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should have urls", + "actualValue": "stack 'notification_urls' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json index b347e2dd2b1..03d7fffd678 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example]", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined" }, { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 6, + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json index d53d3d5cbf8..0078b4a6a49 100644 --- a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "ROS Stack Without Template", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - } - ] + { + "queryName": "ROS Stack Without Template", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set.", + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json index 0787eeaa125..88832f8e675 100644 --- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SLB Policy With Insecure TLS Version In Use", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_slb_tls_cipher_policy", + "resourceName": "positive", + "searchKey": "alicloud_slb_tls_cipher_policy[positive].tls_versions", + "searchValue": "", + "expectedValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions to use secure TLS versions", + "actualValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions uses insecure TLS versions" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json index 42b4e6f8dec..519d932de54 100644 --- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "VPC Flow Logs Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_vpc", + "resourceName": "main", + "searchKey": "alicloud_vpc[main]", + "searchValue": "", + "expectedValue": "alicloud_vpc[main] is associated with an 'alicloud_vpc_flow_log'", + "actualValue": "alicloud_vpc[main] is not associated with an 'alicloud_vpc_flow_log'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json index e663004ce62..2838e914784 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive4]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive1].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive2]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive3].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 412dc085a1f..0a1b53974ab 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -3,12 +3,12 @@ "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" - }, - { - "queryName": "ALB Is Not Integrated With WAF", - "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "foo", + "searchKey": "aws_alb[foo]", + "searchValue": "", + "expectedValue": "'aws_alb[foo]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json index 8a0e258e845..6b5d68157f3 100644 --- a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener5", + "searchKey": "aws_lb_listener[listener5].default_action.redirect.protocol", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect.protocol' is equal 'HTTP'" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 70, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener", + "searchKey": "aws_lb_listener[listener].default_action", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json index 1f97c90fd36..4a624e402b4 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 1, - "filename": "positive5.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 1, - "filename": "positive6.tf" + "line": 8, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 2497e484f40..1d7750ff86f 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 10, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dms_replication_instance", + "resourceName": "test", + "searchKey": "aws_dms_replication_instance[test].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_dms_replication_instance[test].publicly_accessible should be set to false", + "actualValue": "aws_dms_replication_instance[test].publicly_accessible is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index f2d96094196..66812a61840 100644 --- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "example", + "searchKey": "resource.aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_mq_broker[positive1].encryption_options should be defined", + "actualValue": "resource.aws_mq_broker[positive1].encryption_options is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json index c602b4411df..a8e1aea64c9 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 29, - "fileName": "positive.tf" + "line": 25, + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 25, - "fileName": "positive.tf" + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive1].ebs_block_device", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "'rule.ebs_block_device' is undefined" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 7, - "fileName": "positive.tf" + "line": 29, + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive3]", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index e24986c08b3..47437d0df94 100644 --- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive1", + "searchKey": "aws_ami_launch_permission[positive1].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive1].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive1].image_id' is shared with multiple accounts" }, { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive2", + "searchKey": "aws_ami_launch_permission[positive2].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive2].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive2].image_id' is shared with multiple accounts" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 1e3d8fd2c04..913b498c1c7 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -2,79 +2,157 @@ { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 28, + "filename": "positive2.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive21", + "searchKey": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.tf" + "line": 10, + "filename": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive40", + "searchKey": "aws_api_gateway_method_settings[allpositive4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive41", + "searchKey": "aws_apigatewayv2_stage[positive41]", + "searchValue": "default_route_settings", + "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 28, - "filename": "positive2.tf" + "line": 27, + "filename": "positive3.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive31", + "searchKey": "aws_apigatewayv2_stage[positive31].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf" + "filename": "positive6.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive60", + "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.tf" + "line": 15, + "filename": "positive5.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive50", + "searchKey": "aws_api_gateway_method_settings[allpositive5].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level should not be set to OFF", + "actualValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level is set to OFF" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive10", + "searchKey": "aws_api_gateway_stage[positive10]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive4.tf" + "filename": "positive1.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive11", + "searchKey": "aws_apigatewayv2_stage[positive11]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.tf" + "line": 1, + "filename": "positive7.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive70", + "searchKey": "aws_api_gateway_stage[positive70]", + "searchValue": "aws_api_gateway_method_settings", + "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", + "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 28, - "filename": "positive5.tf" + "line": 14, + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive30", + "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive6.tf" + "line": 27, + "filename": "positive6.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive61", + "searchKey": "aws_apigatewayv2_stage[positive61].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 27, - "filename": "positive6.tf" + "line": 28, + "filename": "positive5.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive51", + "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", + "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive7.tf" + "line": 15, + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive20", + "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index c77dbf0991b..ff651b3358c 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example4", + "searchKey": "aws_api_gateway_deployment[example4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", + "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example3", + "searchKey": "aws_api_gateway_deployment[example3]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example3] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[example3] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "examplee", + "searchKey": "aws_api_gateway_deployment[examplee]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index c90c5d51934..bea16938911 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 1, - "filename": "positive1.tf" + "line": 9, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_deployment[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 9, - "filename": "positive1.tf" + "line": 14, + "filename": "positive2.json", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "aws_api_gateway_deployment.positive1", + "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 14, - "filename": "positive2.json" + "line": 31, + "filename": "positive2.json", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "aws_api_gateway_deployment.positive2", + "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 31, - "filename": "positive2.json" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_deployment[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 312133f896e..63f3e25a8b5 100644 --- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]", + "searchValue": "", + "expectedValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' should be 'PRIVATE'.", + "actualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'." } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 96be3ea7103..f9668ec9804 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ { - "line": 1, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive2", + "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", + "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'" }, { - "line": 13, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "resource.aws_api_gateway_method[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", + "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json index e8ac44bb382..91157d40427 100644 --- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 40, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific", + "searchKey": "aws_api_gateway_method_settings[{{path_specific}}].settings.cache_data_encrypted", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false" }, { "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 48, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific_2", + "searchKey": "aws_api_gateway_method_settings[{{path_specific_2}}].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 622bd75d7de..8fd77034128 100644 --- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index 4b6ad1bccab..d0cc2fc246d 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive4", + "searchKey": "aws_api_gateway_stage[positive4]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive3", + "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive4.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 173ab08fb39..7ad8a4a563c 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be set and have a value greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is undefined" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive2].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is -1" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 28 + "line": 28, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive3].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is 10485760" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json index ca54d5a0e5d..810be375519 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "API Gateway With Open Access", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_method[positive1].http_method", + "searchValue": "", + "expectedValue": "aws_api_gateway_method.authorization should only be 'NONE' if http_method is 'OPTIONS'", + "actualValue": "aws_api_gateway_method[positive1].authorization type is 'NONE' and http_method is not ''OPTIONS'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 1f2ddd7d112..635729b3eb5 100644 --- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "auth-demo", + "searchKey": "aws_api_gateway_rest_api[demo2]", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json index dabda1db530..09a4ee40679 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example2", + "searchKey": "aws_api_gateway_domain_name[example2].security_policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", + "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0" }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example", + "searchKey": "aws_api_gateway_domain_name[example]", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example].security_policy should be set", + "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index f463395207b..fc8f01acdc4 100644 --- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 1 - } -] + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'client_certificate_id' should be set", + "actualValue": "Attribute 'client_certificate_id' is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json index f27dbae4e51..48890cad7ec 100644 --- a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "line": 75, - "fileName": "positive.tf" - } -] + { + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "line": 75, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 1af365e3611..6343aa7764c 100644 --- a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' should be true", + "actualValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' is false" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' should be set", + "actualValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json index 18c66e3bef2..f6b719e087c 100644 --- a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Athena Database Not Encrypted", "severity": "HIGH", "line": 5, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_athena_database", + "resourceName": "database_name", + "searchKey": "aws_athena_database[{{hoge}}]", + "searchValue": "", + "expectedValue": "aws_athena_database[{{hoge}}] encryption_configuration should be defined", + "actualValue": "aws_athena_database[{{hoge}}] encryption_configuration is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json index 20026ebe822..689e505bb7d 100644 --- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 1, - "filename": "positive1.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive1.tf" + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 21, - "filename": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example}}]", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json index 9477d4c16c9..b8ecc769598 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", - "line": 16, - "filename": "positive1.tf" + "line": 5, + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined" }, { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", - "line": 5, - "filename": "positive2.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json index b19f10f0100..91c1eb54c0b 100644 --- a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Authentication Without MFA", "severity": "LOW", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false" }, { "queryName": "Authentication Without MFA", "severity": "LOW", "line": 19, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive2].policy", + "searchValue": "", + "expectedValue": "The attributes 'policy.Statement.Condition', 'policy.Statement.Condition.BoolIfExists', and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be defined and not null", + "actualValue": "The attribute(s) 'policy.Statement.Condition' or/and 'policy.Statement.Condition.BoolIfExists' or/and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is/are undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index e75a9075e68..7e7226db2e7 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive6.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive5.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar", + "searchKey": "aws_autoscaling_group[bar]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3]", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 1, - "fileName": "positive5.tf" + "line": 14, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4].load_balancers", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "positive2", + "searchKey": "aws_autoscaling_group[positive2].load_balancers", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 83ba730529e..bbc4a955a35 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 13, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 11, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json index fe9dda79ff0..0343d474c7d 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg]", + "searchValue": "", + "expectedValue": "'tags' should be defined and not null", + "actualValue": "'tags' is undefined or null" }, { "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "foobar3-terraform-test", + "searchKey": "aws_autoscaling_group[positive1]", + "searchValue": "", + "expectedValue": "'tags' or 'tag' should be defined and not null", + "actualValue": "'tags' and 'tag' are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json index aee6e567c5a..8f94d0f65e1 100644 --- a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "aws_eip", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is missing domain field set to \"vpc\"" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive6.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "Vpc is not set to true" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "fileName": "positive3.tf" + "line": 6, + "filename": "positive9.tf", + "resourceType": "aws_eip", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_eip", + "resourceName": "transfer_eip", + "searchKey": "aws_eip[transfer_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 5, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is missing domain field set to \"vpc\"" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive6.tf" + "filename": "positive8.tf", + "resourceType": "aws_eip", + "resourceName": "eip_example", + "searchKey": "aws_eip[eip_example]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "fileName": "positive7.tf" + "line": 5, + "filename": "positive5.tf", + "resourceType": "aws_eip", + "resourceName": "one", + "searchKey": "aws_eip[one]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive8.tf" + "filename": "positive3.tf", + "resourceType": "aws_eip", + "resourceName": "nat_eip", + "searchKey": "aws_eip[nat_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 6, - "fileName": "positive9.tf" + "line": 1, + "filename": "positive7.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "Domain is not set to \"vpc\"" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 27c0f9f9aa7..33071341077 100644 --- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2].allow_users_to_change_password", + "searchValue": "", + "expectedValue": "'allow_users_to_change_password' should equal 'true'", + "actualValue": "'allow_users_to_change_password' is equal 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index 02df24b24d5..605456dca1e 100644 --- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ { - "line": 11, "queryName": "Batch Job Definition With Privileged Container Properties", - "severity": "HIGH" + "severity": "HIGH", + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_batch_job_definition", + "resourceName": "tf_test_batch_job_definition", + "searchKey": "aws_batch_job_definition[positive1].container_properties.privileged", + "searchValue": "", + "expectedValue": "aws_batch_job_definition[positive1].container_properties.privileged should be 'false' or not set", + "actualValue": "aws_batch_job_definition[positive1].container_properties.privileged is 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 9ae3e7fd697..27a7602d948 100644 --- a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -3,150 +3,300 @@ "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 11, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].ebs_block_device.0.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 28, - "fileName": "positive1.tf" + "line": 29, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.0.ebs", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 36, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].ebs_block_device.0", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 7, - "fileName": "positive2.tf" + "line": 36, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "test-launch-config", + "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true", + "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 16, - "fileName": "positive2.tf" + "line": 26, + "filename": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9-legacy].root_block_device.0", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 28, - "fileName": "positive2.tf" + "line": 24, + "filename": "positive6.tf", + "resourceType": "aws_instance", + "resourceName": "web-app-instance", + "searchKey": "aws_instance[example2].ebs_block_device", + "searchValue": "", + "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set", + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 35, - "fileName": "positive2.tf" + "line": 18, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].root_block_device.0.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 11, - "fileName": "positive3.tf" + "line": 7, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "web-app-instance", + "searchKey": "aws_instance[example1].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true", + "actualValue": "aws_instance[example1].root_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 17, - "fileName": "positive3.tf" + "line": 27, + "filename": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8-legacy].root_block_device.0.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 27, - "fileName": "positive3.tf" + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 29, - "fileName": "positive3.tf" + "line": 31, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5", + "searchKey": "aws_instance[example2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true", + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 7, - "fileName": "positive4.tf" + "line": 10, + "filename": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8-aws6].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 18, - "fileName": "positive4.tf" + "line": 16, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].root_block_device.0", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 27, - "fileName": "positive4.tf" + "line": 9, + "filename": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9-aws6].root_block_device", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 41, - "fileName": "positive4.tf" + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_instance", + "resourceName": "web-app-instance", + "searchKey": "aws_instance[example1].root_block_device", + "searchValue": "", + "expectedValue": "aws_instance[example1].root_block_device.encrypted should be set", + "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 7, - "fileName": "positive5.tf" + "line": 11, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7-aws6].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 31, - "fileName": "positive5.tf" + "line": 29, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7-legacy].root_block_device.0.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 5, - "fileName": "positive6.tf" + "line": 35, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.1.ebs", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 24, - "fileName": "positive6.tf" + "line": 27, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 11, - "fileName": "positive7.tf" + "line": 17, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].root_block_device.0", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 29, - "fileName": "positive7.tf" + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "example2", + "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true", + "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "fileName": "positive8.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "example1", + "searchKey": "aws_launch_configuration[example1].ebs_block_device", + "searchValue": "", + "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set", + "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 27, - "fileName": "positive8.tf" + "line": 28, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.0.ebs", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 9, - "fileName": "positive9.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].ebs_block_device.0", + "searchValue": "", + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 26, - "fileName": "positive9.tf" + "line": 27, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", + "searchValue": "", + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 245876f319a..324d1659b1d 100644 --- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].ca_cert_identifier", + "searchValue": "", + "expectedValue": "'aws_db_instance.ca_cert_identifier' should be one provided by Amazon RDS.", + "actualValue": "'aws_db_instance.ca_cert_identifier' is 'rds-ca-2015'" }, { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].ca_cert_identifier", + "searchValue": "", + "expectedValue": "'ca_cert_identifier' should be one provided by Amazon RDS.", + "actualValue": "'ca_cert_identifier' is 'rds-ca-2015'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 2a75eeb2298..0155c8b9646 100644 --- a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1].enabled", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive1].enabled should be set to 'true'", + "actualValue": "resource.aws_cloudfront_distribution[positive1].enabled is configured as 'false'" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 61 + "line": 61, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2]", + "searchValue": "enabled", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'", + "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 61 + "line": 61, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2]", + "searchValue": "origin", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined", + "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json index e7adcba6c9b..557332fb54e 100644 --- a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Certificate Has Expired", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example2", + "searchKey": "aws_api_gateway_domain_name[example2].certificate_body", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example2].certificate_body should not have expired", + "actualValue": "aws_api_gateway_domain_name[example2].certificate_body has expired" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index e03996e371c..8cfe0569d03 100644 --- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", - "line": 2, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_iam_server_certificate", + "resourceName": "test_cert2", + "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body", + "searchValue": "", + "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" }, { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.tf" + "line": 2, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example", + "searchKey": "aws_api_gateway_domain_name[example].certificate_body", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 0e8947653f8..572d3200d74 100644 --- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "aws_cloudfront_distribution[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudfront_distribution[positive1].logging_config should be defined", + "actualValue": "aws_cloudfront_distribution[positive1].logging_config is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index d994045fcec..585f9b3379b 100644 --- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 96 + "line": 96, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.{{/content/immutable/*}}.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 6885c67a30f..88aa044040f 100644 --- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 25, + "filename": "positive2.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 25, - "fileName": "positive2.tf" + "line": 23, + "filename": "positive4.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 24, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive3", + "searchKey": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' should be 'false'", + "actualValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' is 'true'" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 23, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json index 109793cfe3c..5913946941e 100755 --- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "aws_cloudfront_distribution[positive1].web_acl_id", + "searchValue": "", + "expectedValue": "'web_acl_id' should exist", + "actualValue": "'web_acl_id' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 38519cfef6e..2003ccc8096 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive1].enable_log_file_validation' should be set", + "actualValue": "'aws_cloudtrail[positive1].enable_log_file_validation' is undefined" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive2", + "searchKey": "aws_cloudtrail[positive2].enable_log_file_validation", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive2].enable_log_file_validation' should be true", + "actualValue": "'aws_cloudtrail[positive2].enable_log_file_validation' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 1b50e20f3e9..f966105eab2 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive1].kms_key_id should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].kms_key_id is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json index f1f9a1ab388..5810fe2df83 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", - "line": 25, - "filename": "positive1.tf" + "line": 24, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "module[s3_bucket] to not be publicly accessible", + "actualValue": "module[s3_bucket] is publicly accessible" }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", - "line": 23, - "filename": "positive2.tf" + "line": 25, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket[b] to not be publicly accessible", + "actualValue": "aws_s3_bucket[b] is publicly accessible" }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", - "line": 24, - "filename": "positive3.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "module[s3_bucket] to not be publicly accessible", + "actualValue": "module[s3_bucket] is publicly accessible" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json index 3a2437a6896..1b834eaa2bf 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "tf-test-trail", + "searchKey": "aws_s3_bucket[foo]", + "searchValue": "", + "expectedValue": "aws_s3_bucket[foo] to have 'logging' defined", + "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined" }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 21, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-example-bucket", + "searchKey": "aws_s3_bucket[bb]", + "searchValue": "", + "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined", + "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined" }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[foo]", + "searchValue": "", + "expectedValue": "'logging' should be defined", + "actualValue": "'logging' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 8e57b93dc88..b9076c93df5 100644 --- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive", + "searchKey": "aws_cloudtrail.positive1.enable_logging", + "searchValue": "", + "expectedValue": "aws_cloudtrail.positive1.enable_logging should be true", + "actualValue": "aws_cloudtrail.positive1.enable_logging is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index 64b89e0ab91..ab5752c9c51 100644 --- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive1].is_multi_region_trail should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 4, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_3", + "searchKey": "aws_cloudtrail[positive3].include_global_service_events", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", + "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive3.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_2", + "searchKey": "aws_cloudtrail[positive2].is_multi_region_trail", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive2].is_multi_region_trail should be set to true", + "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 8f79cf0b981..5409436d20a 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 1, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "cloud_watch_logs_group_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 1, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "cloud_watch_logs_role_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index ab5ba6bb6b4..85bd3ca51d8 100644 --- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive1].sns_topic_name' should be set and should not be null", + "actualValue": "'aws_cloudtrail[positive1].sns_topic_name' is undefined or null" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive2", + "searchKey": "aws_cloudtrail[positive2]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive2].sns_topic_name' should be set and should not be null", + "actualValue": "'aws_cloudtrail[positive2].sns_topic_name' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json index 1459de355bb..45231079711 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json index b56668d3c45..be32284b090 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json index 89ee21fe61c..abc9d08c593 100644 --- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json index 01f6d72185c..ac029f2565d 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json index 524dfb593ab..19b601944a7 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json index 8dcb4abaef3..7c33a865651 100644 --- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json index 0300572746a..e2d2cc06d80 100644 --- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CloudWatch Log Group Without KMS", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[negative1]", + "searchValue": "", + "expectedValue": "Attribute 'kms_key_id' should be set", + "actualValue": "Attribute 'kms_key_id' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index a8111fc9274..c83b148e562 100644 --- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 10 - } -] + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_route53_query_log", + "resourceName": "log_group_mismatch", + "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' log group refers to the query log", + "actualValue": "'aws_route53_query_log' log group does not match with the log name" + }, + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_route53_zone", + "resourceName": "example.com", + "searchKey": "aws_route53_zone[no_query_log]", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' should be set for respective 'aws_route53_zone'", + "actualValue": "'aws_route53_query_log' is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json index 98c3bff2732..5323eee3f3b 100644 --- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CloudWatch Logs Destination With Vulnerable Policy", "severity": "LOW", "line": 22, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_destination_policy", + "resourceName": "test_destination_policy", + "searchKey": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy should not have wildcard in 'principals' and 'actions'", + "actualValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy has wildcard in 'principals' or 'actions'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json index 3ea9b674763..c1d0797ca68 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json index 66cbc78e523..fba844ce283 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index fda8b64338a..6179f223ddf 100644 --- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled should be true", + "actualValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled is false" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_method_settings[positive2].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json index a206a39b44e..8b100393498 100644 --- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json index 1e6878d363a..32b2ac78cab 100644 --- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json index d146a964901..288d51b51d5 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json index 6e6bdca530c..29daa1a4b97 100644 --- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_no_mfa_console_signin_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 3, - "fileName": "positive4.tf" + "line": 31, + "filename": "positive5.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_no_mfa_console_signin_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.tf" + "line": 3, + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json index 378c98dd2b2..3cdab796a70 100644 --- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json index a85b9cc9ec1..8a16ec399c9 100644 --- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json index b13d90ce06d..83e864459c8 100644 --- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index f2071da151f..635797e514b 100644 --- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'retention_in_days' should be set and valid", + "actualValue": "Attribute 'retention_in_days' is undefined" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[positive2].retention_in_days", + "searchValue": "", + "expectedValue": "Attribute 'retention_in_days' should be set and valid", + "actualValue": "Attribute 'retention_in_days' is set but invalid" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json index d08e5c00762..4089042d009 100644 --- a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "a", + "searchKey": "aws_kms_key[a].is_enabled", + "searchValue": "", + "expectedValue": "aws_kms_key[a].is_enabled should be set to true", + "actualValue": "aws_kms_key[a].is_enabled is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json index 09a15bd8446..90fd3d10529 100644 --- a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive3", + "searchKey": "aws_kms_key[positive3]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive3].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive3].enable_key_rotation is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive4", + "searchKey": "aws_kms_key[positive4]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive4].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive4].enable_key_rotation is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive2].enable_key_rotation is false" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive5.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive5", + "searchKey": "aws_kms_key[positive5]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false", + "actualValue": "aws_kms_key[positive5].enable_key_rotation is true" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "filename": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json index 7c4547c7354..f3c5e321f47 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CodeBuild Project Encrypted With AWS Managed Key", "severity": "LOW", - "line": 35 + "line": 35, + "filename": "positive.tf", + "resourceType": "aws_codebuild_project", + "resourceName": "project-cloudrail-test", + "searchKey": "aws_codebuild_project[project-cloudrail-test].encryption_key", + "searchValue": "", + "expectedValue": "CodeBuild Project should not be encrypted with AWS managed key", + "actualValue": "CodeBuild Project is encrypted with AWS managed key" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index 0942578b863..a051efc8616 100644 --- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 1 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive2", + "searchKey": "aws_cognito_user_pool[positive2]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", + "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 16 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive1", + "searchKey": "aws_cognito_user_pool[positive1]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", + "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 32 + "line": 32, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive3", + "searchKey": "aws_cognito_user_pool[positive3]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive3] should have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "actualValue": "aws_cognito_user_pool[positive3] doesn't have 'sms_configuration' or 'software_token_mfa_configuration' defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 66411526a70..75b84b80a6a 100644 --- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 4, - "fileName": "positive.tf" + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 16, - "fileName": "positive.tf" + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 2130cceed2f..03ac1b43fcf 100644 --- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_config_config_rule", + "resourceName": "unknown", + "searchKey": "aws_config_config_rule", + "searchValue": "", + "expectedValue": "There should be a 'aws_config_config_rule' resource with source id: 'ENCRYPTED_VOLUMES'", + "actualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index ba8676020d4..8cc81735d89 100644 --- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive3].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index d4de57a7a33..c7e30f7c680 100644 --- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 1, - "filename": "positive1.tf" + "line": 25, + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_3", + "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 14, - "filename": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_1", + "searchKey": "aws_dax_cluster[{{bar_1}}]", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption is missing" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 25, - "filename": "positive1.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_2", + "searchKey": "aws_dax_cluster[{{bar_2}}].server_side_encryption", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 9fc13b5371e..77fe1a32cf2 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 14, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive3.tf" - } -] + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 3190fe513b0..017bb765229 100644 --- a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 9, - "fileName": "positive2.tf" - } -] + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress.cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress.cidr' is '0.0.0.0/0'" + }, + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress[1].cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress[1].cidr' is '0.0.0.0/0'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index a231edd750c..daebc1d0802 100644 --- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' > 24", + "actualValue": "'aws_db_security_group.ingress.cidr' <= 24" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 48e1b64a9c2..144be67a3d9 100644 --- a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' != 0.0.0.0/0", + "actualValue": "'aws_db_security_group.ingress.cidr'= 0.0.0.0/0" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 3cc3958c7b9..97d0dee825a 100644 --- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_default_security_group[positive1]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive2", + "searchKey": "aws_default_security_group[positive2]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 24 + "line": 24, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive3", + "searchKey": "aws_default_security_group[positive3]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json index 67846e5982e..bcb92c7fcef 100644 --- a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Default VPC Exists", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.default_vpc_name", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists" }, { "queryName": "Default VPC Exists", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_default_vpc", + "resourceName": "Default VPC", + "searchKey": "aws_default_vpc[positive1]", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json index 8788d51d849..5908642ae0f 100644 --- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DOCDB Cluster Encrypted With AWS Managed Key", "severity": "LOW", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "test2", + "searchKey": "aws_docdb_cluster[test2].kms_key_id", + "searchValue": "", + "expectedValue": "DOCDB Cluster should not be encrypted with AWS managed key", + "actualValue": "DOCDB Cluster is encrypted with AWS managed key" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json index bf3c7122305..ff59b96eec9 100644 --- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is missing" }, { "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 19, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb_2", + "searchKey": "aws_docdb_cluster[{{docdb_2}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json index 6556e064692..19960badf32 100644 --- a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "DOCDB Cluster Without KMS", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.kms_key_id should be defined and not null", + "actualValue": "aws_docdb_cluster.kms_key_id is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json index 0c84ccf6804..5d5546daed3 100644 --- a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive3", + "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive4", + "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive2", + "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive1", + "searchKey": "aws_docdb_cluster[{{positive1}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index 4fe338ed241..20f6697a608 100644 --- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 1, - "filename": "positive1.tf" + "line": 30, + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 30, - "filename": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index bb0ed6d24e4..229e2d1482e 100644 --- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 10, - "filename": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", + "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 1, - "filename": "positive2.tf" + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", + "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json index 2d63fdae815..1aec53fef37 100644 --- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Dynamodb VPC Endpoint Without Route Table Association", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "aws_vpc_endpoint", + "resourceName": "dynamodb-vpce-gw", + "searchKey": "aws_vpc_endpoint[dynamodb-vpce-gw].vpc_id", + "searchValue": "", + "expectedValue": "Dynamodb VPC Endpoint should be associated with Route Table Association", + "actualValue": "Dynamodb VPC Endpoint is not associated with Route Table Association" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json index 65ef7abe96e..fdb3ffdef27 100644 --- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "EBS Default Encryption Disabled", "severity": "HIGH", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_ebs_encryption_by_default", + "resourceName": "positive1", + "searchKey": "aws_ebs_encryption_by_default[positive1].enabled", + "searchValue": "", + "expectedValue": "'aws_ebs_encryption_by_default.encrypted' should be true", + "actualValue": "'aws_ebs_encryption_by_default.encrypted' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 8ba140c64e7..451210d4427 100644 --- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 4, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "HelloWorld", + "searchKey": "aws_ebs_volume[positive2]", + "searchValue": "", + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined", + "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" + "line": 4, + "filename": "positive1.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "HelloWorld", + "searchKey": "aws_ebs_volume[positive1].encrypted", + "searchValue": "", + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'", + "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json index da1650285d8..a5687b4cc2d 100644 --- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EBS Volume Snapshot Not Encrypted", "severity": "HIGH", - "line": 4, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "aws_ebs_snapshot", + "resourceName": "positive2", + "searchKey": "aws_ebs_snapshot[positive2]", + "searchValue": "", + "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set", + "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined" }, { "queryName": "EBS Volume Snapshot Not Encrypted", "severity": "HIGH", - "line": 10, - "fileName": "positive2.tf" + "line": 4, + "filename": "positive1.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "positive1", + "searchKey": "aws_ebs_volume[positive1].encrypted", + "searchValue": "", + "expectedValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] should be true", + "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index 71d37ca807f..b724c7a5558 100644 --- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 17, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be defined and not null", + "actualValue": "'associate_public_ip_address' is undefined or null" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.tf" + "line": 13, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].associate_public_ip_address", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be set to false", + "actualValue": "'associate_public_ip_address' is true" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.web3.associate_public_ip_address", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be set to false", + "actualValue": "'associate_public_ip_address' is true" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 13, - "fileName": "positive3.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.web2", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be defined and not null", + "actualValue": "'associate_public_ip_address' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index edc9aa0da27..a5313c4f01f 100644 --- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].monitoring", + "searchValue": "", + "expectedValue": "ec2_instance.'monitoring' should be set to true", + "actualValue": "ec2_instance.'monitoring' is set to false" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.{{monitoring_positive2}}.monitoring", + "searchValue": "", + "expectedValue": "monitoring_positive2.'monitoring' should be set to true", + "actualValue": "monitoring_positive2.'monitoring' is set to false" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'monitoring' should be defined and not null", + "actualValue": "'monitoring' is undefined or null" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive4.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.{{monitoring_positive1}}", + "searchValue": "", + "expectedValue": "'monitoring' should be defined and not null", + "actualValue": "'monitoring' is undefined or null" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "aws_instance", + "resourceName": "cdktf-test", + "searchKey": "aws_instance.{{cdktf-test}}.monitoring", + "searchValue": "", + "expectedValue": "cdktf-test.'monitoring' should be set to true", + "actualValue": "cdktf-test.'monitoring' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json index 715b290c48f..572e2040761 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive1.tf" + "line": 13, + "filename": "positive7.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive7].provisioner", + "searchValue": "", + "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive9.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive9].provisioner", + "searchValue": "", + "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive3]", + "searchValue": "", + "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive4.tf" + "line": 13, + "filename": "positive8.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive8].provisioner", + "searchValue": "", + "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys", + "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive5.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive2]", + "searchValue": "", + "expectedValue": "aws_instance[positive2] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive6.tf" + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive4]", + "searchValue": "", + "expectedValue": "aws_instance[positive4] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive4].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive7.tf" + "line": 1, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive8.tf" + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive6]", + "searchValue": "", + "expectedValue": "aws_instance[positive6] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive6].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive9.tf" + "line": 1, + "filename": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "fileName": "positive10.tf" + "line": 5, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive5]", + "searchValue": "", + "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 1, - "fileName": "positive11.tf" + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "fileName": "positive12.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive1]", + "searchValue": "", + "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 60974d84ff2..99ba448a0e1 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].security_groups", + "searchValue": "", + "expectedValue": "aws_instance[positive1].security_groups should not be using default security group", + "actualValue": "aws_instance[positive1].security_groups is using at least one default security group" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2", + "searchKey": "aws_instance[positive2].vpc_security_group_ids", + "searchValue": "", + "expectedValue": "aws_instance[positive2].vpc_security_group_ids should not be using default security group", + "actualValue": "aws_instance[positive2].vpc_security_group_ids is using at least one default security group" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 9d70d60ac40..0e607948d02 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1", + "searchKey": "aws_instance[positive1].subnet_id", + "searchValue": "", + "expectedValue": "aws_instance[positive1].subnet_id should not be associated with a default VPC", + "actualValue": "aws_instance[positive1].subnet_id is associated with a default VPC" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 98335b48ae9..feb8e425bce 100644 --- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 17, - "filename": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is undefined or null" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 20, - "filename": "positive2.tf" + "line": 9, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].ebs_optimized", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is set to false" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 1, - "filename": "positive3.tf" + "line": 20, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[{{web}}].ebs_optimized", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is set to false" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 9, - "filename": "positive4.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[{{web}}]", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 5f98584ec05..6cb99b686a1 100644 --- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "bar", + "searchKey": "aws_ecr_repository.foo2.image_tag_mutability", + "searchValue": "", + "expectedValue": "aws_ecr_repository.foo2.image_tag_mutability should be 'IMMUTABLE'", + "actualValue": "aws_ecr_repository.foo2.image_tag_mutability is 'MUTABLE'" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", "line": 10, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "bar", + "searchKey": "aws_ecr_repository.foo3", + "searchValue": "", + "expectedValue": "aws_ecr_repository.foo3.image_tag_mutability should be defined and not null", + "actualValue": "aws_ecr_repository.foo3.image_tag_mutability is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 6a419b1981b..ed568773a62 100644 --- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_ecr_repository_policy", + "resourceName": "positive2", + "searchKey": "aws_ecr_repository_policy[positive2].policy", + "searchValue": "", + "expectedValue": "'Statement.Principal' shouldn't contain '*'", + "actualValue": "'Statement.Principal' contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json index ff2bfc9644f..2a51cbcee2c 100644 --- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 1 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "barX", + "searchKey": "aws_ecr_repository[fooX].encryption_configuration", + "searchValue": "", + "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN", + "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "bar", + "searchKey": "aws_ecr_repository[foo]", + "searchValue": "", + "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN", + "actualValue": "'encryption_configuration' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json index 8733ccfe1b0..8e0da04b887 100644 --- a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "ECR Repository Without Policy", "severity": "LOW", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "foo", + "searchKey": "aws_ecr_repository[foo]", + "searchValue": "", + "expectedValue": "aws_ecr_repository[foo] has policies attached", + "actualValue": "aws_ecr_repository[foo] doesn't have policies attached" }, { "queryName": "ECR Repository Without Policy", "severity": "LOW", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "foo2", + "searchKey": "aws_ecr_repository[foo2]", + "searchValue": "", + "expectedValue": "aws_ecr_repository[foo2] has policies attached", + "actualValue": "aws_ecr_repository[foo2] doesn't have policies attached" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 14338d961fd..d294c36ba80 100644 --- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_ecs_cluster", + "resourceName": "white-hart", + "searchKey": "aws_ecs_cluster[foo]", + "searchValue": "", + "expectedValue": "'aws_ecs_cluster[foo].setting.name' should be set to 'containerInsights' and 'aws_ecs_cluster[foo].setting.value' should be set to 'enabled'", + "actualValue": "'aws_ecs_cluster[foo].setting.name' is not set to 'containerInsights' and/or 'aws_ecs_cluster[foo].setting.value' is not set to 'enabled'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index c472ceefe5b..037a254a6ea 100644 --- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "ECS Service Admin Role Is Present", - "severity": "HIGH", - "line": 7 - } -] + { + "queryName": "ECS Service Admin Role Is Present", + "severity": "HIGH", + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_ecs_service", + "resourceName": "mongodb", + "searchKey": "aws_ecs_service[positive1].iam_role", + "searchValue": "", + "expectedValue": "'aws_ecs_service[positive1].iam_role' should not equal to 'admin'", + "actualValue": "'aws_ecs_service[positive1].iam_role' is equal to 'admin'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index 038245c2cee..eb466e32790 100644 --- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "ECS Service Without Running Tasks", "severity": "LOW", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ecs_service", + "resourceName": "positive1", + "searchKey": "aws_ecs_service[positive1]", + "searchValue": "", + "expectedValue": "'aws_ecs_service[positive1]' has at least 1 task running", + "actualValue": "'aws_ecs_service[positive1]' must have at least 1 task running" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 18ccc7a1c7e..036d18e16fa 100644 --- a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ { - "severity": "MEDIUM", - "line": 15, "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.tf" - }, - { "severity": "MEDIUM", "line": 17, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ecs].services.frontend.assign_public_ip", + "searchValue": "", + "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')", + "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true" + }, + { "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.tf" + "severity": "MEDIUM", + "line": 15, + "filename": "positive1.tf", + "resourceType": "aws_ecs_service", + "resourceName": "example_service_dev", + "searchKey": "aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' should be set to 'false'(default value is 'false')", + "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index be1f04a0a99..01781e2a6a2 100644 --- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "positive1", + "searchKey": "aws_ecs_task_definition[positive1].network_mode", + "searchValue": "", + "expectedValue": "'network_mode' should equal to 'awsvpc'", + "actualValue": "'network_mode' is equal to 'none'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json index 2eaa672c30d..d51fa40144a 100644 --- a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 1 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive2].encrypted", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true", + "actualValue": "aws_efs_file_system[positive2].encrypted' is false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 11 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null", + "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 7623b36b6d3..4fc6e3f1825 100644 --- a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 11, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service", + "searchKey": "aws_ecs_task_definition[{{service}}].volume.efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 8, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_2", + "searchKey": "aws_ecs_task_definition[{{service_2}}].volume.efs_volume_configuration", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing" }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 5, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_2", + "searchKey": "aws_ecs_task_definition[{{service_2}}].volume", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json index c8af7a301f9..0637e361f12 100644 --- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "EFS With Vulnerable Policy", "severity": "MEDIUM", "line": 16, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_efs_file_system_policy", + "resourceName": "not_secure_policy", + "searchKey": "aws_efs_file_system_policy[not_secure_policy].policy", + "searchValue": "", + "expectedValue": "aws_efs_file_system_policy[not_secure_policy].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_efs_file_system_policy[not_secure_policy].policy has wildcard in 'Action' or 'Principal'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json index ba63f84dca0..09ed987a26d 100644 --- a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive1].kms_key_id' should be defined'", + "actualValue": "aws_efs_file_system[positive1].kms_key_id' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index 1dc99e33f29..e11b5998df9 100644 --- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive2].encryption_config.resources", + "searchValue": "", + "expectedValue": "'secrets' should be defined", + "actualValue": "'secrets' is undefined" }, { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", - "line": 11, - "fileName": "positive2.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1]", + "searchValue": "", + "expectedValue": "'encryption_config' should be defined and not null", + "actualValue": "'encryption_config' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json index d8b401a6a00..ff70284f637 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "EKS Cluster Has Public Access", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].vpc_config.endpoint_public_access", + "searchValue": "", + "expectedValue": "'vpc_config.endpoint_public_access' should equal 'false'", + "actualValue": "'vpc_config.endpoint_public_access' is equal 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json index fc8b1649bfe..8207e36976e 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "EKS Cluster Has Public Access CIDRs", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].vpc_config.public_access_cidrs", + "searchValue": "", + "expectedValue": "One of 'vpc_config.public_access_cidrs' not equal '0.0.0.0/0'", + "actualValue": "One of 'vpc_config.public_access_cidrs' is equal '0.0.0.0/0'" }, { "queryName": "EKS Cluster Has Public Access CIDRs", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "without_example", + "searchKey": "aws_eks_cluster[positive2].vpc_config.public_access_cidrs", + "searchValue": "", + "expectedValue": "'vpc_config.public_access_cidrs' should exist", + "actualValue": "'vpc_config.public_access_cidrs' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json index 5f09bd406dd..0dd0e7242ae 100644 --- a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "EKS cluster logging is not enabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1]", + "searchValue": "", + "expectedValue": "'enabled_cluster_log_types' should be defined and not null", + "actualValue": "'enabled_cluster_log_types' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json index 56ceeded77b..78901ccb38e 100644 --- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "EKS node group remote access disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_eks_node_group", + "resourceName": "positive", + "searchKey": "aws_eks_node_group[positive].remote_access", + "searchValue": "", + "expectedValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' should be defined and not null", + "actualValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 21916a4ecf0..b8e87933e8e 100644 --- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 1 + "line": 12, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive2].az_mode", + "searchValue": "", + "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is 'single-az'" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 12 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index e6c9f8ed3cc..5d378fd4270 100644 --- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 1 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit", + "searchValue": "", + "expectedValue": "'snapshot_retention_limit' should be higher than 0", + "actualValue": "'snapshot_retention_limit' is 0" }, { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 16 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'snapshot_retention_limit' should be higher than 0", + "actualValue": "'snapshot_retention_limit' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json index 97de094b1b1..6344eca82b9 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", - "line": 1, - "fileName": "positive1.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example2", + "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled", + "searchValue": "", + "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", + "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", - "line": 9, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example]", + "searchValue": "", + "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", + "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json index f12eb88b6db..bda5f5fcd0a 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled", + "searchValue": "", + "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", + "actualValue": "The attribute 'transit_encryption_enabled' is not set to true" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example]", + "searchValue": "", + "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", + "actualValue": "The attribute 'transit_encryption_enabled' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json index c99229d5c61..d9d3a7e9703 100644 --- a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2]", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster.port should be defined and not null", + "actualValue": "aws_elasticache_cluster.port is undefined or null" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive3].port", + "searchValue": "", + "expectedValue": "'port' should not be set to 6379", + "actualValue": "'port' is set to 6379" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 7, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2].port", + "searchValue": "", + "expectedValue": "'port' should not be set to 11211", + "actualValue": "'port' is set to 11211" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", - "line": 7, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster.port should be defined and not null", + "actualValue": "aws_elasticache_cluster.port is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json index a1992dd7bdd..eeee4d47f1c 100644 --- a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "ElastiCache Without VPC", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "ElastiCache Without VPC", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'aws_elasticache_cluster[positive1].subnet_group_name' should be defined and not null'", + "actualValue": "'aws_elasticache_cluster[positive1].subnet_group_name' is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index 97643939504..03f6691eac1 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled", + "searchValue": "", + "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", + "actualValue": "The attribute 'node_to_node_encryption' is not set to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}]", + "searchValue": "", + "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", + "actualValue": "The attribute 'node_to_node_encryption' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json index 2b1845daf6d..c3f30adae2e 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Elasticsearch Domain With Vulnerable Policy", "severity": "MEDIUM", "line": 18, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_elasticsearch_domain_policy", + "resourceName": "main", + "searchKey": "aws_elasticsearch_domain_policy[main].access_policies", + "searchValue": "", + "expectedValue": "aws_elasticsearch_domain_policy[main].access_policies should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_elasticsearch_domain_policy[main].access_policies has wildcard in 'Action' or 'Principal'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json index 35a08640780..e024e33c995 100644 --- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[positive1].encrypt_at_rest", + "searchValue": "", + "expectedValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' should be set with encryption at rest", + "actualValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index a22034a740d..7757e53fdc1 100644 --- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Elasticsearch Log Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive2", + "searchKey": "aws_elasticsearch_domain[{{positive2}}]", + "searchValue": "", + "expectedValue": "'log_publishing_options' should be defined and not null", + "actualValue": "'log_publishing_options' is undefined or null" }, { "queryName": "Elasticsearch Log Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.enabled", + "searchValue": "", + "expectedValue": "'log_publishing_options.enabled' should be true", + "actualValue": "'log_publishing_options.enabled' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 7a0f9115878..4c69509cbf9 100644 --- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[positive1]", + "searchValue": "", + "expectedValue": "'encrypt_at_rest' should be set and enabled", + "actualValue": "'encrypt_at_rest' is undefined" }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive2", + "searchKey": "aws_elasticsearch_domain[positive2].encrypt_at_rest.enabled", + "searchValue": "", + "expectedValue": "'encrypt_at_rest.enabled' should be true", + "actualValue": "'encrypt_at_rest.enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 982f13b43ec..310b0513d3e 100644 --- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "my-elasticsearch-domain", + "searchKey": "aws_elasticsearch_domain[{{example}}]", + "searchValue": "", + "expectedValue": "The attribute 'enforce_https' should be set to 'true'", + "actualValue": "The attribute 'enforce_https' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index dd2e7e151b2..c931b6699a9 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "example", + "searchKey": "aws_elasticsearch_domain[example]", + "searchValue": "", + "expectedValue": "Elasticsearch Domain ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" }, { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "example2", + "searchKey": "aws_elasticsearch_domain[example2]", + "searchValue": "", + "expectedValue": "Elasticsearch Domain ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 023e30233ed..6aff8d5b8c3 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 4, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.log_type", + "searchValue": "", + "expectedValue": "'log_publishing_options.log_type' should not be INDEX_SLOW_LOGS or SEARCH_SLOW_LOGS ", + "actualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json index 6c46eb0bbaf..5942f88f1bd 100644 --- a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_elb", + "resourceName": "foobar-terraform-elb", + "searchKey": "aws_elb[{{postive2}}]", + "searchValue": "", + "expectedValue": "'aws_elb[{{postive2}}].access_logs' should be defined and not null", + "actualValue": "'aws_elb[{{postive2}}].access_logs' is undefined or null" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[elb_http]", + "searchValue": "", + "expectedValue": "'access_logs' should be defined and not null", + "actualValue": "'access_logs' is undefined or null" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 39, - "filename": "positive4.tf" + "line": 9, + "filename": "positive1.tf", + "resourceType": "aws_elb", + "resourceName": "foobar-terraform-elb", + "searchKey": "aws_elb[{{postive1}}].access_logs.enabled", + "searchValue": "", + "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true", + "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 39, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[elb_http].access_logs.enabled", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be true", + "actualValue": "'access_logs.enabled' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json index d3475be6d2a..c23197e54a8 100644 --- a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive5", + "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive4", + "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 7e31718727b..0f17deed02f 100644 --- a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive4", + "searchKey": "aws_load_balancer_policy[positive4]", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 63 + "line": 63, + "filename": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive5", + "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 74 + "line": 74, + "filename": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive6", + "searchKey": "aws_load_balancer_policy[positive6].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' is a weak cipher" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json index 585f9f8c48e..38c6d921a9a 100644 --- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive5.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test].access_logs", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is undefined" }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive1.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test].access_logs.enabled", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is not set to true" }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 2, + "filename": "positive6.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test]", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs' is undefined" }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test].access_logs", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is undefined" }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test]", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs' is undefined" }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.tf" + "line": 14, + "filename": "positive4.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test].access_logs.enabled", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is not set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json index c1fd09e9e54..33b7e847667 100644 --- a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "EMR Without VPC", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "EMR Without VPC", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_emr_cluster", + "resourceName": "emr-test-arn", + "searchKey": "aws_emr_cluster[positive1]", + "searchValue": "", + "expectedValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null'", + "actualValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json index 660a6a6953f..c9082aef103 100644 --- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive1}}]", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled should be defined and not null", + "actualValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled is undefined or null" }, { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true", + "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false" }, { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null", + "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json index 053cddb8eb5..5ab0d7ab5ed 100644 --- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" + "line": 9, + "filename": "positive3.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive3", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode", + "searchValue": "", + "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", + "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'" }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", - "line": 3, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive1", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive1].data_catalog_encryption_settings.connection_password_encryption.return_connection_password_encrypted", + "searchValue": "", + "expectedValue": "'return_connection_password_encrypted' should be set to true", + "actualValue": "'return_connection_password_encrypted' is not set to true" }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", - "line": 9, - "fileName": "positive3.tf" + "line": 8, + "filename": "positive4.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive4", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest", + "searchValue": "", + "expectedValue": "'sse_aws_kms_key_id' should be defined and not null", + "actualValue": "'sse_aws_kms_key_id' is undefined or null" }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", - "line": 8, - "fileName": "positive4.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive2", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive2].data_catalog_encryption_settings.connection_password_encryption", + "searchValue": "", + "expectedValue": "'aws_kms_key_id' should be defined and not null", + "actualValue": "'aws_kms_key_id' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json index 99f94932214..1c02e67459b 100644 --- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption", + "searchValue": "", + "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' defined and not null", + "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null" }, { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", - "line": 11, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption", + "searchValue": "", + "expectedValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' defined and not null", + "actualValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' undefined or null" }, { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", - "line": 10, - "fileName": "positive3.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive2].encryption_configuration.job_bookmarks_encryption.job_bookmarks_encryption_mode", + "searchValue": "", + "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'", + "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json index 60c40b691d5..efba0f17bcc 100644 --- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Glue With Vulnerable Policy", "severity": "MEDIUM", "line": 15, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_glue_resource_policy", + "resourceName": "example", + "searchKey": "aws_glue_resource_policy[example].policy", + "searchValue": "", + "expectedValue": "aws_glue_resource_policy[example].policy should not have wildcard in 'principals' and 'actions'", + "actualValue": "aws_glue_resource_policy[example].policy has wildcard in 'principals' or 'actions'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index 767d9dbbb2a..46afccf8074 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index dca2ecc1114..519cbc203f1 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index 3c3fd030c44..b39d394a828 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 1e87698084e..880d18cfdfa 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 528dfaa32ea..5b5681cf5b9 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 96eba745bcc..acb504d1ca9 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 423c580bd76..c348efe0f7d 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index b08389ad245..96ac75d21d5 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index e012e5db9e4..e7e72a7b15d 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index e269c9d79e7..324d63e5618 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 03396830fe3..6a6fcc01075 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 3a5cbe039fe..2f230c7ff41 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index e9e97ad162b..e918e315ffd 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index a989eecfd2a..1b78fd177dc 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 490028dfcbc..e8fc952c59b 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 891da8391d0..7f9977e6320 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index d94146558e8..d34c3f5cec2 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index 550cd399885..af3ba554011 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 87b739574ab..2b12ddf844f 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json index 2908de223bb..b081585b2d5 100644 --- a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_guardduty_detector", + "resourceName": "positive1", + "searchKey": "aws_guardduty_detector[positive1].enable", + "searchValue": "", + "expectedValue": "GuardDuty Detector should be Enabled", + "actualValue": "GuardDuty Detector is not Enabled" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json index 7cfc634073e..8c0374e7e53 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", "line": 5, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key" }, { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", "line": 13, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index f633fc224fd..fd9566bb969 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", "line": 57, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive3", + "searchKey": "aws_lambda_function[positive3].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key" }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", "line": 36, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive2", + "searchKey": "aws_lambda_function[positive2].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index 2fcdca8b230..133fc8b9075 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json @@ -2,103 +2,205 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.tf" + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.tf" + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 60, - "fileName": "positive1.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 73, - "fileName": "positive1.tf" + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-6].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 101, - "fileName": "positive1.tf" + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.tf" + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.tf" + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-2] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 30, - "fileName": "positive4.tf" + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49, - "fileName": "positive4.tf" + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 63, - "fileName": "positive4.tf" + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 82, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 96, - "fileName": "positive4.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 9ffd7769e25..8e53334bc5a 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" + "line": 6, + "filename": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined" }, { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", - "line": 6, - "fileName": "positive2.json" + "line": 1, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 5cd10b3b788..70afe79455b 100644 --- a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 7 - } -] + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive1].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive1].user' is 'root' for an active access key" + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive2].user' is 'root' for an active access key" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index be5ed3840b6..80042cb9566 100644 --- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 9e6e6fe4df8..fa15635d98f 100644 --- a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -2,121 +2,241 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive6.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive6", + "searchKey": "aws_rds_cluster[positive6]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive13.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive10.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive16.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.tf" + "line": 10, + "filename": "positive15.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.tf" + "line": 8, + "filename": "positive14.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.tf" + "filename": "positive17.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive9.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive2", + "searchKey": "aws_rds_cluster[positive2]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive10.tf" + "line": 10, + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive11.tf" + "line": 9, + "filename": "positive19.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive12.tf" + "filename": "positive18.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive13.tf" + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive14.tf" + "filename": "positive4.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive4", + "searchKey": "aws_rds_cluster[positive4].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive15.tf" + "line": 9, + "filename": "positive5.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive5", + "searchKey": "aws_rds_cluster[positive5].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive16.tf" + "filename": "positive20.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive17.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive18.tf" + "filename": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive19.tf" + "filename": "positive9.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive20.tf" + "line": 10, + "filename": "positive7.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index 88912a3df2c..8466656a2df 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -2,13 +2,49 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive1.tf", - "line": 12 + "line": 1, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive1.tf", - "line": 33 + "line": 5, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" + }, + { + "queryName": "IAM Group Without Users", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" + }, + { + "queryName": "IAM Group Without Users", + "severity": "MEDIUM", + "line": 33, + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json index fe66c904973..c383e354881 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 1 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is less than 14" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 10 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1]", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 4d1f265f81a..5b70bc603d4 100755 --- a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 18, - "filename": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[{{positive2_3}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 18, - "filename": "positive2.tf" + "line": 27, + "filename": "positive3.tf", + "resourceType": "aws_iam_user_policy_attachment", + "resourceName": "test-attach", + "searchKey": "aws_iam_user_policy_attachment[{{test-attach}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.tf" + "line": 18, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_attachment", + "resourceName": "excess_policy", + "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", + "searchValue": "", + "expectedValue": "'users' is redundant", + "actualValue": "'users' exists" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 3c68baf6f98..9173cbe346f 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.tf" + "line": 4, + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 20, - "fileName": "positive1.tf" + "line": 21, + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement[1]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement[2]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.tf" + "line": 2, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-1", + "searchKey": "aws_iam_policy[positive6-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.tf" + "line": 17, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-2", + "searchKey": "aws_iam_policy[positive6-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 21, - "fileName": "positive5.tf" + "line": 20, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.tf" + "line": 4, + "filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 17, - "fileName": "positive6.tf" + "line": 21, + "filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 15320368fd3..cf60684f787 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -2,79 +2,157 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_policy[positive2].policy", + "searchValue": "*", + "expectedValue": "'positive2.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.tf" + "line": 8, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "iam_policy.policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6", + "searchKey": "aws_iam_policy_document[positive6].statement.actions", + "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", + "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 5, - "fileName": "positive6.tf" + "line": 22, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": "aws_iam_policy_document[positive6_array].statement[0].actions", + "searchValue": "s3:GetObject", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 22, - "fileName": "positive6.tf" + "line": 30, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": "aws_iam_policy_document[positive6_array].statement[1].actions", + "searchValue": "*", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' contains [*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 30, - "fileName": "positive6.tf" + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 8, - "fileName": "positive7.tf" + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index ceff30e7ae2..972ef06895c 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 70 + "line": 70, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 8a981228a0e..356539aa701 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 20, - "fileName": "positive1.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-0", + "searchKey": "aws_iam_policy_document[example-0]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 3, - "fileName": "positive2.tf" + "line": 38, + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-1", + "searchKey": "aws_iam_policy_document[example-1]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 12, - "fileName": "positive3.tf" + "line": 64, + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-2", + "searchKey": "aws_iam_policy_document[example-2]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 38, - "fileName": "positive3.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "s3-permission", + "searchKey": "aws_iam_policy[s3-permission].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 64, - "fileName": "positive3.tf" + "line": 20, + "filename": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index cd0a7ead479..fb4154fcd27 100644 --- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-forward-logs", + "searchKey": "aws_iam_role[positive2].assume_role_policy.Principal.AWS", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal.AWS' should not contain ':root'", + "actualValue": "'assume_role_policy.Statement.Principal.AWS' contains ':root'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json index 08ff9253edb..eca5f595a0f 100644 --- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IAM Role Policy passRole Allows All", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "test_policy", + "searchKey": "aws_iam_role_policy[test_policy].policy", + "searchValue": "", + "expectedValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole shouldn't have Resource '*'", + "actualValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole has Resource '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json index 9382f8cea04..4731bdf5e28 100644 --- a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'" }, { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role2", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json index 9aeb404ff39..e6c056029c5 100644 --- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "IAM User Policy Without MFA", "severity": "LOW", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index ff82e6a3810..c0a23f6865a 100644 --- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json index 80c7bbe8b3e..5824109ffb3 100644 --- a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "IAM User With Access To Console", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "example_login", + "searchKey": "aws_iam_user.example.name", + "searchValue": "", + "expectedValue": "aws_iam_user.example.name shouldn't have aws_iam_user_login_profile", + "actualValue": "aws_iam_user.example.name has aws_iam_user_login_profile" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 43fdf288455..6eadd9b97f4 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -1,152 +1,302 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 28, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 13, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive10.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive10.tf" - } -] + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7_launch_config].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_1", + "searchKey": "aws_instance[positive2_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive2_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_1", + "searchKey": "aws_instance[positive3_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive3_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_3", + "searchKey": "aws_launch_template[positive3_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_1", + "searchKey": "aws_instance[positive4_1]", + "searchValue": "", + "expectedValue": "'aws_instance[positive4_1].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_instance[positive4_1].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_1", + "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_1", + "searchKey": "aws_instance[positive5_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive5_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive5_1].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_2", + "searchKey": "aws_launch_configuration[positive5_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_2", + "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_3", + "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_3", + "searchKey": "aws_launch_template[positive4_3]", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_3", + "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_3", + "searchKey": "aws_launch_template[positive5_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 5, + "filename": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9_instance]", + "searchValue": "", + "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_instance].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 13, + "filename": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9_launch_config]", + "searchValue": "", + "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_launch_config].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8_instance].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_2", + "searchKey": "aws_launch_configuration[positive1_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_2", + "searchKey": "aws_launch_configuration[positive3_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_2", + "searchKey": "aws_launch_configuration[positive4_2]", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_instance].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive8_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive8_launch_config].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json index 83a88cc559d..0c24669cbe7 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1", + "searchKey": "aws_instance[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 96de2c7e663..fcc17eaa6a6 100644 --- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 1 + "line": 34, + "filename": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive2].encryption_type", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE", + "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 34 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive1]", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set", + "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive3]", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive3].kms_key_id should be set", + "actualValue": "aws_kinesis_stream[positive3].kms_key_id is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json index abc47c8bd1f..dbb7247473f 100644 --- a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 12 + "line": 34, + "filename": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type", + "searchValue": "", + "expectedValue": "Attribute 'key_type' should be valid", + "actualValue": "Attribute 'key_type' is invalid" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive3].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "Attribute 'server_side_encryption' should be enabled", + "actualValue": "Attribute 'server_side_encryption' is not enabled" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 34 + "line": 42, + "filename": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption", + "searchValue": "", + "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 'key_arn' should be set", + "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 42 + "line": 12, + "filename": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'server_side_encryption' should be set", + "actualValue": "Attribute 'server_side_encryption' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json index ecd69b65494..95674958bd7 100644 --- a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1].policy", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1].policy", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive3", + "searchKey": "aws_kms_key[positive3]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive3].policy should be defined and not null", + "actualValue": "aws_kms_key[positive3].policy is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json index 086ae05195e..0f0ebf53919 100644 --- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 1 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2].deletion_window_in_days", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid" }, { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index 526c7c5a52c..e491b6e7fa2 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", - "line": 4, - "fileName": "positive.tf" + "line": 23, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction2].role", + "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]", + "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions", + "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'." }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/positiveinlinepolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", - "line": 23, - "fileName": "positive.tf" + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index 11ef1ad0bc3..f0f5a464aa7 100644 --- a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 16, - "fileName": "positive1.tf" + "line": 26, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[lambda_with_incomplete_dlq].dead_letter_target_arn", + "searchValue": "", + "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty", + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty" }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 24, - "fileName": "positive2.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda_without_dlq", + "searchKey": "aws_lambda_function[lambda_without_dlq]", + "searchValue": "", + "expectedValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' should be defined and not null", + "actualValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' is undefined or null" }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 16, - "fileName": "positive3.tf" + "line": 24, + "filename": "positive2.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda_with_incomplete_dlq", + "searchKey": "aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn", + "searchValue": "", + "expectedValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' should be defined and not empty", + "actualValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' is empty" }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", - "line": 26, - "fileName": "positive4.tf" + "line": 16, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[lambda_with_incomplete_dlq]", + "searchValue": "", + "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not null", + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 806f660a9a0..6a3539f69ad 100644 --- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ { - "line": 28, "queryName": "Lambda Functions Without X-Ray Tracing", - "severity": "LOW" + "severity": "LOW", + "line": 28, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "test_lambda2", + "searchKey": "aws_lambda_function[test_lambda2].tracing_config.mode", + "searchValue": "", + "expectedValue": "aws_lambda_function[test_lambda2].tracing_config.mode should be set to 'Active'", + "actualValue": "aws_lambda_function[test_lambda2].tracing_config.mode is set to 'PassThrough'" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 45 + "line": 45, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "test_lambda3", + "searchKey": "aws_lambda_function[test_lambda3]", + "searchValue": "", + "expectedValue": "aws_lambda_function[test_lambda3].tracing_config should be defined and not null", + "actualValue": "aws_lambda_function[test_lambda3].tracing_config is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json index 7951f5675f9..0edef940cbb 100644 --- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive1.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive2.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive3.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 5, - "filename": "positive4.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive5.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive6.tf" - } -] + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive4policy", + "searchKey": "aws_iam_policy[positive4policy].policy", + "searchValue": "", + "expectedValue": "[positive4policy].policy should be misconfigured", + "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "filename": "positive3.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive3policy", + "searchKey": "aws_iam_policy[positive3policy].policy", + "searchValue": "", + "expectedValue": "[positive3policy].policy should be misconfigured", + "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1policy", + "searchKey": "aws_iam_policy[positive1policy].policy", + "searchValue": "", + "expectedValue": "[positive1policy].policy should be misconfigured", + "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6policy", + "searchKey": "aws_iam_policy[positive6policy].policy", + "searchValue": "", + "expectedValue": "[positive6policy].policy should be misconfigured", + "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "filename": "positive5.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive5policy", + "searchKey": "aws_iam_policy[positive5policy].policy", + "searchValue": "", + "expectedValue": "[positive5policy].policy should be misconfigured", + "actualValue": "[positive5policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive2policy", + "searchKey": "aws_iam_policy[positive2policy].policy", + "searchValue": "", + "expectedValue": "[positive2policy].policy should be misconfigured", + "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json index 4d4185aebc6..e2062a47879 100644 --- a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Lambda Permission Misconfigured", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "positive1", + "searchKey": "aws_lambda_permission[positive1].action", + "searchValue": "", + "expectedValue": "aws_lambda_permission[name].action should be 'lambda:InvokeFunction'%!(EXTRA string=positive1)", + "actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index bfc56e78a38..64c72a56c5e 100644 --- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ { - "line": 5, "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "positive1", + "searchKey": "aws_lambda_permission[positive1].principal", + "searchValue": "", + "expectedValue": "aws_lambda_permission[positive1].principal shouldn't contain a wildcard", + "actualValue": "aws_lambda_permission[positive1].principal contains a wildcard" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json index 971cd176054..f5acc0f9159 100644 --- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Lambda With Vulnerable Policy", "severity": "HIGH", "line": 35, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "all", + "searchKey": "aws_lambda_permission[all].action", + "searchValue": "", + "expectedValue": "aws_lambda_permission[all].action should not have wildcard", + "actualValue": "aws_lambda_permission[all].action has wildcard" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 94deefb61b9..c124b17d0c5 100644 --- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 12 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].max_password_age", + "searchValue": "", + "expectedValue": "'max_password_age' should be lower than 90", + "actualValue": "'max_password_age' is higher than 90" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 8 + "line": 12, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'max_password_age' should exist", + "actualValue": "'max_password_age' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json index 137f7b0ae88..b2f85ef073f 100755 --- a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Missing Cluster Log Types", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].enabled_cluster_log_types", + "searchValue": "", + "expectedValue": "'enabled_cluster_log_types' has all log types", + "actualValue": "'enabled_cluster_log_types' has missing log types" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 144dcfe9c92..bee4623dde4 100644 --- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "example", + "searchKey": "aws_mq_broker[positive1].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be undefined or set to false", + "actualValue": "'publicly_accessible' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 3aa5e012477..7a66766dc09 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 8 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 17 - } -] + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "disabled-logging", + "searchKey": "aws_mq_broker[positive3].logs.general", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' is set to false" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "partial-logging", + "searchKey": "aws_mq_broker[positive2].logs", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' and/or 'audit' is undefined" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "no-logging", + "searchKey": "aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "'logs' should be set and enabling general AND audit logging", + "actualValue": "'logs' is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index ff0007ac59d..64470411842 100644 --- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type", + "searchValue": "", + "expectedValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type should be set to 'DISABLED' or undefined", + "actualValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type is set to 'SERVICE_PROVIDED_EIPS'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 87cb85d9130..bdda2aac938 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 37, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive1]", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 26 + "line": 14, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 37 + "line": 26, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 77aee52c4db..7cb2c5f3b86 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 8 + "line": 15, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive2", + "searchKey": "aws_msk_cluster[positive2]", + "searchValue": "", + "expectedValue": "'rule.logging_info' should exist", + "actualValue": "'rule.logging_info' does not exist" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json index 5ff36a69dda..7cb2e58e1bd 100644 --- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Neptune Cluster Instance is Publicly Accessible", "severity": "HIGH", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster_instance", + "resourceName": "example", + "searchKey": "aws_neptune_cluster_instance[example].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_neptune_cluster_instance[example].publicly_accessible should be set to false", + "actualValue": "aws_neptune_cluster_instance[example].publicly_accessible is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index b659dde30dd..d41d1757e9c 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 1 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 17 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 9847f928c55..582f60391a7 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 19, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be true", + "actualValue": "'storage_encrypted' is false" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 19 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set with value true", + "actualValue": "'storage_encrypted' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json index 0b3cecc98a8..bc1ec12ac10 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive2", + "searchKey": "aws_neptune_cluster[{{postive2}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is empty" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive1", + "searchKey": "aws_neptune_cluster[{{postive1}}]", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 37fe8ca81bf..9ebb51dc835 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", - "line": 30, - "fileName": "positive1.tf" + "line": 14, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 22, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_network_acl_rule", + "resourceName": "postive2", + "searchKey": "aws_network_acl_rule[postive2]", + "searchValue": "", + "expectedValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", - "line": 26, - "fileName": "positive3.tf" + "line": 30, + "filename": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", - "line": 14, - "fileName": "positive4.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive3].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json index ffe49a69896..5e2a34db643 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) is public" }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 22, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aaws_network_acl_rule", + "resourceName": "postive2", + "searchKey": "aws_network_acl_rule[postive2]", + "searchValue": "", + "expectedValue": "aws_network_acl[postive2] 'SSH' (TCP:22) should not be public", + "actualValue": "aws_network_acl[postive2] 'SSH' (TCP:22) is public" }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive3].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) should not be public", + "actualValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) is public" }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) should not be public", + "actualValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) is public" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json index 1c1519b011a..925305264cd 100644 --- a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 5 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive3", + "searchKey": "aws_iam_user_login_profile[positive3].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 16 + "line": 23, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive6", + "searchKey": "aws_iam_user_login_profile[positive6].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 23 + "line": 31, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 30 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive2", + "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 31 + "line": 30, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json index cc22479597c..79e34ffe9a1 100644 --- a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'policy_body' or Attribute 'policy_url' should be set", + "actualValue": "Both Attribute 'policy_body' and Attribute 'policy_url' are undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json index 14744faebfc..06d53a4ba48 100644 --- a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].password_reuse_prevention", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be 24", + "actualValue": "'password_reuse_prevention' is lower than 24" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be set with value 24", + "actualValue": "'password_reuse_prevention' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json index 47916ac2a8f..464291507d2 100644 --- a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Policy Without Principal", "severity": "MEDIUM", "line": 9, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "secure_policy", + "searchKey": "aws_kms_key[secure_policy].policy", + "searchValue": "", + "expectedValue": "'Principal' should be defined", + "actualValue": "'Principal' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json index 945f584ea83..46fb82be7f4 100644 --- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive6.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive5.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 10, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 1, - "fileName": "positive4.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "filename": "positive4.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 1, - "fileName": "positive6.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement has the wrong value" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json index b398ade46bc..ea00471d1db 100644 --- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", - "line": 103, - "filename": "positive1.tf" + "line": 38, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_public_instance].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role" }, { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", - "line": 38, - "filename": "positive2.tf" + "line": 103, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "pub_ins", + "searchKey": "aws_instance[pub_ins].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 8452e076a79..0a473b8b38a 100755 --- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Public Lambda via API Gateway", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "example", + "searchKey": "aws_lambda_permission[apigw].source_arn", + "searchValue": "", + "expectedValue": "'source_arn' should not equal '/*/*'", + "actualValue": "'source_arn' is equal '/*/*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 3acfce4737d..e9da2391bc9 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet" }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json index ea9389945c2..996b5495d93 100644 --- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "RDS Cluster With Backup Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "postgresql", + "searchKey": "aws_rds_cluster[{{postgresql}}]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.backup_retention_period should be defined and not null", + "actualValue": "aws_rds_cluster.backup_retention_period is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json index 187a78096da..e76d9bbe638 100644 --- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS Database Cluster not Encrypted", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_cluster_snapshot", + "resourceName": "positive1", + "searchKey": "aws_db_cluster_snapshot[positive1]", + "searchValue": "", + "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted", + "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted" }, { "queryName": "RDS Database Cluster not Encrypted", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_cluster_snapshot", + "resourceName": "positive2", + "searchKey": "aws_db_cluster_snapshot[positive2]", + "searchValue": "", + "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted", + "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index a79d457a603..99682da0ed1 100644 --- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be set to false or undefined", + "actualValue": "'publicly_accessible' is set to true" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be set to false or undefined", + "actualValue": "'publicly_accessible' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json index 2869dacdeb1..b57858d721a 100644 --- a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json index b82590880cb..492b97ec704 100644 --- a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 11, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", + "actualValue": "aws_db_instance[positive2].port is set to 5432" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive4].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive4].port should not be set to 1433", + "actualValue": "aws_db_instance[positive4].port is set to 1433" }, { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 10, - "fileName": "positive3.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", + "actualValue": "aws_db_instance[positive1].port is set to 3306" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive3].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", + "actualValue": "aws_db_instance[positive3].port is set to 1521" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 0d3fdfe8f93..7519dcb4c1b 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", + "actualValue": "'backup_retention_period' is not defined" }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].backup_retention_period", + "searchValue": "", + "expectedValue": "'backup_retention_period' should not equal '0'", + "actualValue": "'backup_retention_period' is equal '0'" }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", + "actualValue": "'backup_retention_period' is not defined" }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive4.tf" + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].backup_retention_period", + "searchValue": "", + "expectedValue": "'backup_retention_period' should not equal '0'", + "actualValue": "'backup_retention_period' is equal '0'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json index 9454580d871..3f869c1e9ca 100644 --- a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", + "actualValue": "'enabled_cloudwatch_logs_exports' is empty" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive1", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive2", + "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", + "actualValue": "'enabled_cloudwatch_logs_exports' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json index 39222e69fa7..88331d705b4 100644 --- a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Redis Disabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "resource.aws_elasticache_cluster[positive1].engine", + "searchValue": "", + "expectedValue": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actualValue": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json index 2563388f8fa..7061cabe7bf 100644 --- a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Not Compliant", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1].engine_version", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster[positive1].engine_version should be compliant with the requirements", + "actualValue": "aws_elasticache_cluster[positive1].engine_version isn't compliant with the requirements" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index 40533ee61d3..3ddeaa127c5 100644 --- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1].logging.enable", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is false" }, { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2]", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 25d75271b2d..611c2843e92 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "cluster_subnet_group_name", + "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "vpc_security_group_ids", + "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json index 5b4ce2d77c9..c19babbf203 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Redshift Not Encrypted", - "severity": "HIGH", - "line": 1 - }, - { - "queryName": "Redshift Not Encrypted", - "severity": "HIGH", - "line": 17 - } -] + { + "queryName": "Redshift Not Encrypted", + "severity": "HIGH", + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].encrypted", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.encrypted should be set to false", + "actualValue": "aws_redshift_cluster.encrypted is true" + }, + { + "queryName": "Redshift Not Encrypted", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null", + "actualValue": "aws_redshift_cluster.encrypted is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json index 548637b2980..36fa395216b 100644 --- a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 1 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", + "actualValue": "aws_redshift_cluster.publicly_accessible is true" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", + "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json index e8e8737ce7a..1b2e553b8f4 100644 --- a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should be defined and not null", + "actualValue": "aws_redshift_cluster.port is undefined or null" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].port", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should not be set to 5439", + "actualValue": "aws_redshift_cluster.port is set to 5439" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 8ea304c9c6f..6a3cc345561 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -2,103 +2,205 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 26, - "fileName": "positive1.tf" + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 39, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 60, - "fileName": "positive1.tf" + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 73, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-5].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 87, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 101, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 17, - "fileName": "positive2.tf" + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 7, - "fileName": "positive3.tf" + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 17, - "fileName": "positive3.tf" + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 11, - "fileName": "positive4.tf" + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49, - "fileName": "positive4.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 63, - "fileName": "positive4.tf" + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 82, - "fileName": "positive4.tf" + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 96, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json index 337633981da..f159166253a 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Resource Not Using Tags", "severity": "INFO", - "line": 1, - "filename": "positive1.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_acm_certificate", + "resourceName": "test", + "searchKey": "aws_acm_certificate[{{cert_2}}].tags", + "searchValue": "", + "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'", + "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'" }, { "queryName": "Resource Not Using Tags", "severity": "INFO", - "line": 14, - "filename": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_acm_certificate", + "resourceName": "cert", + "searchKey": "aws_acm_certificate[{{cert}}]", + "searchValue": "", + "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null", + "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json index 33e55eeedda..2f50451221e 100644 --- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "REST API With Vulnerable Policy", "severity": "MEDIUM", "line": 15, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api_policy", + "resourceName": "test", + "searchKey": "aws_api_gateway_rest_api_policy[test].policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_rest_api_policy[test].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_api_gateway_rest_api_policy[test].policy has wildcard in 'Action' or 'Principal'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index b9701be2aa2..346ad53db77 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index 87e158ac96f..b8aa0eea650 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index a5ef5c51455..5c51971ad56 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 778b7cad94f..0c5076fb9fe 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 235e2957902..49ea6c17007 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 26052310d14..305c71805ad 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index b95a680f239..efb1c9dd352 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index ed344d9f4b6..e1d81329d60 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index 525fe5c1c92..9d798ec4014 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 832085a4c0e..47105681bc7 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index ab36af18cc2..2aa287cdfcf 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json index 15cbd75d72d..0a6877fa64f 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index fd4e74f0462..9cd0ad6703a 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 6d0b68ceaa4..c89df2361a1 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index f69e886cad1..1dc78bdb5d2 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 4c3ee4591ee..0b6a24e2c12 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index eff25985df7..0069f76ecb9 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index d8772c4e53d..fd11bdc17a1 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index c0d1c5dc6c7..ad32b6503e8 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 8ba4d93171e..ead7cfbf6a7 100644 --- a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", - "line": 2, - "fileName": "positive1.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].status", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'", + "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'" }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", - "line": 4, - "fileName": "positive2.tf" + "line": 2, + "filename": "positive1.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1]", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive1].status' should be defined and set to 'Inactive'", + "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json index 77946d4c1b8..65d6c98fc0f 100644 --- a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Route53 Record Undefined", - "severity": "HIGH", - "line": 8 - } -] + { + "queryName": "Route53 Record Undefined", + "severity": "HIGH", + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_route53_record", + "resourceName": "test.example.com", + "searchKey": "aws_route53_record[example].records", + "searchValue": "", + "expectedValue": "aws_route53_record.records should be defined", + "actualValue": "aws_route53_record.records is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 6bbb854489c..2432cba3b11 100644 --- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive1].policy.Principal should not equal to, nor contain '*'", + "actualValue": "aws_s3_bucket_policy[positive1].policy.Principal is equal to or contains '*'" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Principal' should not equal to, nor contain '*'", + "actualValue": "'policy.Principal' is equal to or contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 67dc0436485..302dd6aef79 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].acl=public-read", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 16, - "fileName": "positive2.tf" + "line": 20, + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 6, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read-write'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 6, - "fileName": "positive4.tf" + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].acl=public-read-write", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read-write'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 20, - "fileName": "positive5.tf" + "filename": "positive6.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 20, - "fileName": "positive6.tf" + "line": 6, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 61a32dc2ac8..8619423f1d7 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 16, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket[positive1].acl should be private", + "actualValue": "aws_s3_bucket[positive1].acl is authenticated-read" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should be private", + "actualValue": "'acl' is authenticated-read" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 20, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[example_bucket_acl].acl is authenticated-read" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json index 856b0ebf754..bc6051dbe53 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission", "severity": "CRITICAL", "line": 16, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example", + "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant.permission", + "searchValue": "", + "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl" }, { "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission", "severity": "CRITICAL", "line": 23, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example", + "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant[1].permission", + "searchValue": "", + "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index 41c4374ceb8..dddc1b03634 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive1].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive1].policy.Action is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 4, - "fileName": "positive2.tf" + "line": 37, + "filename": "positive6.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive6}", + "searchKey": "aws_s3_bucket_policy[positive6].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 12, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'Delete' action", + "actualValue": "'policy.Statement.Action' is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 37, - "fileName": "positive4.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 37, - "fileName": "positive5.tf" + "filename": "positive4.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive4}", + "searchKey": "aws_s3_bucket_policy[positive4].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive4].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive4].policy.Action is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 37, - "fileName": "positive6.tf" + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive5}", + "searchKey": "aws_s3_bucket_policy[positive5].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive5].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index 7981794f047..458993abfc3 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 17, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy.Action", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Get' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Get' action" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 42, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive3].policy.Action", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive3].policy.Action should not be a 'Get' action", + "actualValue": "aws_s3_bucket_policy[positive3].policy.Action is a 'Get' action" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 23, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy.Action", + "searchValue": "", + "expectedValue": "module[s3_bucket].policy.Action should not be a 'Get' action", + "actualValue": "module[s3_bucket].policy.Action is a 'Get' action" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 1e69808740d..d543e5d5943 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 4, - "fileName": "positive2.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 12, - "fileName": "positive3.tf" + "line": 4, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index dfa66d99198..37d5aeced43 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2].block_public_acls", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is equal 'false'" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.tf" + "line": 18, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive3", + "searchKey": "aws_s3_bucket_public_access_block[positive3]", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is missing" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is missing" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 8, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].block_public_acls", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is equal 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 0e3bc74d02b..1c44261a301 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action should not be a 'Put' action", + "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", - "line": 5, - "fileName": "positive2.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'Put' action", + "actualValue": "'policy.Statement.Action' is a 'Put' action" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", - "line": 12, - "fileName": "positive3.tf" + "line": 5, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action should not be a 'Put' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 7bfe21c6235..6584d99c955 100644 --- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null" }, { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 14, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-example-bucket", + "searchKey": "aws_s3_bucket[examplee]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null" }, { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json index d2ca784af21..6fa8daf276e 100644 --- a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json @@ -2,73 +2,145 @@ { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 6, - "fileName": "positive1.tf" - }, - { - "queryName": "S3 bucket notifications disabled", - "severity": "LOW", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive10.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic1]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null" }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 14, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic]", + "searchValue": "", + "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive11.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null" }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 1, - "fileName": "positive5.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue2]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue2 is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive6.tf" + "filename": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic2]", + "searchValue": "", + "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive7.tf" + "filename": "positive5.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive8.tf" + "filename": "positive7.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic]", + "searchValue": "", + "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive9.tf" + "filename": "positive6.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive10.tf" + "filename": "positive8.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive11.tf" + "filename": "positive12.tf", + "resourceType": "aws_lambda_function", + "resourceName": "aws_lambda_function", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null" }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 1, - "fileName": "positive12.tf" + "line": 6, + "filename": "positive9.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification " + }, + { + "queryName": "S3 bucket notifications disabled", + "severity": "LOW", + "line": 14, + "filename": "positive3.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func2", + "searchKey": "aws_lambda_function[func2]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification " } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json index 63d60edca4a..24aec265596 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[example].event_selector", + "searchValue": "", + "expectedValue": "'read_write_type' should be defined and not null", + "actualValue": "'read_write_type' is undefined or null" }, { "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[example2].event_selector.read_write_type", + "searchValue": "", + "expectedValue": "'read_write_type' should be set to 'All'", + "actualValue": "'read_write_type' is not set to 'All'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json index 56dd83eff00..deed22ebeff 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "S3 Bucket Object Not Encrypted", "severity": "HIGH", "line": 14, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_object", + "resourceName": "${aws_s3_bucket.examplebucket.id}", + "searchKey": "aws_s3_bucket_object[{{examplebucket_object}}]", + "searchValue": "", + "expectedValue": "aws_s3_bucket_object.server_side_encryption should be defined and not null", + "actualValue": "aws_s3_bucket_object.server_side_encryption is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json index 8aeb9a50521..3c1d1bbd1fa 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy' should not accept HTTP Requests", + "actualValue": "'policy' accepts HTTP Requests" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[b].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[b].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket_policy[b].policy accepts HTTP Requests" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.tf" + "line": 32, + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "a", + "searchKey": "aws_s3_bucket[pos5].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 32, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "a", + "searchKey": "aws_s3_bucket[pos4].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket[pos4].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[pos4].policy accepts HTTP Requests" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 32, - "fileName": "positive5.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json index ad88c555262..20e75ae1f4e 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", - "line": 16, - "filename": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by public access block", + "actualValue": "S3 Bucket public ACL is overridden by public access block" }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", - "line": 7, - "filename": "positive2.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "bucket-with-public-acl-3", + "searchKey": "aws_s3_bucket[public-bucket].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block" }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", "line": 20, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 8d782699d0b..0bab1bb9504 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 5, - "fileName": "positive1.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal" }, { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 12, - "fileName": "positive2.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "S3B_181355", + "searchKey": "aws_s3_bucket[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 8eb282dc0e2..229983e651f 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.tf" + "line": 7, + "filename": "positive7.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf" + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 9, - "filename": "positive3.tf" + "line": 11, + "filename": "positive8.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 9, - "filename": "positive4.tf" + "line": 2, + "filename": "positive9.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": "aws_s3_account_public_access_block[allow_public_acc].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.tf" + "line": 9, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 5, - "filename": "positive6.tf" + "line": 9, + "filename": "positive4.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 7, - "filename": "positive7.tf" + "line": 1, + "filename": "positive10.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": "aws_s3_account_public_access_block[allow_public_acc]", + "searchValue": "", + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 11, - "filename": "positive8.tf" + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 2, - "filename": "positive9.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 1, - "filename": "positive10.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 77bc3176924..23df0f100be 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.tf" + "line": 16, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.tf" + "line": 26, + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_cors_configuration", + "resourceName": "example", + "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 16, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 26, - "fileName": "positive5.tf" + "line": 27, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json index 63c2be9e202..78281432282 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json @@ -3,60 +3,120 @@ "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 23, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 25, - "fileName": "positive2.tf" + "line": 10, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.mfa_delete", + "searchValue": "", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is set to false" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 24, - "fileName": "positive3.tf" + "line": 25, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].versioning.mfa_delete", + "searchValue": "", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is set to false" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 23, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 8, - "fileName": "positive4.tf" + "line": 28, + "filename": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example2", + "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete", + "searchValue": "", + "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 10, - "fileName": "positive5.tf" + "line": 8, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 8, - "fileName": "positive6.tf" + "line": 23, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 9, - "fileName": "positive6.tf" + "line": 24, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 28, - "fileName": "positive7.tf" + "line": 8, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 27, - "fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example", + "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", + "searchValue": "", + "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.status' is set to 'Disabled'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index 1eaad588316..22f5f6c0897 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is missing" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.tf" + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is equal 'false'" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2]", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is missing" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is equal 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index e50007430c7..f643854c265 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -3,12 +3,48 @@ "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 13, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "filename": "negative1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'" + }, + { + "queryName": "S3 Bucket Without Restriction Of Public Bucket", + "severity": "MEDIUM", + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'" + }, + { + "queryName": "S3 Bucket Without Restriction Of Public Bucket", + "severity": "MEDIUM", + "line": 8, + "filename": "negative2.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 4676cedc78b..ca513978298 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 24, - "fileName": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is set to false" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 23, - "fileName": "positive3.tf" + "line": 27, + "filename": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example", + "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", + "searchValue": "", + "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.status' is set to 'Suspended'" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 10, - "fileName": "positive4.tf" + "line": 24, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is set to false" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is undefined or null" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.tf" + "line": 14, + "filename": "positive8.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b2]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 27, - "fileName": "positive7.tf" + "line": 1, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 14, - "fileName": "positive8.tf" + "line": 23, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 1f7bdb12744..386b433f72a 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", - "line": 18, - "fileName": "positive1.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].website", + "searchValue": "", + "expectedValue": "'website' to not have static websites inside", + "actualValue": "'website' does have static websites inside" }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", - "line": 12, - "fileName": "positive2.tf" + "line": 18, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "s3-website-test.hashicorp.com", + "searchKey": "resource.aws_s3_bucket[positive1].website", + "searchValue": "", + "expectedValue": "resource.aws_s3_bucket[positive1].website to not have static websites inside", + "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside" }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 15, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[buc]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket' to not have 'aws_s3_bucket_website_configuration' associated", + "actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json index fdcc66ac487..19c75c3aa0a 100644 --- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Sagemaker Endpoint Configuration Encryption Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_sagemaker_endpoint_configuration", + "resourceName": "my-endpoint-config", + "searchKey": "aws_sagemaker_endpoint_configuration[positive]", + "searchValue": "", + "expectedValue": "aws_sagemaker_endpoint_configuration[positive] should be defined and not null", + "actualValue": "aws_sagemaker_endpoint_configuration[positive] is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json index 44f24216665..a02f3e70535 100644 --- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Sagemaker Notebook Instance Without KMS", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_sagemaker_notebook_instance", + "resourceName": "my-notebook-instance", + "searchKey": "aws_sagemaker_notebook_instance[{{ni}}]", + "searchValue": "", + "expectedValue": "aws_sagemaker_notebook_instance.kms_key_id should be defined and not null", + "actualValue": "aws_sagemaker_notebook_instance.kms_key_id is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json index cf616bbf4f3..22e18c5763c 100644 --- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Secrets Manager With Vulnerable Policy", "severity": "HIGH", "line": 12, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_secretsmanager_secret_policy", + "resourceName": "example", + "searchKey": "aws_secretsmanager_secret_policy[example].policy", + "searchValue": "", + "expectedValue": "aws_secretsmanager_secret_policy[example].policy should not have wildcard in 'Principal' and 'Action'", + "actualValue": "aws_secretsmanager_secret_policy[example].policy has wildcard in 'Principal' or 'Action'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json index aeec1843978..59ab109cd2f 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_secretsmanager_secret", + "resourceName": "test-cloudrail-1", + "searchKey": "aws_secretsmanager_secret[test2].kms_key_id", + "searchValue": "", + "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key", + "actualValue": "Secrets Manager secret is encrypted with AWS managed key" }, { "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_secretsmanager_secret", + "resourceName": "test-cloudrail-1", + "searchKey": "aws_secretsmanager_secret[test].kms_key_id", + "searchValue": "", + "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key", + "actualValue": "Secrets Manager secret is encrypted with AWS managed key" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index d3799197712..354203060d9 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_secretsmanager_secret", + "resourceName": "example", + "searchKey": "aws_secretsmanager_secret[{{example}}]", + "searchValue": "", + "expectedValue": "aws_secretsmanager_secret.kms_key_id should be defined and not null", + "actualValue": "aws_secretsmanager_secret.kms_key_id is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json index 7de94a38420..32f6bb5d90e 100644 --- a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version should start with TLSv1.1 or TLSv1.2", + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json index d8ffad946ed..93cbfa14b8d 100644 --- a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json @@ -2,109 +2,217 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 3, - "filename": "positive1.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 11, - "filename": "positive1.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[1].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 3, - "filename": "positive2.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].egress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].egress.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 10, - "filename": "positive2.tf" + "line": 55, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 20, - "filename": "positive2.tf" + "line": 40, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 27, - "filename": "positive2.tf" + "line": 8, + "filename": "positive4.tf", + "resourceType": "aws_vpc_security_group_egress_rule", + "resourceName": "positive4-2", + "searchKey": "aws_vpc_security_group_egress_rule[positive4-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_egress_rule[positive4-2].description should be defined and not null", + "actualValue": "aws_vpc_security_group_egress_rule[positive4-2].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 1, - "filename": "positive3.tf" + "line": 21, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 10, - "filename": "positive3.tf" + "line": 12, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 1, - "filename": "positive4.tf" + "line": 20, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 8, - "filename": "positive4.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].ingress.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 6, - "filename": "positive5.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive4-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", + "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 12, - "filename": "positive5.tf" + "line": 6, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 21, - "filename": "positive5.tf" + "line": 46, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 27, - "filename": "positive5.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 40, - "filename": "positive5.tf" + "line": 27, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 46, - "filename": "positive5.tf" + "line": 27, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 55, - "filename": "positive5.tf" + "line": 61, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 61, - "filename": "positive5.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 989ca124d35..42c3bd738b4 100644 --- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,103 +2,205 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.tf" + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.tf" + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.tf" + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 60, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 73, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) should not be open", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 87, - "fileName": "positive1.tf" + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 101, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.tf" + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.tf" + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.tf" + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 30, - "fileName": "positive4.tf" + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 49, - "fileName": "positive4.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 63, - "fileName": "positive4.tf" + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 82, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 96, - "fileName": "positive4.tf" + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json index a5367983018..511bd389136 100644 --- a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Security Group Without Description", "severity": "INFO", - "line": 1, - "filename": "positive1.tf" + "line": 7, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-2", + "searchKey": "aws_security_group[positive1-2]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2] description should be defined and not null", + "actualValue": "aws_security_group[positive1-2] description is undefined or null" }, { "queryName": "Security Group Without Description", "severity": "INFO", - "line": 7, - "filename": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2-1]", + "searchValue": "", + "expectedValue": "module[positive2-1] description should be defined and not null", + "actualValue": "module[positive2-1] description is undefined or null" }, { "queryName": "Security Group Without Description", "severity": "INFO", - "line": 1, - "filename": "positive2.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2-2]", + "searchValue": "", + "expectedValue": "module[positive2-2] description should be defined and not null", + "actualValue": "module[positive2-2] description is undefined or null" }, { "queryName": "Security Group Without Description", "severity": "INFO", - "line": 10, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-1", + "searchKey": "aws_security_group[positive1-1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1] description should be defined and not null", + "actualValue": "aws_security_group[positive1-1] description is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json index 3ccca1415d6..7c0cd43dfdd 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json @@ -2,49 +2,97 @@ { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 8, - "filename": "positive1.tf" + "line": 15, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused-sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused-sg]' should be used", + "actualValue": "'aws_security_group[unused-sg]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 15, - "filename": "positive2.tf" + "line": 19, + "filename": "positive3.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 19, - "filename": "positive3.tf" + "line": 1, + "filename": "positive8.tf", + "resourceType": "aws_security_group", + "resourceName": "default_name", + "searchKey": "aws_security_group[default_name]", + "searchValue": "", + "expectedValue": "'aws_security_group[default_name]' should be used", + "actualValue": "'aws_security_group[default_name]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 21, - "filename": "positive4.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[allow_tls]", + "searchValue": "", + "expectedValue": "'aws_security_group[allow_tls]' should be used", + "actualValue": "'aws_security_group[allow_tls]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 1, - "filename": "positive5.tf" + "filename": "positive6.tf", + "resourceType": "aws_security_group", + "resourceName": "default_name", + "searchKey": "aws_security_group[default_name]", + "searchValue": "", + "expectedValue": "'aws_security_group[default_name]' should be used", + "actualValue": "'aws_security_group[default_name]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 1, - "filename": "positive6.tf" + "line": 21, + "filename": "positive4.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 19, - "filename": "positive7.tf" + "line": 1, + "filename": "positive5.tf", + "resourceType": "aws_security_group", + "resourceName": "example", + "searchKey": "aws_security_group[example]", + "searchValue": "", + "expectedValue": "'aws_security_group[example]' should be used", + "actualValue": "'aws_security_group[example]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 1, - "filename": "positive8.tf" + "line": 19, + "filename": "positive7.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index c23d7e9ca83..74b44bb662e 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,241 +2,481 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 3, - "filename": "positive1.tf" + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 3, - "filename": "positive1.tf" + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 12, - "filename": "positive1.tf" + "line": 44, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 21, - "filename": "positive1.tf" + "line": 52, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, - "filename": "positive1.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 38, - "filename": "positive1.tf" + "line": 23, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 38, - "filename": "positive1.tf" + "line": 60, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 47, - "filename": "positive1.tf" + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 56, - "filename": "positive1.tf" + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 63, - "filename": "positive1.tf" + "line": 53, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive2.tf" + "line": 39, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive2.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 9, - "filename": "positive2.tf" + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 16, - "filename": "positive2.tf" + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 23, - "filename": "positive2.tf" + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "filename": "positive2.tf" + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "filename": "positive2.tf" + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 39, - "filename": "positive2.tf" + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 46, - "filename": "positive2.tf" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 53, - "filename": "positive2.tf" + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive3.tf" + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive3.tf" + "line": 17, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 10, - "filename": "positive3.tf" + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 18, - "filename": "positive3.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 26, - "filename": "positive3.tf" + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36, - "filename": "positive3.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 44, - "filename": "positive3.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 52, - "filename": "positive3.tf" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 60, - "filename": "positive3.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 5, - "filename": "positive4.tf" + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 5, - "filename": "positive4.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 11, - "filename": "positive4.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 17, - "filename": "positive4.tf" + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 23, - "filename": "positive4.tf" + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 35, - "filename": "positive4.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 35, - "filename": "positive4.tf" + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, - "filename": "positive4.tf" + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 47, - "filename": "positive4.tf" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 53, - "filename": "positive4.tf" + "line": 56, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 96931d2a0c3..81b82411ff7 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -1,242 +1,482 @@ [ { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 3, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 3, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 12, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 23, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 21, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 27, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 38, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 47, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 60, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 56, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 63, - "filename": "positive1.tf" + "severity": "MEDIUM", + "line": 52, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 53, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 16, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 23, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 32, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 32, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 39, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 46, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 53, - "filename": "positive2.tf" + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 2, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 56, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 2, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 10, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 18, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 26, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 36, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 17, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 36, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 44, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 44, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 52, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 60, - "filename": "positive3.tf" + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 17, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 23, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 35, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 41, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 47, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 39, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 53, - "filename": "positive4.tf" + "severity": "MEDIUM", + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 721ee508a9a..119c50c640d 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -2,241 +2,481 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 3, - "filename": "positive1.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 3, - "filename": "positive1.tf" + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 12, - "filename": "positive1.tf" + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 21, - "filename": "positive1.tf" + "line": 23, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 27, - "filename": "positive1.tf" + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 38, - "filename": "positive1.tf" + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 38, - "filename": "positive1.tf" + "line": 56, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 47, - "filename": "positive1.tf" + "line": 53, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 56, - "filename": "positive1.tf" + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 63, - "filename": "positive1.tf" + "line": 60, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, - "filename": "positive2.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, - "filename": "positive2.tf" + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 9, - "filename": "positive2.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 16, - "filename": "positive2.tf" + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 23, - "filename": "positive2.tf" + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 32, - "filename": "positive2.tf" + "line": 39, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 32, - "filename": "positive2.tf" + "line": 52, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 39, - "filename": "positive2.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 46, - "filename": "positive2.tf" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 53, - "filename": "positive2.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, - "filename": "positive3.tf" + "line": 44, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 10, - "filename": "positive3.tf" + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 18, - "filename": "positive3.tf" + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 26, - "filename": "positive3.tf" + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, - "filename": "positive3.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, - "filename": "positive3.tf" + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 44, - "filename": "positive3.tf" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 52, - "filename": "positive3.tf" + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 60, - "filename": "positive3.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 5, - "filename": "positive4.tf" + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 5, - "filename": "positive4.tf" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 11, - "filename": "positive4.tf" + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 17, - "filename": "positive4.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 23, - "filename": "positive4.tf" + "line": 17, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 35, - "filename": "positive4.tf" + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 35, - "filename": "positive4.tf" + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 41, - "filename": "positive4.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 47, - "filename": "positive4.tf" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 53, - "filename": "positive4.tf" + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json index 54eabf1329b..bb9e8c49ce6 100644 --- a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Service Control Policies Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_organizations_organization", + "resourceName": "positive1", + "searchKey": "aws_organizations_organization[positive1].feature_set", + "searchValue": "", + "expectedValue": "'feature_set' should be set to 'ALL' or undefined", + "actualValue": "'feature_set' is set to 'CONSOLIDATED_BILLING'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json index e4ff470c989..cd1745c3c87 100644 --- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SES Policy With Allowed IAM Actions", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ses_identity_policy", + "resourceName": "example", + "searchKey": "aws_ses_identity_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy' should not allow IAM actions to all principals", + "actualValue": "'policy' allows IAM actions to all principals" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json index 28729391b1d..b40736a9407 100644 --- a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_eip", + "resourceName": "positive1", + "searchKey": "aws_eip[positive1]", + "searchValue": "", + "expectedValue": "aws_eip has shield advanced associated", + "actualValue": "aws_eip does not have shield advanced associated" }, { "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_route53_zone", + "resourceName": "example.com", + "searchKey": "aws_route53_zone[positive2]", + "searchValue": "", + "expectedValue": "aws_route53_zone has shield advanced associated", + "actualValue": "aws_route53_zone does not have shield advanced associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json index 0981ea3bf62..0e0a29db2ad 100644 --- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "SNS Topic Encrypted With AWS Managed Key", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "aws_sns_topic", + "resourceName": "sns_ecnrypted", + "searchKey": "aws_sns_topic[test].kms_master_key_id", + "searchValue": "", + "expectedValue": "SNS Topic should not be encrypted with AWS managed key", + "actualValue": "SNS Topic is encrypted with AWS managed key" }, { "queryName": "SNS Topic Encrypted With AWS Managed Key", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "user-updates-topic", + "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", + "searchValue": "", + "expectedValue": "SNS Topic should not be encrypted with AWS managed key", + "actualValue": "SNS Topic is encrypted with AWS managed key" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index cd70fcac674..d3531f51f30 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 2, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.tf" + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 12, - "fileName": "positive3.tf" + "line": 2, + "filename": "positive5.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 12, - "fileName": "positive4.tf" + "line": 2, + "filename": "positive5.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 2, - "fileName": "positive5.tf" + "line": 12, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 2, - "fileName": "positive5.tf" + "line": 12, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_not_limited_access].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 7, - "fileName": "positive6.tf" + "line": 2, + "filename": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive6.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "fileName": "positive7.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 34, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[2].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[2].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[2].principals[0].identifiers' contains '*' for an AWS Principal" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json index 3e178210b87..21523b98c59 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SNS Topic Not Encrypted", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "user-updates-topic", + "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", + "searchValue": "", + "expectedValue": "SNS Topic should be encrypted", + "actualValue": "SNS Topic is not encrypted" }, { "queryName": "SNS Topic Not Encrypted", "severity": "HIGH", "line": 5, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_sns_topic", + "resourceName": "sns_not_ecnrypted", + "searchKey": "aws_sns_topic[test]", + "searchValue": "", + "expectedValue": "SNS Topic should be encrypted", + "actualValue": "SNS Topic is not encrypted" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 560428c2142..81bd7ccf7c3 100644 --- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", + "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously" }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_sns_topic_policy", + "resourceName": "positive2", + "searchKey": "aws_sns_topic_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_sns_topic_policy[positive2].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", + "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 9f4fb9ef38f..5433d1090b5 100644 --- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -3,102 +3,204 @@ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-1].ingress opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.tf" + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-7].ingress opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 60, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 73, - "fileName": "positive1.tf" + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 87, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group_rule[positive3-2] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 101, - "fileName": "positive1.tf" + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.tf" + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.tf" + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 30, - "fileName": "positive4.tf" + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 49, - "fileName": "positive4.tf" + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 63, - "fileName": "positive4.tf" + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 82, - "fileName": "positive4.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 96, - "fileName": "positive4.tf" + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index 28b216d8473..0f9204212f6 100644 --- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 8, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "positive2", + "searchKey": "aws_sqs_queue_policy[positive2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Action' is equal '*'" }, { "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 12, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Action' is equal '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 6e7fbd9b231..73312d39cdc 100755 --- a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test", + "searchKey": "aws_sqs_queue_policy[test].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 39 + "line": 39, + "filename": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test_aws", + "searchKey": "aws_sqs_queue_policy[test_aws].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 64 + "line": 64, + "filename": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test_aws_array", + "searchKey": "aws_sqs_queue_policy[test_aws_array].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json index f2110c7add2..1c2db859a4a 100644 --- a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "examplequeue", + "searchKey": "aws_sqs_queue[positive1].policy", + "searchValue": "", + "expectedValue": "resource.aws_sqs_queue[positive1].policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "resource.aws_sqs_queue[positive1].policy.Principal does get the queue publicly accessible" }, { "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'policy.Principal' shouldn't get the queue publicly accessible", + "actualValue": "'policy.Principal' does get the queue publicly accessible" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json index eb09d54acff..9e18a9b5a68 100644 --- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SQS VPC Endpoint Without DNS Resolution", "severity": "LOW", "line": 95, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_vpc_endpoint", + "resourceName": "sqs-vpc-endpoint", + "searchKey": "aws_vpc_endpoint[sqs-vpc-endpoint].vpc_id", + "searchValue": "", + "expectedValue": "'enable_dns_support' should be set to true or undefined", + "actualValue": "'enable_dns_support' is set to false" }, { "queryName": "SQS VPC Endpoint Without DNS Resolution", "severity": "LOW", "line": 13, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].enable_dns_support", + "searchValue": "", + "expectedValue": "'enable_dns_support' should be set to true or undefined", + "actualValue": "'enable_dns_support' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json index b83429dea8f..99b8e26dbdb 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive7.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true", + "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive2].kms_master_key_id", + "searchValue": "", + "expectedValue": "aws_sqs_queue.kms_master_key_id should not be ''", + "actualValue": "aws_sqs_queue.kms_master_key_id is ''" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 12, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should not be empty", + "actualValue": "'kms_master_key_id' is empty" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be defined and not null", + "actualValue": "'kms_master_key_id' is undefined or null" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be defined and not null", + "actualValue": "'kms_master_key_id' is undefined or null" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive3.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive3]", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 3, - "fileName": "positive7.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive1]", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json index f7a3c9b578d..1207888783f 100644 --- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "aws_ssm_document", + "resourceName": "test_document", + "searchKey": "aws_ssm_document[positive2].content", + "searchValue": "", + "expectedValue": "'inputs.kmsKeyId' should be defined and not null", + "actualValue": "'inputs.kmsKeyId' is undefined or null" }, { "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "aws_ssm_document", + "resourceName": "test_document", + "searchKey": "aws_ssm_document[positive1].content", + "searchValue": "", + "expectedValue": "'inputs' should be defined and not null", + "actualValue": "'inputs' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json index 2cf5ed333b9..436bd617b0b 100644 --- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "SSO Permission With Inadequate User Session Duration", "severity": "LOW", "line": 6, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "Example", + "searchKey": "aws_ssoadmin_permission_set[example3].session_duration", + "searchValue": "", + "expectedValue": "session_duration should not be higher than 1 hour", + "actualValue": "session_duration is higher than 1 hour" }, { "queryName": "SSO Permission With Inadequate User Session Duration", "severity": "LOW", "line": 14, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "Example", + "searchKey": "aws_ssoadmin_permission_set[example4].session_duration", + "searchValue": "", + "expectedValue": "session_duration should not be higher than 1 hour", + "actualValue": "session_duration is higher than 1 hour" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json index 664f7349db6..ee54a85e47f 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SSO Policy with full privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "pos1", + "searchKey": "aws_ssoadmin_permission_set_inline_policy[pos1].inline_policy", + "searchValue": "", + "expectedValue": "inline_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "inline_policy.Statement.Action is equal to or contains '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json index 68cd68bf846..a1559043527 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "SSO Identity User Unsafe Creation", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_identitystore_user", + "resourceName": "", + "searchKey": "aws_identitystore_user[example]", + "searchValue": "", + "expectedValue": "aws_identitystore_user resource should not be used", + "actualValue": "aws_identitystore_user resource is used" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json index 43f3b791e09..5631fa5a5d1 100644 --- a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Stack Notifications Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'notification_arns' should be set", + "actualValue": "Attribute 'notification_arns' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json index 7a4a46d716e..887207cb36b 100644 --- a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack_set_instance", + "resourceName": "positive1", + "searchKey": "aws_cloudformation_stack_set_instance[positive1].retain_stack", + "searchValue": "", + "expectedValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack should be true ", + "actualValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack_set_instance", + "resourceName": "positive2", + "searchKey": "aws_cloudformation_stack_set_instance[positive2]", + "searchValue": "", + "expectedValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack should be defined and not null", + "actualValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json index eb17c05fc24..cab9abd7791 100644 --- a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Stack Without Template", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set", + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index db60b61449e..b885f5cbaac 100644 --- a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 8, - "fileName": "positive1.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 11, - "fileName": "positive3.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive4.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 9, - "fileName": "positive5.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive6.tf" - } + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 9, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster]", + "searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example", + "searchKey": "aws_rds_cluster[example].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be set to true", + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example", + "searchKey": "aws_rds_cluster[example]", + "searchValue": "", + "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 11, + "filename": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "example", + "searchKey": "aws_db_instance[example].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be set to true", + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "filename": "positive4.tf", + "resourceType": "aws_db_instance", + "resourceName": "example", + "searchKey": "aws_db_instance[example]", + "searchValue": "", + "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined" + } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index cf294ab2f7e..f439fb66b43 100644 --- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -2,103 +2,205 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 26, - "fileName": "positive1.tf" + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 39, - "fileName": "positive1.tf" + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] ports are known", + "actualValue": "aws_security_group[positive1-2].ingress[1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 60, - "fileName": "positive1.tf" + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress ports are known", + "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 73, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 87, - "fileName": "positive1.tf" + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 101, - "fileName": "positive1.tf" + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 7, - "fileName": "positive2.tf" + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress ports are known", + "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 17, - "fileName": "positive2.tf" + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress ports are known", + "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 7, - "fileName": "positive3.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are known", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 17, - "fileName": "positive3.tf" + "line": 44, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 11, - "fileName": "positive4.tf" + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 30, - "fileName": "positive4.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress ports are known", + "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 44, - "fileName": "positive4.tf" + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known", + "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 63, - "fileName": "positive4.tf" + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress ports are known", + "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 82, - "fileName": "positive4.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] ports are known", + "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 96, - "fileName": "positive4.tf" + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] ports are known", + "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 7dd42051ddc..63521eba9bb 100644 --- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -2,109 +2,217 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 6, - "filename": "positive1.tf" - }, - { - "queryName": "Unrestricted Security Group Ingress", - "severity": "HIGH", - "line": 16, - "filename": "positive1.tf" + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 33, - "filename": "positive1.tf" + "line": 22, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 49, - "filename": "positive1.tf" + "line": 48, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 6, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 should not be equal to '0.0.0.0/0'", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 is equal to '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 15, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 should not be equal to '::/0'", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 is equal to '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 24, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 should not be equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 is equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 6, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv4", + "searchKey": "aws_security_group_rule[positive3-ipv4].cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 15, - "filename": "positive3.tf" + "line": 16, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 24, - "filename": "positive3.tf" + "line": 58, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 4, - "filename": "positive4.tf" + "line": 15, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv6_1", + "searchKey": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 10, - "filename": "positive4.tf" + "line": 33, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4_array", + "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 16, - "filename": "positive4.tf" + "line": 24, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv6_2", + "searchKey": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks should not contain '0:0:0:0:0:0:0:0/0'", + "actualValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks contains '0:0:0:0:0:0:0:0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 22, - "filename": "positive4.tf" + "line": 4, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv4].ingress_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv4].ingress_cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-ipv4].ingress_cidr_blocks contains '0.0.0.0/0'" + }, + { + "queryName": "Unrestricted Security Group Ingress", + "severity": "HIGH", + "line": 6, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4", + "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 34, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 48, - "filename": "positive4.tf" + "line": 72, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 58, - "filename": "positive4.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6", + "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 72, - "filename": "positive4.tf" + "line": 49, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6_array", + "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json index 7b15042be08..55527841a3e 100644 --- a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 1 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "img_p_1", + "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push", + "searchValue": "", + "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true", + "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 11 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "img_p_2", + "searchKey": "aws_ecr_repository[positive1]", + "searchValue": "", + "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined", + "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index fed5ff19d06..7b43a67badb 100644 --- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" + "line": 11, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3].user_data_base64", + "searchValue": "", + "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", + "actualValue": "'user_data_base64' contains RSA Private Key" }, { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2].user_data_base64", + "searchValue": "", + "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", + "actualValue": "'user_data_base64' contains RSA Private Key" }, { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", - "line": 11, - "fileName": "positive3.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "positive1", + "searchKey": "aws_launch_configuration[positive1].user_data_base64", + "searchValue": "", + "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key", + "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index a5187a85df5..86fece58bd3 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index fadf1f82e70..6506b6d3887 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index cc364849975..bfe335e4541 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index f13a564510c..65dec54b285 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index cfa007e434e..7b68a3acc0f 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 91f4cdc0430..221f4ff9051 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 143dfff1de7..7743f71e7f9 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index b352f43641b..cc76bb32da3 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index 879bd188148..d836714b8fc 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 0c13f4076a7..243d3547686 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 1a3d09d345f..607020b0631 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 4cee4fa0fd8..89e1f94c3c0 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index a91dbda2cc9..02631e87c98 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 8b92368e2b1..36eac1c4ad6 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 77d75f77411..addbd6ba4de 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 2f7cf644813..50d9b999ae7 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index 89f59bd7941..6aa1d8472a4 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index f7792753ab7..d2c8c2832d0 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 86b7d699b34..34e08533f35 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json index 01328bc7e3e..9eaad036e10 100644 --- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 8, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default", + "searchKey": "aws_default_security_group[{{default}}].egress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 17, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default", + "searchKey": "aws_default_security_group[{{default}}].ingress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 8, - "fileName": "positive2.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks", + "searchValue": "", + "expectedValue": "'egress' should be undefined", + "actualValue": "'egress' accepts all traffic" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 18, - "fileName": "positive2.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].ingress.ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "'ingress' should be undefined", + "actualValue": "'ingress' accepts all traffic" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 14, - "fileName": "positive2.tf" + "line": 18, + "filename": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].egress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default3}}] should not have 'egress' defined", + "actualValue": "aws_default_security_group[{{default3}}] has 'egress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 23, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].ingress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index 3785d8deeae..48a40278c01 100644 --- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf" + "line": 14, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.enable_flow_log", + "searchValue": "", + "expectedValue": "vpc.enable_flow_log should be set to true", + "actualValue": "vpc.enable_flow_log is set to false" }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc", + "searchValue": "", + "expectedValue": "vpc.enable_flow_log should be set to true", + "actualValue": "vpc.enable_flow_log is undefined" }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_vpc", + "resourceName": "main", + "searchKey": "aws_vpc[main]", + "searchValue": "", + "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id", + "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id" }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive4.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_flow_log", + "resourceName": "example", + "searchKey": "aws_flow_log[example]", + "searchValue": "", + "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null", + "actualValue": "aws_flow_log[example].vpc_id is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json index ba50c0dd7dd..30bf43d9f5a 100644 --- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", - "line": 118, - "fileName": "positive1.tf" + "line": 132, + "filename": "positive2.tf", + "resourceType": "aws_route", + "resourceName": "private_route2", + "searchKey": "aws_route[private_route2]", + "searchValue": "", + "expectedValue": "aws_route[private_route2] restricts CIDR", + "actualValue": "aws_route[private_route2] does not restrict CIDR" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", - "line": 132, - "fileName": "positive2.tf" + "line": 118, + "filename": "positive1.tf", + "resourceType": "aws_route", + "resourceName": "public_route_table", + "searchKey": "aws_route_table[public_route_table].route", + "searchValue": "", + "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", - "line": 118, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive4.tf", + "resourceType": "aws_route", + "resourceName": "art_nat_gw_out", + "searchKey": "aws_route_table[art_nat_gw_out].route", + "searchValue": "", + "expectedValue": "aws_route_table[art_nat_gw_out].route restricts CIDR", + "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", - "line": 9, - "fileName": "positive4.tf" + "line": 118, + "filename": "positive3.tf", + "resourceType": "aws_route", + "resourceName": "public_route_table", + "searchKey": "aws_route_table[public_route_table].route", + "searchValue": "", + "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json index a34fb706958..116bb1b1db6 100644 --- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc", + "searchValue": "", + "expectedValue": "vpc.map_public_ip_on_launch should be set to false", + "actualValue": "vpc.map_public_ip_on_launch is set undefined" }, { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive1.tf", + "resourceType": "aws_subnet", + "resourceName": "Positive", + "searchKey": "aws_subnet[positive].map_public_ip_on_launch", + "searchValue": "", + "expectedValue": "aws_subnet[positive].map_public_ip_on_launch should be set to false or undefined", + "actualValue": "aws_subnet[positive].map_public_ip_on_launch is set to true" }, { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.map_public_ip_on_launch", + "searchValue": "", + "expectedValue": "vpc.map_public_ip_on_launch should be set to false", + "actualValue": "vpc.map_public_ip_on_launch is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json index 6894110f441..b58d641838c 100644 --- a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_vpc", + "resourceName": "positive", + "searchKey": "aws_vpc[positive]", + "searchValue": "", + "expectedValue": "aws_vpc[positive] has an 'aws_networkfirewall_firewall' associated", + "actualValue": "aws_vpc[positive] does not have an 'aws_networkfirewall_firewall' associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 4c65ef315d2..e133d7def4a 100644 --- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 5 + "line": 88, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive3", + "searchKey": "aws_cloudfront_distribution[positive3].viewer_certificate", + "searchValue": "cloudfront_default_certificate", + "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 88 + "line": 134, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "minimum_protocol_version", + "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'minimum_protocol_version' is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "ssl_support_method", + "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'ssl_support_method' is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 134 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "aws_cloudfront_distribution[positive2]", + "searchValue": "", + "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null", + "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json index 73ed7cba6aa..d060b8049e8 100644 --- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 11, - "filename": "positive1.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_4", + "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 12, - "filename": "positive2.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example", + "searchKey": "aws_workspaces_workspace[{{example}}].workspace_properties.user_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 11, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_3", + "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_3", + "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.user_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 6, - "filename": "positive4.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_2", + "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 7, - "filename": "positive4.tf" + "line": 6, + "filename": "positive4.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_4", + "searchKey": "aws_workspaces_workspace[{{example_4}}].root_volume_encryption_enabled", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json index 3947db2a18e..3d390cdb6ff 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json @@ -2,13 +2,13 @@ { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Service Health Not Configured", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive6_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "", + "searchKey": "azurerm_subscription[positive6]", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 8ef8308aeee..0375911bc73 100644 --- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "AD Admin Not Configured For SQL Server", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mysqlserver1", + "searchKey": "azurerm_sql_server[positive2]", + "searchValue": "", + "expectedValue": "A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]'", + "actualValue": "A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index 2c7d9931142..9a8f6feb23a 100644 --- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[positive2].admin_enabled", + "searchValue": "", + "expectedValue": "'admin_enabled' equal 'false'", + "actualValue": "'admin_enabled' equal 'true'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json index 05ecb80f66a..1955cf168bc 100644 --- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "AKS Disk Encryption Set ID Undefined", "severity": "LOW", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' should be defined and not null", + "actualValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index 7006cce495b..747d34c4761 100644 --- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 21 + "line": 69, + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'", + "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne" }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 26 + "line": 21, + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive1].network_profile", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' should be set to either 'azure' or 'calico'", + "actualValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' is undefined" }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 69 + "line": 26, + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks2", + "searchKey": "azurerm_kubernetes_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive2].network_profile' should be set", + "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json index 96f56ad6e79..c4a68c0df33 100644 --- a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "AKS Private Cluster Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined" }, { "queryName": "AKS Private Cluster Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 7, + "filename": "positive1.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json index c846921fc48..5d7789ec977 100644 --- a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' is not set to true" }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 35, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks2", + "searchKey": "azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' is not set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json index b2c5b7e2db4..fa3e4b791cf 100644 --- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", - "line": 11, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive4.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive4]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies", + "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "positive3", + "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", - "line": 1, - "fileName": "positive4.tf" + "line": 11, + "filename": "positive1.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "positive1", + "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json index 2ff2155dcde..06b84da28f1 100644 --- a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 31, - "fileName": "positive1.tf" + "line": 34, + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 35, - "fileName": "positive1.tf" + "line": 39, + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 15, - "fileName": "positive2.tf" + "line": 38, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.tf" + "line": 31, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 38, - "fileName": "positive2.tf" + "line": 35, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1].log.enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' has the 'enabled' field set to 'false' instead of 'true'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 34, - "fileName": "positive3.tf" + "line": 15, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 39, - "fileName": "positive3.tf" + "line": 33, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json index d85adf37378..8b1f8faa537 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive6.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive5.tf" + "line": 11, + "filename": "positive14.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive6.tf" + "filename": "positive10.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", + "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive8.tf" + "line": 6, + "filename": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive9.tf" + "line": 9, + "filename": "positive11.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive10.tf" + "line": 6, + "filename": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive11.tf" + "line": 11, + "filename": "positive12.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive12.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive13.tf" + "filename": "positive13.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive14.tf" + "line": 7, + "filename": "positive8.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json index b0b891fa9e1..c841fdd1796 100644 --- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_app_service[positive1].site_config.ftps_state' is set to 'AllAllowed'" }, { "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "positive2", + "searchKey": "azurerm_linux_web_app[positive2].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' is set to 'AllAllowed'" }, { "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive3", + "searchKey": "azurerm_windows_web_app[positive3].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' is set to 'AllAllowed'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json index bd6cfd298dd..e6cabb3e6ef 100644 --- a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive6.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive3.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive4].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive5.tf" + "line": 21, + "filename": "positive3.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive6.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive8]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive8].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive8].site_config' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive9.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json index b37828fec54..a4db467da03 100644 --- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].identity' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1-1].identity' is undefined or null" }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive1-2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive1-2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive1-2].identity' is undefined or null" }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive1-3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive1-3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive1-3].identity' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 94a103e1fcd..84ba11e0fd5 100644 --- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.tf" + "line": 43, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 23, - "fileName": "positive1.tf" + "line": 20, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 20, - "fileName": "positive2.tf" + "line": 23, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' is not set to '1.2'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 43, - "fileName": "positive2.tf" + "line": 20, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 20, - "fileName": "positive3.tf" + "line": 43, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 43, - "fileName": "positive3.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json index af3369be556..def7188ed86 100644 --- a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_linux_web_app_slot[positive2]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service_slot", + "resourceName": "${random_id.server.hex}", + "searchKey": "azurerm_app_service_slot[positive1]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_windows_web_app_slot[positive3]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json index bbc8ad57827..3b41e59e79d 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", - "line": 25, - "fileName": "positive2.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", - "line": 26, - "fileName": "positive3.tf" + "line": 25, + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json index 1f732fee823..27ab98de006 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json index 91d2eee41fa..8180cb3c0a7 100644 --- a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Azure Active Directory Authentication", "severity": "LOW", - "line": 19, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "example-servicefabric", + "searchKey": "azurerm_service_fabric_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null" }, { "queryName": "Azure Active Directory Authentication", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 19, + "filename": "positive1.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "positive1", + "searchKey": "azurerm_service_fabric_cluster[positive1].azure_active_directory", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json index 51f53fa12ff..e1a3e6ad839 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 27, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 58, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 27, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 41, - "fileName": "positive1.tf" + "line": 33, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-4]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 58, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 30, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-4]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 41, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-5]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 30, - "fileName": "positive2.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' is set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.tf" + "line": 30, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' or 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' and 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' are set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 33, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' is set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' or 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' and 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' are set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.tf" + "line": 14, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json index 3e237b95c0c..4ab1be8e9fa 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null" }, { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 6, + "filename": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json index a55c056c993..29b1e9898c5 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 11 + "line": 17, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", + "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'" }, { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 17 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", + "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index a1135b0d7d6..5559bd7ad67 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[acr]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'", + "actualValue": "'azurerm_container_registry[acr] scope' does not contain azurerm_management_lock'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json index 2963574a101..92d0ab2ff1c 100644 --- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Azure Front Door WAF Disabled", "severity": "LOW", "line": 38, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "exampleFrontendEndpoint1", + "searchKey": "azurerm_frontdoor[positive].frontend_endpoint", + "searchValue": "", + "expectedValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' should be defined and not null", + "actualValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 43fe5a014b0..6238af28ed6 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.tf" + "line": 9, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive3-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' is set to 'false'" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.tf" + "line": 8, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_linux_virtual_machine[positive2].disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json index 28409aaffa7..d329150101b 100644 --- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 1 + "line": 18, + "filename": "positive1.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive2-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'" }, { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 18 + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive1-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json index e8f3a037e3a..b5bfbf55d1f 100644 --- a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Beta - Backup Vault Without Soft Delete", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive].soft_delete", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' should not be set to 'off'", + "actualValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' is set to 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json index a64968ceb9f..5ad59cb1506 100644 --- a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Beta - Blob Storage Without Soft Delete", "severity": "HIGH", - "line": 1 + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'", + "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'" }, { "queryName": "Beta - Blob Storage Without Soft Delete", "severity": "HIGH", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].blob_properties.delete_retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null" }, { "queryName": "Beta - Blob Storage Without Soft Delete", "severity": "HIGH", - "line": 32 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].blob_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json index c7e794f2269..4e6dd734eec 100644 --- a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Container App Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_container_app", + "resourceName": "example-app", + "searchKey": "azurerm_container_app[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json index 14401d8bbd1..79d7eac8029 100644 --- a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Container Group Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_container_group", + "resourceName": "example-continst", + "searchKey": "azurerm_container_group[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' and 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json index 56b4b8144b1..9b9d81e09b6 100644 --- a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", "severity": "LOW", - "line": 1, - "filename": "positive1.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "azurerm_container_group", + "resourceName": "cg-positive2", + "searchKey": "azurerm_container_group[positive2].ip_address_type", + "searchValue": "", + "expectedValue": "'ip_address_type' should be set to 'Private'", + "actualValue": "'ip_address_type' is defined to 'Public'" }, { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", "severity": "LOW", "line": 7, - "filename": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_container_group", + "resourceName": "cg-positive3", + "searchKey": "azurerm_container_group[positive3].ip_address_type", + "searchValue": "", + "expectedValue": "'ip_address_type' should be set to 'Private'", + "actualValue": "'ip_address_type' is defined to 'None'" }, { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", "severity": "LOW", - "line": 7, - "filename": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_container_group", + "resourceName": "cg-positive1", + "searchKey": "azurerm_container_group[positive1]", + "searchValue": "", + "expectedValue": "'ip_address_type' should be set to 'Private'", + "actualValue": "'ip_address_type' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json index a7af79fc475..a14a31a34f7 100644 --- a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Beta - Containers Without Soft Delete", "severity": "HIGH", - "line": 1 + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'", + "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'" }, { "queryName": "Beta - Containers Without Soft Delete", "severity": "HIGH", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].blob_properties.container_delete_retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null" }, { "queryName": "Beta - Containers Without Soft Delete", "severity": "HIGH", - "line": 32 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].blob_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json index e8c803b83b9..c0795748e77 100644 --- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cosmos DB Account Without Tags", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_cosmosdb_account", + "resourceName": "tfex-cosmos-db-${random_integer.ri.result}", + "searchKey": "azurerm_cosmosdb_account[positive1]", + "searchValue": "", + "expectedValue": "azurerm_cosmosdb_account[positive1].tags should be defined'", + "actualValue": "azurerm_cosmosdb_account[positive1].tags is undefined'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json index fedbf8ded29..55e88234f96 100644 --- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CosmosDB Account IP Range Filter Not Set", "severity": "CRITICAL", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_cosmosdb_account", + "resourceName": "example", + "searchKey": "azurerm_cosmosdb_account[positive1].ip_range_filter", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' should be set", + "actualValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json index 923c8c0a0e3..80d637ea683 100644 --- a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Dashboard Is Enabled", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' should be set to false or undefined", + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json index 187af373e28..48d2026cda3 100644 --- a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json @@ -2,31 +2,61 @@ { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 60, + "filename": "positive5.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "secure-databricks-ws", + "searchKey": "azurerm_databricks_workspace[example_pos5]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", + "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 36, - "fileName": "positive2.tf" + "line": 27, + "filename": "positive4.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "secure-databricks-ws", + "searchKey": "azurerm_databricks_workspace[example_pos4]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", + "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", "line": 73, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "secure-databricks-ws", + "searchKey": "azurerm_databricks_workspace[example_pos3]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", + "actualValue": "'azurerm_databricks_workspace' is associated with 4 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 1 category(s): 'notebook'" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 27, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "secure-databricks-ws", + "searchKey": "azurerm_databricks_workspace[example_pos1]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", + "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 60, - "fileName": "positive5.tf" + "line": 36, + "filename": "positive2.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "secure-databricks-ws", + "searchKey": "azurerm_databricks_workspace[example_pos2]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", + "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json index cc33fc2692e..1459e304643 100644 --- a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Databricks Workspace Using Default Virtual Network", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "example-dbw", + "searchKey": "azurerm_databricks_workspace[example_1]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[example_1].custom_parameters.virtual_network_id' should be defined and not empty", + "actualValue": "'azurerm_databricks_workspace[example_1].custom_parameters' is undefined or empty" }, { "queryName": "Beta - Databricks Workspace Using Default Virtual Network", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "example-dbw", + "searchKey": "azurerm_databricks_workspace[example_2].custom_parameters", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' should be defined and not null", + "actualValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json index 332b460e838..9e3a2781faa 100644 --- a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 1 + "line": 17, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "my-databricks-workspace", + "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 17 + "line": 27, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "my-databricks-workspace", + "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 27 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "my-databricks-workspace", + "searchKey": "azurerm_databricks_workspace[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null", + "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "my-databricks-workspace", + "searchKey": "azurerm_databricks_workspace[positive4]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' is undefined or null" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "azurerm_databricks_workspace", + "resourceName": "my-databricks-workspace", + "searchKey": "azurerm_databricks_workspace[positive5]", + "searchValue": "", + "expectedValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index eb2a0914d74..8acc99a4a49 100644 --- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 30, - "filename": "positive1.tf" + "line": 6, + "filename": "positive4.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4storageaccount", + "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled", + "searchValue": "", + "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", + "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 38, - "filename": "positive2.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3storageaccount", + "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled", + "searchValue": "", + "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", + "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'" }, - { + { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "fileName": "positive3.tf" + "line": 30, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1storageaccount", + "searchKey": "azurerm_storage_account[positive1].network_rules.default_action", + "searchValue": "", + "expectedValue": "azurerm_storage_account.network_rules.default_action should be set to 'Deny'", + "actualValue": "azurerm_storage_account.network_rules.default_action is set to 'Allow'" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 6, - "fileName": "positive4.tf" + "line": 38, + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2storageaccount", + "searchKey": "azurerm_storage_account_network_rules[positive2].default_action", + "searchValue": "", + "expectedValue": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'", + "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json index b1c5948ab12..a24a1d12c10 100644 --- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json @@ -2,43 +2,85 @@ { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 39, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 23, - "fileName": "positive2.tf" + "line": 18, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 39, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "diagnostic-settings-name", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json index 578e1f6b4c9..e9f875bcb95 100644 --- a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Beta - Disk Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_managed_disk", + "resourceName": "secure-vm-disk", + "searchKey": "azurerm_managed_disk[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_managed_disk[positive1]' should set a 'disk_encryption_set_id' or 'secure_vm_disk_encryption_set_id'", + "actualValue": "'azurerm_managed_disk[positive1]' does not set a disk encryption id field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json index 4c12200c167..ea1ef930a27 100644 --- a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Email Alerts Disabled", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "azurerm_security_center_contact", + "resourceName": "positive1", + "searchKey": "azurerm_security_center_contact[positive1].alert_notifications", + "searchValue": "", + "expectedValue": "'azurerm_security_center_contact.positive1.alert_notifications' should be true", + "actualValue": "'azurerm_security_center_contact.positive1.alert_notifications' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json index 22ca038752f..f663358fef8 100644 --- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 10 + "line": 44, + "filename": "positive.tf", + "resourceType": "azurerm_managed_disk", + "resourceName": "acctestmd", + "searchKey": "azurerm_managed_disk[positive4].encryption_settings", + "searchValue": "", + "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null", + "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]" }, { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "azurerm_managed_disk", + "resourceName": "acctestmd", + "searchKey": "azurerm_managed_disk[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_managed_disk[positive2].encryption_settings' should be defined and not null", + "actualValue": "'azurerm_managed_disk[positive2].encryption_settings' is undefined or null" }, { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 33 + "line": 10, + "filename": "positive.tf", + "resourceType": "azurerm_managed_disk", + "resourceName": "acctestmd", + "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled", + "searchValue": "", + "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true", + "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false" }, { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 44 + "line": 33, + "filename": "positive.tf", + "resourceType": "azurerm_managed_disk", + "resourceName": "acctestmd", + "searchKey": "azurerm_managed_disk[positive3].encryption_settings", + "searchValue": "", + "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null", + "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json index d4b428e8a74..1c0dacbaa22 100644 --- a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - File Share Without Soft Delete", "severity": "HIGH", - "line": 1 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null" }, { "queryName": "Beta - File Share Without Soft Delete", "severity": "HIGH", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json index 7e4bf7c151c..e747a7e1905 100644 --- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_redis_firewall_rule", + "resourceName": "someIPrange", + "searchKey": "azurerm_redis_firewall_rule[positive1].start_ip", + "searchValue": "", + "expectedValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' should allow no more than 255 hosts", + "actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json index fa06e87e1af..d8843239a74 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 39, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 26, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive2.tf" + "line": 52, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.tf" + "line": 25, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 39, - "fileName": "positive2.tf" + "line": 16, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 52, - "fileName": "positive2.tf" + "line": 39, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 68, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined", + "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.tf" + "line": 68, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 26, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 39, - "fileName": "positive3.tf" + "line": 26, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 68, - "fileName": "positive3.tf" + "line": 16, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json index 08a4877d02b..37f79457c24 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "Function App Client Certificates Unrequired", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].client_cert_mode", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'", + "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'" }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].client_cert_mode' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].client_cert_mode' is undefined or null" }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'", + "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'" }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null" }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].client_certificate_mode", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' should be set to 'Required'", + "actualValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' is not set to 'Required'" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 2853e315054..e5968afd266 100644 --- a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_windows_function_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", + "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" }, { "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_function_app_slot", + "resourceName": "example-linux-function-app-slot", + "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", + "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json index add34a22f4a..39787a060a1 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' is set to 'AllAllowed'" }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' is undefined or null" }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-3]'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' is undefined or null" }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' is set to 'AllAllowed'" }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' is set to 'AllAllowed'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json index d82199717ca..48fa88962f0 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 29, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.tf" - }, - { - "queryName": "Function App HTTP2 Disabled", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' is set to false" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 29, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null" + }, + { + "queryName": "Function App HTTP2 Disabled", + "severity": "MEDIUM", + "line": 14, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json index 260582022d7..9f6f7ca3b96 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1].identity' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1].identity' is undefined or null" }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2].identity' is undefined or null" }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3].identity' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index ba44ed4278c..f19f54b90d7 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -2,61 +2,121 @@ { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.tf" + "line": 21, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.tf" + "line": 31, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' is not defined" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.tf" + "line": 37, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-4]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.tf" + "line": 9, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 37, - "fileName": "positive2.tf" + "line": 21, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.tf" + "line": 31, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' is not defined" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 21, - "fileName": "positive3.tf" + "line": 37, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-4]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 31, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 37, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json index 46237c30c6e..85d13dda2c5 100644 --- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 2 + "line": 31, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", + "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false" }, { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 31 + "line": 2, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", + "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json index d7155771566..fdabadd4f83 100644 --- a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Key Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "generated-certificate", + "searchKey": "azurerm_key_vault_key[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json index 97bfb0544c9..516d2a36d59 100644 --- a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive1].purge_protection_enabled", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' field should be set to true", + "actualValue": "'purge_protection_enabled' is not set to true" }, { "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive2]", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' should be defined and set to true", + "actualValue": "'purge_protection_enabled' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json index ec725ac34b4..0739a212202 100644 --- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Key Vault Secrets Content Type Undefined", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_secret[positive].content_type' should be defined and not null", + "actualValue": "'azurerm_key_vault_secret[positive].content_type' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json index 4193e97f2e6..93a60fd1403 100644 --- a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive1-certificate", + "searchKey": "azurerm_key_vault_key[positive1].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive1].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive1].key_type' is set to 'RSA'" }, { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive2-certificate", + "searchKey": "azurerm_key_vault_key[positive2].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive2].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive2].key_type' is set to 'EC'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json index 4fdc0d7828c..e3faac5991c 100644 --- a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Kubernetes Cluster Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json index 96fbc631e30..ff08cc3c965 100644 --- a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 5 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 12 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 19 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json index 80f99405d25..521b01e54e4 100644 --- a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Logic App Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "example-logic-app", + "searchKey": "azurerm_logic_app_standard[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json index 0501fb48609..1c72a55b7d2 100644 --- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", "line": 16, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' should be set to false", + "actualValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' is not set to false" }, { "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' should be defined and not null", + "actualValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json index 8fd6749c698..36090bec04b 100644 --- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive1].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' should be set to true", + "actualValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' is set to false" }, { "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' should be defined and set to true", + "actualValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 73376a87e9c..91babeb91cd 100644 --- a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - MSSQL Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "example-resource", + "searchKey": "azurerm_mssql_server[positive1].minimum_tls_version", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined to '1.2'", + "actualValue": "'minimum_tls_version' is defined to '1.1'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json index fa15c8d1679..0d963602343 100644 --- a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "MSSQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive1.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "my-mssql-server", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" }, { "queryName": "MSSQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive1", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive1].disabled_alerts", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' should be empty", + "actualValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' is not empty" }, { "queryName": "MSSQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive2", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].state", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' should be enabled", + "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json index a44857a9524..89ab1f6d079 100644 --- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json @@ -3,13 +3,24 @@ "queryName": "MSSQL Server Public Network Access Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' should be defined and not null", + "actualValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' is undefined or null" }, { "queryName": "MSSQL Server Public Network Access Enabled", "severity": "HIGH", "line": 16, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive2].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' is set to true" } -] - +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json index e7f08b088ba..5431c4b09cf 100644 --- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "MySQL Server Public Access Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "example-mysqlserver", + "searchKey": "azurerm_mysql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' should be defined", + "actualValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' is undefined" }, { "queryName": "MySQL Server Public Access Enabled", "severity": "HIGH", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "example-mysqlserver", + "searchKey": "azurerm_mysql_server[positive2].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index 573fae9c01b..56b951271d6 100644 --- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "webflux-mysql-${var.environment}${random_integer.rnd_int.result}", + "searchKey": "azurerm_mysql_server[positive1].ssl_enforcement_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' should equal 'true'", + "actualValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' is equal 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json index 5f4588091b6..d13858fb296 100644 --- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Network Interfaces IP Forwarding Enabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_network_interface", + "resourceName": "example-nic", + "searchKey": "azurerm_network_interface[positive].enable_ip_forwarding", + "searchValue": "", + "expectedValue": "'azurerm_network_interface[positive].enable_ip_forwarding' should be set to false or undefined", + "actualValue": "'azurerm_network_interface[positive].enable_ip_forwarding' is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json index e0ea3ebc646..5303ec34f32 100644 --- a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Network Interfaces With Public IP", "severity": "MEDIUM", "line": 10, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_network_interface", + "resourceName": "example-nic", + "searchKey": "azurerm_network_interface[positive].ip_configuration.public_ip_address_id", + "searchValue": "", + "expectedValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' should be undefined", + "actualValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' is defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json index b287a8f30d5..eb6aace7d7e 100644 --- a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Network Watcher Flow Disabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive1", + "searchKey": "azurerm_network_watcher_flow_log[positive1].enable", + "searchValue": "", + "expectedValue": "azurerm_network_watcher_flow_log.enabled should be true", + "actualValue": "azurerm_network_watcher_flow_log.enabled is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index b35ff583b46..a407f8db2eb 100644 --- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_checkpoints", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_checkpoints", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_checkpoints", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json index abd85e253b5..b804c0729f8 100644 --- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_connections", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_connections", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_connections", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json index 067ff6d8970..3c28765b2aa 100644 --- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_disconnections", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_disconnections", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_disconnections", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json index 3863748c49d..23a63868c9c 100644 --- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_duration", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_duration", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_duration", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index f316f34f23f..517d31e5c16 100644 --- a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - PostgreSQL Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[negative2].minimum_tls_version", + "searchValue": "", + "expectedValue": "'ssl_minimal_tls_version_enforced' should be defined to 'TLS1_2'", + "actualValue": "'ssl_minimal_tls_version_enforced' is defined to 'TLS1_1'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json index ad6c13e0928..c00c73e4b7f 100644 --- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "PostgreSQL Server Infrastructure Encryption Disabled", "severity": "LOW", "line": 21, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive1].infrastructure_encryption_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' should be set to true", + "actualValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' is set to false" }, { "queryName": "PostgreSQL Server Infrastructure Encryption Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' should be defined and set to true", + "actualValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json index 14af965003f..a11538fcdcd 100644 --- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "PostgreSQL Server Threat Detection Policy Disabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object", + "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null" }, { "queryName": "PostgreSQL Server Threat Detection Policy Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 22, + "filename": "positive1.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true", + "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index 943c8a24cdc..a0d83f6a76f 100644 --- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "connection_throttling", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "connection_throttling", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "connection_throttling", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json index ea162bbcc22..0724deda635 100644 --- a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 28, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 43, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 48, - "fileName": "positive1.tf" - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 8, - "fileName": "positive2.tf" - } -] + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 43, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account_network_rules", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account_network_rules[positive3].ip_rules", + "searchValue": "", + "expectedValue": "ip_rules[0] should not contain 0.0.0.0/0", + "actualValue": "ip_rules[0] contains 0.0.0.0/0" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 48, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account_network_rules", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account_network_rules[positive4]", + "searchValue": "", + "expectedValue": "'ip_rules' should be defined and not null", + "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 28, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].network_rules", + "searchValue": "", + "expectedValue": "'network_rules.ip_rules' should be defined and not null", + "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 8, + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive5].allow_blob_public_access", + "searchValue": "", + "expectedValue": "'allow_blob_public_access' should be set to false or undefined", + "actualValue": "'allow_blob_public_access' is set to true" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 11, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules", + "searchValue": "", + "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0", + "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json index ebd333666de..9c866999cdf 100644 --- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json @@ -1,102 +1,242 @@ [ - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 8 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 22 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 36 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 50 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 64 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 78 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 92 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 106 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 120 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 134 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 153 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 165 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 177 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 189 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 201 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 213 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 225 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 237 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 249 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 261 - } + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 153, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 213, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 261, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 189, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive14", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 201, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive15", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 225, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 249, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 165, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 177, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive13", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 237, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389" + } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json index e36c55b3819..c659befe235 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 1 + "line": 16, + "filename": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true" }, { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 16 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json index 3a18b5b238f..867065cffd1 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 1 + "line": 16, + "filename": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].immutability", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'" }, { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 16 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json index e5d1b57eeb7..cf12c8fddb7 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Beta - Recovery Services Vault Without Soft Delete", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive].soft_delete_enabled", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' should not be set to false", + "actualValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index c06ca607b78..e6ad11a14f1 100644 --- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Redis Cache Allows Non SSL Connections", - "severity": "MEDIUM", - "line": 8 - } -] + { + "queryName": "Redis Cache Allows Non SSL Connections", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive1].enable_non_ssl_port", + "searchValue": "", + "expectedValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' should be set to false or undefined (false as default)", + "actualValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' is true" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json index 1aacb551ed4..383ff588558 100644 --- a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive2.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache-negative2", + "searchKey": "azurerm_redis_cache[positive2]", + "searchValue": "", + "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", + "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field" }, { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache-positive1", + "searchKey": "azurerm_redis_cache[positive1]", + "searchValue": "", + "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", + "actualValue": "'identity' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 3d4cbf732c2..c0a06065027 100644 --- a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive1].minimum_tls_version", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", + "actualValue": "'minimum_tls_version' is defined to '1.1'" }, { "queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive2]", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", + "actualValue": "'minimum_tls_version' is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json index 102713534e5..2f28393dba9 100644 --- a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Entirely Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_redis_firewall_rule", + "resourceName": "someIPrange", + "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", + "searchValue": "", + "expectedValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip should not equal to '0.0.0.0'", + "actualValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip are equal to '0.0.0.0'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json index 01189c2c454..86d4c053381 100644 --- a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Not Updated Regularly", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "timeout-redis", + "searchKey": "azurerm_redis_cache[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_redis_cache[positive1].patch_schedule' should be defined and not null", + "actualValue": "'azurerm_redis_cache[positive1].patch_schedule' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json index 9786674c7d7..69793b960f5 100644 --- a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Redis Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_redis_firewall_rule", + "resourceName": "someIPrange", + "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", + "searchValue": "", + "expectedValue": "'azurerm_redis_firewall_rule[positive2]' ip range should be private", + "actualValue": "'azurerm_redis_firewall_rule[positive2]' ip range is not private" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json index 4df38e6a9f5..0572c4dea96 100644 --- a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json @@ -2,157 +2,313 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 75, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf" + "line": 118, + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "pos_example", + "searchKey": "azurerm_windows_web_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf" + "line": 5, + "filename": "positive1.tf", + "resourceType": "azurerm_subscription", + "resourceName": "positive1_2", + "searchKey": "azurerm_subscription[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_subscription[positive1_2]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_subscription[positive1_2]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.tf" + "line": 41, + "filename": "positive2.tf", + "resourceType": "azurerm_cdn_frontdoor_profile", + "resourceName": "example-cdn-profile", + "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.tf" + "line": 173, + "filename": "positive2.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 29, - "filename": "positive2.tf" + "line": 158, + "filename": "positive2.tf", + "resourceType": "azurerm_eventhub_namespace", + "resourceName": "example-namespace", + "searchKey": "azurerm_eventhub_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 36, - "filename": "positive2.tf" + "line": 91, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 41, - "filename": "positive2.tf" + "line": 85, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_managed_instance", + "resourceName": "managedsqlinstance", + "searchKey": "azurerm_mssql_managed_instance[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 48, - "filename": "positive2.tf" + "line": 29, + "filename": "positive2.tf", + "resourceType": "azurerm_public_ip", + "resourceName": "acceptanceTestPublicIp1", + "searchKey": "azurerm_public_ip[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_public_ip[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_public_ip[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 53, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_subscription", + "resourceName": "positive1_1", + "searchKey": "azurerm_subscription[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 60, - "filename": "positive2.tf" + "line": 181, + "filename": "positive2.tf", + "resourceType": "azurerm_api_management", + "resourceName": "example-apim", + "searchKey": "azurerm_api_management[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 67, - "filename": "positive2.tf" + "line": 48, + "filename": "positive2.tf", + "resourceType": "azurerm_cdn_frontdoor_endpoint", + "resourceName": "example-endpoint", + "searchKey": "azurerm_cdn_frontdoor_endpoint[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 75, - "filename": "positive2.tf" + "line": 53, + "filename": "positive2.tf", + "resourceType": "azurerm_cdn_profile", + "resourceName": "exampleCdnProfile", + "searchKey": "azurerm_cdn_profile[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 85, - "filename": "positive2.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "example-keyvault", + "searchKey": "azurerm_key_vault[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 91, - "filename": "positive2.tf" + "line": 139, + "filename": "positive2.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-windows-function-app", + "searchKey": "azurerm_windows_function_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 101, - "filename": "positive2.tf" + "line": 60, + "filename": "positive2.tf", + "resourceType": "azurerm_cdn_endpoint", + "resourceName": "pos_example", + "searchKey": "azurerm_cdn_endpoint[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 109, - "filename": "positive2.tf" + "line": 23, + "filename": "positive2.tf", + "resourceType": "azurerm_lb", + "resourceName": "TestLoadBalancer", + "searchKey": "azurerm_lb[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 118, - "filename": "positive2.tf" + "line": 127, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-linux-function-app", + "searchKey": "azurerm_linux_function_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 127, - "filename": "positive2.tf" + "line": 109, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "pos_example", + "searchKey": "azurerm_linux_web_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 139, - "filename": "positive2.tf" + "line": 166, + "filename": "positive2.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 151, - "filename": "positive2.tf" + "line": 67, + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 158, - "filename": "positive2.tf" + "line": 101, + "filename": "positive2.tf", + "resourceType": "azurerm_cosmosdb_account", + "resourceName": "tfex-cosmos-db-${random_integer.ri.result}", + "searchKey": "azurerm_cosmosdb_account[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 166, - "filename": "positive2.tf" + "line": 15, + "filename": "positive2.tf", + "resourceType": "azurerm_firewall", + "resourceName": "testfirewall", + "searchKey": "azurerm_firewall[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 173, - "filename": "positive2.tf" + "line": 36, + "filename": "positive2.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "example-FrontDoor", + "searchKey": "azurerm_frontdoor[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 181, - "filename": "positive2.tf" + "line": 151, + "filename": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json index f1c73a909a0..a3e9ec8e4fa 100644 --- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Role Assignment Not Limit Guest User Permissions", "severity": "MEDIUM", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "00000000-0000-0000-0000-000000000000", + "searchKey": "azurerm_role_assignment[example].role_definition_id", + "searchValue": "", + "expectedValue": "azurerm_role_assignment[example].role_definition_id limits guest user permissions", + "actualValue": "azurerm_role_assignment[example].role_definition_id does not limit guest user permissions" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 023084640e8..875b65870a8 100644 --- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role", + "searchKey": "azurerm_role_definition[example].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation" }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role-definition", + "searchKey": "azurerm_role_definition[example2].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json index cfc5b5902ae..4cb2b292e08 100644 --- a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Secret Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json index d3bb1c8c36f..42168377f15 100644 --- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Security Center Pricing Tier Is Not Standard", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "azurerm_security_center_subscription_pricing", + "resourceName": "positive1", + "searchKey": "azurerm_security_center_subscription_pricing[positive1].tier", + "searchValue": "", + "expectedValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Standard'", + "actualValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Free'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json index 69e048d540b..b3e43cc4697 100644 --- a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Security Contact Email", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_security_center_contact", + "resourceName": "positive", + "searchKey": "azurerm_security_center_contact[positive]", + "searchValue": "", + "expectedValue": "'azurerm_security_center_contact[positive].email' should be defined and not null", + "actualValue": "'azurerm_security_center_contact[positive].email' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json index ed4b49e11b4..361a8d153a6 100644 --- a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 7 + "line": 21, + "filename": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive2].subnet.security_group", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", + "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 21 + "line": 7, + "filename": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive1].subnet", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", + "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 15e0b4e60c0..81a2ca62f3d 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,221 +2,529 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 8 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 78 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 106 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 896720bbcf2..a5524c7360f 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -2,221 +2,529 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 8 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 50 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 50 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 64 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 78 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 106 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 120 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 120 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 39b9174ff5a..0e4b4976e38 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -2,221 +2,529 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 8 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 64 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 78 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP:61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 106 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json index 2781952c731..3e6ea5582b5 100644 --- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 87, + "filename": "positive1.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "positive1_11-appgateway", + "searchKey": "azurerm_application_gateway[positive1_11]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.tf" + "line": 26, + "filename": "positive1.tf", + "resourceType": "azurerm_batch_account", + "resourceName": "testbatchaccount", + "searchKey": "azurerm_batch_account[positive1_4]", + "searchValue": "", + "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 17, - "fileName": "positive1.tf" + "line": 55, + "filename": "positive1.tf", + "resourceType": "azurerm_iothub", + "resourceName": "positive1_7-IoTHub", + "searchKey": "azurerm_iothub[positive1_7]", + "searchValue": "", + "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.tf" + "line": 17, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "positive1_3", + "searchKey": "azurerm_linux_web_app[positive1_3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 35, - "fileName": "positive1.tf" + "line": 99, + "filename": "positive1.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "positive1_12-logic-app", + "searchKey": "azurerm_logic_app_standard[positive1_12]", + "searchValue": "", + "expectedValue": "'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_6]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 55, - "fileName": "positive1.tf" + "line": 80, + "filename": "positive1.tf", + "resourceType": "azurerm_stream_analytics_job", + "resourceName": "positive1_10-job", + "searchKey": "azurerm_stream_analytics_job[positive1_10]", + "searchValue": "", + "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 66, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive1_2", + "searchKey": "azurerm_windows_web_app[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 73, - "fileName": "positive1.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "positive1_1-app-service", + "searchKey": "azurerm_app_service[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 80, - "fileName": "positive1.tf" + "line": 35, + "filename": "positive1.tf", + "resourceType": "azurerm_eventhub", + "resourceName": "acceptanceTestEventHub", + "searchKey": "azurerm_eventhub[positive1_5]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 87, - "fileName": "positive1.tf" + "line": 66, + "filename": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "positive1_8-resource", + "searchKey": "azurerm_search_service[positive1_8]", + "searchValue": "", + "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 99, - "fileName": "positive1.tf" + "line": 73, + "filename": "positive1.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[positive1_9]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_data_lake_analytics_account", + "resourceName": "${var.name}", + "searchKey": "azurerm_data_lake_analytics_account[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_data_lake_analytics_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_analytics_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_data_lake_store", + "resourceName": "consumptiondatalake", + "searchKey": "azurerm_data_lake_store[positive2_2]", + "searchValue": "", + "expectedValue": "'azurerm_data_lake_store' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_store' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json index 25015f4c442..1aae6129936 100644 --- a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' is less than 365 days or different than 0 (indefinitely)" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 41 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", + "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 64 + "line": 41, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", + "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json index 357ca0c6436..8b9c9a53413 100644 --- a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 10 + "line": 43, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive4", + "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'positive4.retention_policy' should be enabled)", + "actualValue": "'positive4.retention_policy' is disabled)" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive2", + "searchKey": "azurerm_network_watcher_flow_log[positive2].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive2.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [3])" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 27 + "line": 10, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive1", + "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [89])" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 43 + "line": 27, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive3", + "searchKey": "azurerm_network_watcher_flow_log[positive3]", + "searchValue": "", + "expectedValue": "'positive3.retention_policy' should exist)", + "actualValue": "'positive3.retention_policy' doesn't exist)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json index 904c4f524c5..9fb6d7673d3 100644 --- a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 7 + "line": 46, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 28 + "line": 66, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "sqlserver", + "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 46 + "line": 28, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 66 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", + "searchValue": "", + "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", + "actualValue": "extended_auditing_policy.retention_in_days is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json index ac111615ad6..36b5614214e 100644 --- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 11 + "line": 47, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 29 + "line": 67, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 47 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 6" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 67 + "line": 29, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json index 5bf802a4381..72fb759a8fb 100644 --- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Small PostgreSQL DB Server Log Retention Period", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention_days", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration[positive1].value' is greater than 3 and less than 8", + "actualValue": "'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json index f29978bdc55..4c9abb5934d 100644 --- a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 50 + "line": 34, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive4].threat_detection_policy.state", + "searchValue": "", + "expectedValue": "'threat_detection_policy.state' equal 'Enabled'", + "actualValue": "'threat_detection_policy.state' equal 'Disabled'" }, { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 34 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive5].threat_detection_policy", + "searchValue": "", + "expectedValue": "'threat_detection_policy' should exist", + "actualValue": "'threat_detection_policy' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json index 93f9af90d07..ad97f8258d8 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Beta - SQL Database Without Data Encryption", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[example].transparent_data_encryption_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' should be set to 'true'", + "actualValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' is set to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json index 829b77ac1d8..75ea3555180 100644 --- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", - "line": 1, - "fileName": "positive1.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive2", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false" }, { "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", - "line": 12, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive1", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' should be defined", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json index 558004dd187..88786df09c2 100644 --- a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "SQL Server Auditing Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_sql_server.positive1.extended_auditing_policy' should exist", + "actualValue": "'azurerm_sql_server.positive1.extended_auditing_policy' does not exist" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 7c1b06e5a73..23e5384994a 100644 --- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_mssql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mssql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "test-rule", + "searchKey": "azurerm_mariadb_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mariadb_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mariadb_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive4.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "example-fw", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive5.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive6.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_postgresql_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index f1a0a9de803..ca094f36ca7 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.tf", + "resourceType": "azurerm_sql_active_directory_administrator", + "resourceName": "positive3", + "searchKey": "azurerm_sql_active_directory_administrator[positive3].login", + "searchValue": "", + "expectedValue": "'azurerm_sql_active_directory_administrator[positive3].login' should not be empty'", + "actualValue": "'azurerm_sql_active_directory_administrator[positive3].login' is empty" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "azurerm_sql_active_directory_administrator", + "resourceName": "positive4", + "searchKey": "azurerm_sql_active_directory_administrator[positive4].login", + "searchValue": "", + "expectedValue": "'azurerm_sql_active_directory_administrator[positive4].login' should not be predictable'", + "actualValue": "'azurerm_sql_active_directory_administrator[positive4].login' is predictable" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index 6c2df2f3069..c70a25e5c41 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive3].administrator_login", + "searchValue": "", + "expectedValue": "'azurerm_sql_server[positive3].administrator_login' should not be empty'", + "actualValue": "'azurerm_sql_server[positive3].administrator_login' is empty" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 40 + "line": 40, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive4].administrator_login", + "searchValue": "", + "expectedValue": "'azurerm_sql_server[positive4].administrator_login' should not be predictable'", + "actualValue": "'azurerm_sql_server[positive4].administrator_login' is predictable" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json index 8c0a501291d..3786903bfd1 100644 --- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json @@ -2,101 +2,241 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 8 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 22 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 36 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 50 + "line": 153, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 64 + "line": 225, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 78 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 92 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 106 + "line": 237, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 120 + "line": 249, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 134 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 153 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 165 + "line": 165, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 177 + "line": 213, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 189 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 201 + "line": 177, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive13", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 213 + "line": 189, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive14", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 225 + "line": 201, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive15", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 237 + "line": 261, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 249 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 261 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index e62b1c19066..718cba9c4af 100644 --- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive1].ssl_enforcement_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' should equal 'true'", + "actualValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' is equal 'false'" }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive2].ssl_enforcement_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' should equal 'true'", + "actualValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 87ed2953656..89f1fab2e37 100644 --- a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example1", + "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example2", + "searchKey": "azurerm_storage_account[example2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example1", + "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example2", + "searchKey": "azurerm_storage_account[example2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json index 13b4ae0d843..afefea58f0c 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 32 + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].share_properties.smb", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' is undefined or null" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account[positive4].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 61 + "line": 61, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive5", + "searchKey": "azurerm_storage_account[positive5].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 75 + "line": 75, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive6", + "searchKey": "azurerm_storage_account[positive6].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index f58b0acc496..e10e07298fe 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Storage Account Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].min_tls_version' is 'TLS1_2'", + "actualValue": "'azurerm_storage_account[positive2].min_tls_version' is not 'TLS1_2'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json index b938673842c..a82d2f3eef8 100644 --- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 1 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 18 + "line": 31, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].share_properties.smb", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' is undefined or null" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 31 + "line": 46, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 46 + "line": 60, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive5", + "searchKey": "azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 60 + "line": 74, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive6", + "searchKey": "azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 74 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json index 232f7ba3365..6825db819a6 100644 --- a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1].cross_tenant_replication_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' should be set to false", + "actualValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json index 3aabd7181b9..5c5f08c4c33 100644 --- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 1 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'" }, { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 18 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json index 12468537f01..61dfca38b3b 100644 --- a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Storage Account Without CMK", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1_1] must be associated with a 'azurerm_storage_account_customer_managed_key' resource and the block 'customer_managed_key' should be set", + "actualValue": "'azurerm_storage_account[positive1_1] is not associated with a 'azurerm_storage_account_customer_managed_key' resource and the 'customer_managed_key' block is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 940bf434657..6e7250ccaaf 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 6, + "filename": "positive4.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos4]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos5]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos3]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", - "line": 6, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 680aa200d65..4dd402a0587 100644 --- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "azurerm_storage_container", + "resourceName": "vhds", + "searchKey": "azurerm_storage_container[positive1].container_access_type", + "searchValue": "", + "expectedValue": "'container_access_type' should equal to 'private'", + "actualValue": "'container_access_type' is not equal to 'private'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json index 61688033065..8b51c3de3a3 100644 --- a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Storage Share Allows All ACL Permissions", "severity": "MEDIUM", "line": 16, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_share", + "resourceName": "my-awesome-content.zip", + "searchKey": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions", + "searchValue": "", + "expectedValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions should not allow all ACL permissions", + "actualValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions allows all ACL permissions" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json index 533a2db0fd7..f3b56d753c9 100644 --- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Storage Table Allows All ACL Permissions", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_storage_table", + "resourceName": "my_table_name", + "searchKey": "azurerm_storage_table[table_resource].acl.permissions", + "searchValue": "", + "expectedValue": "azurerm_storage_table[table_resource].acl.permissions should not allow all ACL permissions", + "actualValue": "azurerm_storage_table[table_resource].acl.permissions allows all ACL permissions" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 923845f4cad..b7223da96ec 100644 --- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 8 + "line": 21, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].network_rules.bypass", + "searchValue": "", + "expectedValue": "'network_rules.bypass' should contain 'AzureServices'", + "actualValue": "'network_rules.bypass' does not contain 'AzureServices'" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account_network_rules", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account_network_rules[positive1].bypass", + "searchValue": "", + "expectedValue": "'bypass' should contain 'AzureServices'", + "actualValue": "'bypass' does not contain 'AzureServices'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json index 2bb3208cf1d..70522104494 100644 --- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json @@ -2,109 +2,217 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 19, - "fileName": "positive1.tf" + "line": 26, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive1.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 35, - "fileName": "positive1.tf" + "line": 19, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 19, - "fileName": "positive2.tf" + "line": 27, + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 26, - "fileName": "positive2.tf" + "line": 41, + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 33, - "fileName": "positive2.tf" + "line": 25, + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 25, - "fileName": "positive3.tf" + "line": 41, + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 33, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "positive5", + "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 41, - "fileName": "positive3.tf" + "line": 35, + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 24, - "fileName": "positive4.tf" + "line": 32, + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 32, - "fileName": "positive4.tf" + "line": 27, + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 41, - "fileName": "positive4.tf" + "line": 20, + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 20, - "fileName": "positive5.tf" + "line": 33, + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 27, - "fileName": "positive5.tf" + "line": 20, + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 35, - "fileName": "positive5.tf" + "line": 24, + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 20, - "fileName": "positive6.tf" + "line": 19, + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 27, - "fileName": "positive6.tf" + "line": 35, + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "positive5-legacy", + "searchKey": "azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive6.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json index 9201445fe72..3a14a4551a1 100644 --- a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive3", + "searchKey": "azurerm_role_assignment[positive3].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive6", + "searchKey": "azurerm_role_assignment[positive6].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive4.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive5", + "searchKey": "azurerm_role_assignment[positive5].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive4", + "searchKey": "azurerm_role_assignment[positive4].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive6.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json index 5b955eb3023..ad756c56662 100644 --- a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Vault Auditing Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "testvault", + "searchKey": "azurerm_key_vault[example1]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault' should be associated with 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json index e47a40f00a2..2a13f8bc1b5 100644 --- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Virtual Network with DDoS Protection Plan disabled", "severity": "LOW", "line": 18, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_network", + "resourceName": "virtualNetwork1", + "searchKey": "azurerm_virtual_network[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' should be defined and not null", + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' is undefined or null" }, { "queryName": "Virtual Network with DDoS Protection Plan disabled", "severity": "LOW", "line": 27, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_virtual_network", + "resourceName": "virtualNetwork1", + "searchKey": "azurerm_virtual_network[positive1].ddos_protection_plan.enable", + "searchValue": "", + "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' should be set to true", + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json index 344ed2f15ef..16edfac11ba 100644 --- a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "VM Not Attached To Network", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1].network_interface_ids", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list should not be empty", + "actualValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json index 2370f2b2431..25ff5885ca9 100644 --- a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 11 + "line": 24, + "filename": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive2].automatic_updates_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' is set to 'false'" }, { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 24 + "line": 37, + "filename": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive3-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'" }, { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 37 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json index 10913b2c611..f266775fdd2 100644 --- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json @@ -3,48 +3,96 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", - "line": 24, - "fileName": "positive1.tf" + "line": 20, + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive2.tf" + "line": 24, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' is set to 'true'" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive3.tf" + "line": 20, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' is set to 'true'" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive4.tf" + "line": 22, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json index e7c8041e0ee..7c597c26155 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" - }, - { - "queryName": "Beta - VM Without Admin SSH Public Key Set", - "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1].public_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0].public_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1].public_key' is undefined or null" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "example-vm", + "searchKey": "azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null" + }, + { + "queryName": "Beta - VM Without Admin SSH Public Key Set", + "severity": "MEDIUM", + "line": 40, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json index 96ca9c2ebfc..f56c6f08256 100644 --- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ + { + "queryName": "Beta - VM Without Encryption At Host", + "severity": "LOW", + "line": 20, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'" + }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' is undefined or null" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 24, - "fileName": "positive1.tf" + "line": 22, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' is undefined or null" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 20, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' is undefined or null" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 22, - "fileName": "positive3.tf" + "line": 24, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" - }, - { - "queryName": "Beta - VM Without Encryption At Host", - "severity": "LOW", - "line": 20, - "fileName": "positive4.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json index f38283bec56..93ca9d3dc58 100644 --- a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].storage_os_disk' should be defined and not null", + "actualValue": "'azurerm_virtual_machine[positive1].storage_os_disk' is undefined or null" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 21, - "filename": "positive1.tf" + "line": 34, + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", + "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 34, - "filename": "positive1.tf" + "line": 23, + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "vmss-premium-positive4_2", + "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 18, + "filename": "positive5.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' should be defined and not null", + "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 23, - "filename": "positive4.tf" + "line": 21, + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 18, - "filename": "positive5.tf" + "line": 10, + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "vmss-premium-positive4_1", + "searchKey": "azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' should not be set", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 16, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive6].storage_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive6].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", + "actualValue": "'azurerm_virtual_machine[positive6].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json index ed082b15181..d96c7a5700e 100644 --- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "WAF Is Disabled For Azure Application Gateway", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[positive1].waf_configuration.enabled", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is true", + "actualValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is false" }, { "queryName": "WAF Is Disabled For Azure Application Gateway", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[positive2]' should be set", + "actualValue": "'azurerm_application_gateway[positive2]' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json index a85ef677c82..7145270bf15 100644 --- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].https_only' should be set to true", + "actualValue": "'azurerm_app_service[positive1-1].https_only' is not set to true" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].https_only' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-2].https_only' is undefined" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].https_only' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].https_only' is not set to true" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].https_only' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-2].https_only' is undefined" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].https_only' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].https_only' is not set to true" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].https_only' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-2].https_only' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json index 7b122be2d1e..92c217ca658 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Databricks Autoscale Badly Setup", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" - }, - { - "queryName": "Databricks Autoscale Badly Setup", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" - } -] + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6, + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].autoscale", + "searchValue": "min_workers", + "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty", + "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'" + }, + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].autoscale", + "searchValue": "max_workers", + "expectedValue": "'databricks_cluster[positive1].autoscale.max_workers' should not be empty", + "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index aecb1ae2f97..a507859c6b4 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].aws_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive1].aws_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive1].aws_attributes.availability' is equal to 'SPOT'" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 13, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].aws_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' should not be equal to '0'", + "actualValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' is equal to '0'" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive3", + "searchKey": "databricks_cluster[positive3].aws_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' should present", + "actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 12, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive4", + "searchKey": "databricks_cluster[positive4].aws_attributes.zone_id", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive4].aws_attributes.zone_id' should be egal to 'auto'", + "actualValue": "'databricks_cluster[positive4].aws_attributes.zone_id' is not equal to 'auto'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index 088648d2169..ebdc206d407 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].azure_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive1].azure_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", - "line": 12, - "fileName": "positive2.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive3", + "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present", + "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", - "line": 10, - "fileName": "positive3.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].azure_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' should not be equal to '0'", + "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json index 25a6cb6b10d..456c8c9a43e 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Check Databricks Cluster GCP Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive", + "searchKey": "databricks_cluster[positive].gcp_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive].gcp_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive].gcp_attributes.availability' is equal to 'SPOT'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json index fa8ae3b3161..eec7fb48ceb 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 16, - "fileName": "positive1.tf" + "filename": "positive3.tf", + "resourceType": "databricks_permissions", + "resourceName": "positive3", + "searchKey": "databricks_permissions.[positive3]", + "searchValue": "", + "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", + "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", - "line": 12, - "fileName": "positive2.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "databricks_job", + "resourceName": "Featurization", + "searchKey": "databricks_job[positive1_error]", + "searchValue": "", + "expectedValue": "'databricks_job[positive1_error]' should have permissions", + "actualValue": "'databricks_job[positive1_error]' doesn't have permission associated" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", - "line": 16, - "fileName": "positive3.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2_error", + "searchKey": "databricks_cluster[positive2_error]", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2_error]' should have permissions", + "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 16, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "databricks_permissions", + "resourceName": "positive4", + "searchKey": "databricks_permissions.[positive4]", + "searchValue": "", + "expectedValue": "'databricks_permissions[positive4]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", + "actualValue": "'databricks_permissions[positive4]' have permission_level == 'IS_OWNER' without service_principal_name associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json index 0fadf818ea4..95d3fe2c25a 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Databricks Group Without User Or Instance Profile", - "severity": "LOW", - "line": 16, - "fileName": "positive1.tf" - }, - { - "queryName": "Databricks Group Without User Or Instance Profile", - "severity": "LOW", - "line": 14, - "fileName": "positive2.tf" - } -] + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_databricks_group", + "resourceName": "Some Group", + "searchKey": "databricks_group[positive_group_2]", + "searchValue": "", + "expectedValue": "aws_databricks_group[positive_group_2] should be associated with an databricks_group_member that has at least one user set", + "actualValue": "aws_databricks_group[positive_group_2] is not associated with an databricks_group_member that has at least one user set" + }, + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_databricks_group", + "resourceName": "my_group_name", + "searchKey": "databricks_group[positive_group2]", + "searchValue": "", + "expectedValue": "aws_databricks_group[positive_group2] should be associated with an databricks_group_member that has at least one user set", + "actualValue": "aws_databricks_group[positive_group2] is not associated with an databricks_group_member that has at least one user set" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json index cc134659b5a..b27290565ac 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Indefinitely Databricks OBO Token Lifetime", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Indefinitely Databricks OBO Token Lifetime", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "databricks_obo_token", + "resourceName": "positive", + "searchKey": "databricks_obo_token[positive]", + "searchValue": "", + "expectedValue": "'databricks_obo_token[positive]' should not have indefinitely lifetime", + "actualValue": "'databricks_obo_token[positive]' have an indefinitely lifetime" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json index 804551b008f..039e9ee6f61 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Indefinitely Databricks Token Lifetime", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Indefinitely Databricks Token Lifetime", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "databricks_token", + "resourceName": "positive", + "searchKey": "databricks_token[positive]", + "searchValue": "", + "expectedValue": "'databricks_token[positive]' should not have indefinitely lifetime", + "actualValue": "'databricks_token[positive]' have an indefinitely lifetime" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json index a70c25b0fd1..0c05d569d7c 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Unrestricted Databricks ACL", - "severity": "HIGH", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Unrestricted Databricks ACL", - "severity": "HIGH", - "line": 10, - "fileName": "positive2.tf" - } -] + { + "queryName": "Unrestricted Databricks ACL", + "severity": "HIGH", + "line": 10, + "filename": "positive1.tf", + "resourceType": "databricks_ip_access_list", + "resourceName": "positive1", + "searchKey": "databricks_ip_access_list[positive1].ip_addresses", + "searchValue": "", + "expectedValue": "'databricks_ip_access_list[positive1].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", + "actualValue": "'databricks_ip_access_list[positive1].ip_addresses' is equal to '0.0.0.0/0' or '::/0'" + }, + { + "queryName": "Unrestricted Databricks ACL", + "severity": "HIGH", + "line": 10, + "filename": "positive2.tf", + "resourceType": "databricks_ip_access_list", + "resourceName": "positive2", + "searchKey": "databricks_ip_access_list[positive2].ip_addresses", + "searchValue": "", + "expectedValue": "'databricks_ip_access_list[positive2].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", + "actualValue": "'databricks_ip_access_list[positive2].ip_addresses' is equal to '0.0.0.0/0' or '::/0'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json index 470a1b1b315..2cfe91a140a 100644 --- a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_spark_version", + "resourceName": "postive1_gpu_ml", + "searchKey": "databricks_spark_version[postive1_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[postive1_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[postive1_gpu_ml]' is not a LTS version'" }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive2_gpu_ml", + "searchKey": "databricks_spark_version[positive2_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[positive2_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[positive2_gpu_ml]' is not a LTS version'" }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive3_research", + "searchKey": "databricks_cluster[positive3_research].spark_version", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3_research].spark_version' should be a LTS version'", + "actualValue": "'databricks_cluster[positive3_research].spark_version' is not a LTS version'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 435ab8cd80c..0a5e783f5f8 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive1.tf" - }, - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.tf" - } -] + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 18, + "filename": "positive2.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'" + }, + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 36, + "filename": "positive1.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index 227af76ed82..31997baa8f5 100644 --- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "BigQuery Dataset Is Public", - "severity": "HIGH", - "line": 14 - } -] + { + "queryName": "BigQuery Dataset Is Public", + "severity": "HIGH", + "line": 14, + "filename": "positive.tf", + "resourceType": "google_bigquery_dataset", + "resourceName": "test", + "searchKey": "google_bigquery_dataset[positive1].access.special_group", + "searchValue": "", + "expectedValue": "'access.special_group' should not equal to 'allAuthenticatedUsers'", + "actualValue": "'access.special_group' is equal to 'allAuthenticatedUsers'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json index 2522abd8e3b..6bec3a60ffe 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json @@ -9,6 +9,5 @@ "descriptionID": "4f60da73", "cloudProvider": "gcp", "cwe": "778", - "riskScore": "3.0", - "experimental": "true" + "riskScore": "3.0" } diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json index 331cfe387e7..0f2ddcdfb0c 100755 --- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 10 - } -] + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.tf", + "resourceType": "google_dns_managed_zone", + "resourceName": "foobar", + "searchKey": "google_dns_managed_zone[positive1].dnssec_config.state", + "searchValue": "", + "expectedValue": "'dnssec_config.state' should equal to 'on'", + "actualValue": "'dnssec_config.state' is not equal to 'on'" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 37abd5f3a06..b765ddbb451 100644 --- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive1", + "searchKey": "google_storage_bucket_iam_binding[positive1].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive1].members' should not be null", + "actualValue": "'google_storage_bucket_iam_binding[positive1].members' is null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive2", + "searchKey": "google_storage_bucket_iam_binding[positive2].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive2].members' should not have 'allUsers'", + "actualValue": "'google_storage_bucket_iam_binding[positive2].members' has 'allUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive3", + "searchKey": "google_storage_bucket_iam_binding[positive3].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive3].members' should not have 'allAuthenticatedUsers'", + "actualValue": "'google_storage_bucket_iam_binding[positive3].members' has 'allAuthenticatedUsers'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json index e6f735ed5d3..e499b24b7fe 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "google_storage_bucket_iam_member", + "resourceName": "positive1", + "searchKey": "google_storage_bucket_iam_member[positive1].member", + "searchValue": "", + "expectedValue": "'member' not equal to 'allUsers' nor 'allAuthenticatedUsers'", + "actualValue": "'member' equal to 'allUsers'" }, { "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "google_storage_bucket_iam_member", + "resourceName": "positive2", + "searchKey": "google_storage_bucket_iam_member[positive2].members", + "searchValue": "", + "expectedValue": "None of the 'members' equal to 'allUsers' nor 'allAuthenticatedUsers'", + "actualValue": "One of the 'members' equal to 'allUsers' or 'allAuthenticatedUsers'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 01998d13ef7..cf8705c56d0 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "auto-expiring-bucket", + "searchKey": "google_storage_bucket[positive1]", + "searchValue": "", + "expectedValue": "'google_storage_bucket.logging' should be set", + "actualValue": "'google_storage_bucket.logging' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index af8d756621b..370ce45bc1f 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "foo", + "searchKey": "google_storage_bucket[positive1].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is false" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "foo", + "searchKey": "google_storage_bucket[positive2]", + "searchValue": "", + "expectedValue": "'versioning' should be defined and not null", + "actualValue": "'versioning' it undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json index 42d70de1c7a..6fd8e847f03 100644 --- a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'resource_labels' should be defined", + "actualValue": "Attribute 'resource_labels' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json index 58bbf39ea53..5879c64df16 100644 --- a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 1 + "line": 17, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "gke-network-policy-cluster", + "searchKey": "google_container_cluster[positive2].network_policy.enabled", + "searchValue": "", + "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'", + "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'" }, { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 17 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "gke-network-policy-cluster", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null", + "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json index 893e73a5d31..88694892264 100644 --- a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "COS Node Image Not Used", "severity": "LOW", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "primary-pool", + "searchKey": "google_container_node_pool[positive2].node_config.image_type", + "searchValue": "", + "expectedValue": "'node_config.image_type' should start with 'COS'", + "actualValue": "'node_config.image_type' does not start with 'COS'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json index db3426b9872..e4609576843 100644 --- a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf" + "line": 12, + "filename": "positive2.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null", + "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.tf" + "line": 12, + "filename": "positive3.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null", + "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null", + "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.tf" + "line": 22, + "filename": "positive1.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive2].disk_encryption_key", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null", + "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index e62c82567da..dd883e0e11a 100644 --- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "DNSSEC Using RSASHA1", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "google_dns_managed_zone", + "resourceName": "positive1", + "searchKey": "google_dns_managed_zone[positive1].dnssec_config.default_key_specs.algorithm", + "searchValue": "", + "expectedValue": "dnssec_config.default_key_specs.algorithm shouldn't be 'rsasha1'", + "actualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json index 7d7a85318de..f87b80b0aff 100644 --- a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive2", + "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive1", + "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive4", + "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive3", + "searchKey": "google_essential_contacts_contact[positive3].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json index aecabd2ef92..4efb3196258 100644 --- a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive2].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive4].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'EXTENDED'" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive3].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'RAPID'" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", - "line": 6, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel' block is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index d36000f3652..57435e11e34 100644 --- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "GKE Legacy Authorization Enabled", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].enable_legacy_abac", + "searchValue": "", + "expectedValue": "Attribute 'enable_legacy_abac' should be set to false", + "actualValue": "Attribute 'enable_legacy_abac' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json index e781a03f475..2bb7a5fb29b 100644 --- a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.tf" + "line": 8, + "filename": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive2].node_config.service_account", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default" }, { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.tf" + "line": 7, + "filename": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive1].node_config", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index 9366231c0bb..543a1a3435e 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Google Compute Network Using Default Firewall Rule", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" - } -] + { + "queryName": "Google Compute Network Using Default Firewall Rule", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a default firewall rule", + "actualValue": "'google_compute_network[positive1]' is using a default firewall rule" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index 6a20d45ece2..6a49d5cdbd4 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive.tf" - } -] + { + "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", + "severity": "MEDIUM", + "line": 17, + "filename": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to all ports", + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to all ports" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json index 0aca9fb3041..0d857e1adcd 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range", "severity": "LOW", "line": 17, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to port range", + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to port range" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index f00a4dda68f..75ca6b58cf9 100644 --- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_compute_ssl_policy", + "resourceName": "custom-ssl-policy", + "searchKey": "google_compute_ssl_policy[positive1].min_tls_version", + "searchValue": "", + "expectedValue": "google_compute_ssl_policy[positive1].min_tls_version should be TLS_1_2", + "actualValue": "google_compute_ssl_policy[positive1].min_tls_version is not TLS_1_2" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "google_compute_ssl_policy", + "resourceName": "custom-ssl-policy", + "searchKey": "google_compute_ssl_policy[positive2].min_tls_version", + "searchValue": "", + "expectedValue": "google_compute_ssl_policy[positive2].min_tls_version should be TLS_1_2", + "actualValue": "google_compute_ssl_policy[positive2].min_tls_version is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json index 22bb34d3a69..abb439a3ebc 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Google Compute Subnetwork Logging Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "log-test-subnetwork", + "searchKey": "google_compute_subnetwork[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive1].log_config' should be defined and not null", + "actualValue": "'google_compute_subnetwork[positive1].log_config' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 3f44181858e..5e20ebd5a35 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "test-subnetwork", + "searchKey": "google_compute_subnetwork[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive1].private_ip_google_access' should be defined and not null", + "actualValue": "'google_compute_subnetwork[positive1].private_ip_google_access' is undefined or null" }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "test-subnetwork", + "searchKey": "google_compute_subnetwork[positive2].private_ip_google_access", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive2].private_ip_google_access' should be set to true", + "actualValue": "'google_compute_subnetwork[positive2].private_ip_google_access' is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index c65451aec83..8ddf3fedd08 100644 --- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].management.auto_repair", + "searchValue": "", + "expectedValue": "google_container_node_pool[positive2].management.auto_repair should be true", + "actualValue": "google_container_node_pool[positive2].management.auto_repair is false" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive3].management", + "searchValue": "", + "expectedValue": "google_container_node_pool[positive3].management.auto_repair should be defined and not null", + "actualValue": "google_container_node_pool[positive3].management.auto_repair is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json index 437c9a69345..84306d8dd2f 100644 --- a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 1 + "line": 11, + "filename": "positive.tf", + "resourceType": "google_dns_policy", + "resourceName": "example-policy-2", + "searchKey": "google_dns_policy[example-policy-2].enable_logging", + "searchValue": "", + "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false" }, { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 11 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_dns_policy", + "resourceName": "example-policy", + "searchKey": "google_dns_policy[example-policy]", + "searchValue": "", + "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json index e3d8c46a398..f46a02d75a1 100644 --- a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Google Kubernetes Engine Cluster Has Alpha Features Enabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "pud-example-rg", + "searchKey": "google_container_cluster[positive].enable_kubernetes_alpha", + "searchValue": "", + "expectedValue": "'enable_kubernetes_alpha' should only be defined to 'false'", + "actualValue": "'enable_kubernetes_alpha' is defined to 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json index 20775ac6816..dfb5da09a24 100644 --- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "google_project", + "resourceName": "My Project", + "searchKey": "google_project[positive2]", + "searchValue": "", + "expectedValue": "google_project[positive2].auto_create_network should be set to false", + "actualValue": "google_project[positive2].auto_create_network is undefined" }, { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "google_project", + "resourceName": "My Project", + "searchKey": "google_project[positive1].auto_create_network", + "searchValue": "", + "expectedValue": "google_project[positive1].auto_create_network should be set to false", + "actualValue": "google_project[positive1].auto_create_network is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 9879c8c4b8b..40a38fc5e82 100644 --- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive1", + "searchKey": "google_project_iam_binding[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive1].role should not be Service Account Token Creator", + "actualValue": "google_project_iam_binding[positive1].role is Service Account Token Creator" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive2", + "searchKey": "google_project_iam_binding[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive2].role should not be Service Account Token Creator", + "actualValue": "google_project_iam_binding[positive2].role is Service Account Token Creator" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive3", + "searchKey": "google_project_iam_binding[positive3].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive3].role should not be Service Account User", + "actualValue": "google_project_iam_binding[positive3].role is Service Account User" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive4", + "searchKey": "google_project_iam_binding[positive4].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive4].role should not be Service Account User", + "actualValue": "google_project_iam_binding[positive4].role is Service Account User" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json index 74849105787..1ef4e26e886 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive1", + "searchKey": "google_project_iam_member[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive1].role should not be admin", + "actualValue": "google_project_iam_member[positive1].role is admin" }, { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive2", + "searchKey": "google_project_iam_member[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive2].role should not be admin", + "actualValue": "google_project_iam_member[positive2].role is admin" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 1c8cd5e2d32..4f5b136e606 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive1", + "searchKey": "google_project_iam_member[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive1].role should be Service Account Token Creator", + "actualValue": "google_project_iam_member[positive1].role is not Service Account Token Creator" }, { "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive2", + "searchKey": "google_project_iam_member[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive2].role should be Service Account User", + "actualValue": "google_project_iam_member[positive2].role is not Service Account User" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json index dfbb79594bf..1e0c6561458 100644 --- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Google Storage Bucket Level Access Disabled", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "image-store.com", + "searchKey": "google_storage_bucket[positive1].uniform_bucket_level_access", + "searchValue": "", + "expectedValue": "google_storage_bucket[positive1].uniform_bucket_level_access should be true", + "actualValue": "google_storage_bucket[positive1].uniform_bucket_level_access is false" }, { "queryName": "Google Storage Bucket Level Access Disabled", "severity": "HIGH", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "image-store.com", + "searchKey": "google_storage_bucket[positive2]", + "searchValue": "", + "expectedValue": "google_storage_bucket[positive2].uniform_bucket_level_access should be defined and not null", + "actualValue": "google_storage_bucket[positive2].uniform_bucket_level_access is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 748598a9f3a..5b59125a37e 100644 --- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "google_kms_crypto_key", + "resourceName": "crypto-key-example", + "searchKey": "google_kms_crypto_key[positive1].rotation_period", + "searchValue": "", + "expectedValue": "'google_kms_crypto_key.rotation_period' should be less or equal to 7776000", + "actualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000" }, { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "google_kms_crypto_key", + "resourceName": "crypto-key-example", + "searchKey": "google_kms_crypto_key[positive2]", + "searchValue": "", + "expectedValue": "'google_kms_crypto_key.rotation_period' should be defined with a value less or equal to 7776000", + "actualValue": "'google_kms_crypto_key.rotation_period' is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json index c22fd7d0919..fcfb8e6aafb 100644 --- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 3 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive1", + "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members", + "searchValue": "", + "expectedValue": "'exempted_members' should be empty", + "actualValue": "'exempted_members' is not empty" }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 9 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive2", + "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.exempted_members", + "searchValue": "", + "expectedValue": "'exempted_members' should be empty", + "actualValue": "'exempted_members' is not empty" }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive2", + "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.log_type", + "searchValue": "", + "expectedValue": "'log_type' must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'", + "actualValue": "'log_type' is INVALID_TYPE" }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 23 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive1", + "searchKey": "google_project_iam_audit_config[positive1].service", + "searchValue": "", + "expectedValue": "'service' must be 'allServices'", + "actualValue": "'service' is 'some_specific_service'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 7aeca99b89a..0bd0d745b71 100644 --- a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 2 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'ip_allocation_policy' should be defined", + "actualValue": "Attribute 'ip_allocation_policy' is undefined" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 13 + "line": 2, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined", + "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 26 + "line": 26, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3]", + "searchValue": "", + "expectedValue": "Attribute 'networking_mode' should be VPC_NATIVE", + "actualValue": "Attribute 'networking_mode' is ROUTES" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json index e88a3bf1ab4..90192b2d63d 100644 --- a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "IP Forwarding Enabled", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver].can_ip_forward", + "searchValue": "", + "expectedValue": "Attribute 'can_ip_forward' should be set to false or Attribute 'can_ip_forward' should be undefined", + "actualValue": "Attribute 'can_ip_forward' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json index e42c4e728af..ab4e384dc9d 100644 --- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "KMS Admin and CryptoKey Roles In Use", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_project_iam_policy", + "resourceName": "positive1", + "searchKey": "google_project_iam_policy[positive1].policy_data", + "searchValue": "", + "expectedValue": "google_iam_policy[positive1].policy_data should not assign a KMS admin role and CryptoKey role to the same member", + "actualValue": "google_iam_policy[positive1].policy_data assigns a KMS admin role and CryptoKey role to the same member" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json index ae82865f667..b166ad9aa63 100644 --- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "KMS Crypto Key is Publicly Accessible", "severity": "HIGH", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_kms_crypto_key_iam_policy", + "resourceName": "positive1", + "searchKey": "google_kms_crypto_key_iam_policy[positive1].policy_data", + "searchValue": "", + "expectedValue": "KMS crypto key should not be publicly accessible", + "actualValue": "KMS crypto key is publicly accessible" }, { "queryName": "KMS Crypto Key is Publicly Accessible", "severity": "HIGH", "line": 24, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "google_kms_crypto_key_iam_policy", + "resourceName": "positive2", + "searchKey": "google_kms_crypto_key_iam_policy[positive2].policy_data", + "searchValue": "", + "expectedValue": "KMS crypto key should not be publicly accessible", + "actualValue": "KMS crypto key is publicly accessible" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json index caebb0a4b0c..8cc2e1d1cab 100644 --- a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "filename": "positive4.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3].addons_config", + "searchValue": "", + "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", + "actualValue": "'kubernetes_dashboard' is not defined inside the 'addons_config_version' block" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", + "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 9, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json index c979a788738..8e58a8d4ee0 100644 --- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Legacy Client Certificate Auth Enabled", "severity": "LOW", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].master_auth", + "searchValue": "", + "expectedValue": "If 'master_auth' is defined, subattribute 'client_certificate_config' should be defined", + "actualValue": "Attribute 'client_certificate_config' in 'master_auth' is undefined" }, { "queryName": "Legacy Client Certificate Auth Enabled", "severity": "LOW", "line": 24, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].master_auth.client_certificate_config.issue_client_certificate", + "searchValue": "", + "expectedValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' should be false", + "actualValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json index 5bac758f86c..aa4129767ec 100644 --- a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_compute_network", + "resourceName": "vpc-legacy", + "searchKey": "google_compute_network[vpc_network_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "google_compute_network", + "resourceName": "vpc-legacy", + "searchKey": "google_compute_network[vpc_network_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 14, - "fileName": "positive3.tf" + "line": 12, + "filename": "positive5.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.tf" + "line": 14, + "filename": "positive3.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.tf" + "filename": "positive6.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 12, - "fileName": "positive6.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json index 31f830c43f3..25688424051 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json @@ -3,66 +3,132 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive11.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 7, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "filename": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "filename": "positive6.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive8.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive10.tf" + "filename": "positive10.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive11.tf" + "line": 7, + "filename": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json index 9e27031c977..7b3cc49e33b 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", - "line": 13, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 13, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive5.tf" + "line": 13, + "filename": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change_1", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "filename": "positive6.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "filename": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json index 3b5d13ac9cb..358d761fe21 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json @@ -3,84 +3,168 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive12.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not_remove", + "searchKey": "google_logging_metric[positive9].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 14, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 14, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive13.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "filename": "positive11.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "filename": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not", + "searchKey": "google_logging_metric[positive8].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive8.tf" + "line": 14, + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive10.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive10.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 1, - "fileName": "positive11.tf" + "line": 14, + "filename": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive12.tf" + "filename": "positive14.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive13.tf" + "filename": "positive6.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive14.tf" + "filename": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json index ff7d73107ec..f9f17ff6580 100644 --- a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 2 + "line": 16, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 16 + "line": 30, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 30 + "line": 86, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", + "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 48 + "line": 63, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].network_policy.enabled", + "searchValue": "", + "expectedValue": "Attribute 'network_policy.enabled' should be true", + "actualValue": "Attribute 'network_policy.enabled' is false" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 63 + "line": 48, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].addons_config", + "searchValue": "", + "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined", + "actualValue": "Attribute 'addons_config.network_policy_config' is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 86 + "line": 2, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 6f474f0d075..3c008f11ade 100644 --- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 1 + "line": 19, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].management", + "searchValue": "", + "expectedValue": "management.auto_upgrade should be defined and not null", + "actualValue": "management.auto_upgrade is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 19 + "line": 36, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive3].management.auto_upgrade", + "searchValue": "", + "expectedValue": "management.auto_upgrade should be true", + "actualValue": "management.auto_upgrade is false" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 36 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive1]", + "searchValue": "", + "expectedValue": "google_container_node_pool.management should be defined and not null", + "actualValue": "google_container_node_pool.management is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json index ef78f29a1c7..75f93b0726a 100644 --- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Not Proper Email Account In Use", "severity": "LOW", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive1", + "searchKey": "google_project_iam_binding[positive1].members.user:jane@gmail.com", + "searchValue": "", + "expectedValue": "'members' cannot contain Gmail account addresses", + "actualValue": "'members' has email address: user:jane@gmail.com" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json index f8e4466defc..591b6328cdb 100644 --- a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "OSLogin Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive1", + "searchKey": "google_compute_project_metadata[positive1].metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] should be true", + "actualValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] is false" }, { "queryName": "OSLogin Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive2", + "searchKey": "google_compute_project_metadata[positive2].metadata", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] should be true", + "actualValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json index 901a453aacf..2cd77f1f7f5 100644 --- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "OSLogin Is Disabled For VM Instance", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.enable-oslogin should be true or undefined", + "actualValue": "google_compute_instance[positive1].metadata.enable-oslogin is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json index 94ec761d1b6..9c8f7a90535 100644 --- a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Outdated GKE Version", "severity": "LOW", "line": 2, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", + "actualValue": "GKE is using outated versions on min_master_version or node_version" }, { "queryName": "Outdated GKE Version", "severity": "LOW", "line": 25, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", + "actualValue": "GKE is using outated versions on min_master_version or node_version" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json index bcfcc520208..a88b492b6f2 100644 --- a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 2 + "line": 18, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", + "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false" }, { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 18 + "line": 2, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'pod_security_policy_config' should be defined", + "actualValue": "Attribute 'pod_security_policy_config' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json index c7baabbd4f9..1b2af48abe7 100644 --- a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 1 + "line": 30, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 16 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 30 + "line": 58, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 44 + "line": 73, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive6].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 58 + "line": 88, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive7].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 73 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config' should be defined and not null", + "actualValue": "Attribute 'private_cluster_config' is undefined or null" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 88 + "line": 16, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index a808b73efe3..c2e18dab666 100644 --- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 29 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 39 - } -] + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 29, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.block-project-ssh-keys", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys should be true", + "actualValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys is false" + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 39, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive2]", + "searchValue": "", + "expectedValue": "google_compute_instance[positive2].metadata should be set", + "actualValue": "google_compute_instance[positive2].metadata is undefined" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 4f41a4dff84..ac8e4bad842 100644 --- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive1].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive1].allow.ports' includes RDP port 3389" }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 25 + "line": 25, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive2].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive2].allow.ports' includes RDP port 3389" }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive3].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive3].allow.ports' includes RDP port 3389" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json index e27bdc8039a..8e1b4304746 100644 --- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json @@ -2,37 +2,73 @@ { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.tf" + "line": 10, + "filename": "positive3.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[0].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.tf" + "line": 9, + "filename": "positive4.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "project1", + "searchKey": "google_project_iam_binding[project1].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[project1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_project_iam_binding[project1].role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", - "line": 3, - "fileName": "positive4.tf" + "line": 18, + "filename": "positive2.tf", + "resourceType": "google_project_iam_member", + "resourceName": "project2", + "searchKey": "google_project_iam_member[project2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[project2].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_project_iam_member[project2].role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding.role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json index 5a5da1c5c11..ec52c83ebc2 100644 --- a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].node_config.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'" }, { "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].node_config.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json index 220d7612bc8..1edc3f22f57 100644 --- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Shielded GKE Nodes Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[false].enable_shielded_nodes", + "searchValue": "", + "expectedValue": "google_container_cluster.enable_shielded_nodes should be set to true", + "actualValue": "google_container_cluster.enable_shielded_nodes is set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json index 79d4d0df9eb..c2c8ee42ed0 100644 --- a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -2,36 +2,85 @@ { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 2 + "line": 49, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 10 + "line": 2, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver1]", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config' should be defined and not null", + "actualValue": "Attribute 'shielded_instance_config' is undefined or null" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 19 + "line": 10, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver2].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 28 + "line": 28, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver4].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 38 + "line": 19, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver3].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 49 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 60 + "line": 38, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 393569dc81e..7090be1140b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 6 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "settings.backup_configuration.enabled should be true", + "actualValue": "settings.backup_configuration.enabled is false" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 18 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "settings.backup_configuration should be defined and not null", + "actualValue": "settings.backup_configuration is undefined or null" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 31 + "line": 18, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive2].settings.backup_configuration", + "searchValue": "", + "expectedValue": "settings.backup_configuration.enabled should be defined and not null", + "actualValue": "settings.backup_configuration.enabled is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 2806d2b8c15..33cf3a2f375 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 6 + "line": 56, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration", + "searchValue": "", + "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", + "actualValue": "'private_network' is not defined when there are no authorized networks" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 24 + "line": 24, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-2", + "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration.authorized_networks.value=0.0.0.0/0", + "searchValue": "", + "expectedValue": "'authorized_network' address should be trusted", + "actualValue": "'authorized_network' address is not restricted: '0.0.0.0/0'" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.ipv4_enabled", + "searchValue": "", + "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", + "actualValue": "'ipv4_enabled' is enabled when there are no authorized networks" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 56 + "line": 6, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "'ip_configuration' should be defined and allow only trusted networks", + "actualValue": "'ip_configuration' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json index 420abab1a70..01eb85d321a 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Contained Database Authentication", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'contained database authentication' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'contained database authentication' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Contained Database Authentication", "severity": "HIGH", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'contained database authentication' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'contained database authentication' to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json index e6bd2e4af21..09c0fb85dab 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'skip_show_database'" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'skip_show_database' to 'off'" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'skip_show_database' to 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json index 02d611da5aa..6c3d7f35c0e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 1 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 14 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 23 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 42 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 60 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set '3625'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json index 207109252b2..7af09017f05 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'external scripts enabled' to 'on'" }, { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'external scripts enabled' to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json index b435c637f0e..7fbd0a41efc 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 13 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'" }, { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 31 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json index 169c9cccca4..2adfedd5499 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user connections' to '1001'" }, { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user connections' to '1000'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 162410cf2b9..4bf1b9faefb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 1 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 14 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 23 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 42 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'local_infile'" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 60 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json index 3838bb1e30e..006197a5e63 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_duration_statement' to '2'" }, { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_duration_statement' to '3'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json index 794a4aa3bf3..99744d70d9b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 13 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 31 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json index 65ddff52d04..98870452457 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 1 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 14 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'remote access'" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 23 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'remote access' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 42 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 60 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 842962c52cb..d2841da72e8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 9 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive3", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be true", + "actualValue": "'settings.ip_configuration.require_ssl' is false" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive1", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "'settings.ip_configuration' should be defined and not null", + "actualValue": "'settings.ip_configuration' is undefined or null" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 44 + "line": 24, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive2", + "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", + "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json index d80d2459e37..fd09f3081ee 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_error_statement' to 'NOTICE'" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG5'" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG4'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index 970ae9b2077..baeef356b57 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_messages' to 'NOTICE'" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_messages' to 'DEBUG5'" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_messages' to 'INFO'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json index 097504c3cca..c45513f8add 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'cloudsql.enable_pgaudit'" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json index 35ce66f2aee..e025e9d4173 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 1 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 14 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 23 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 42 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 60 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json index bc25ddc5352..020d920de67 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 1 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 14 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 23 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 42 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_disconnections'" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 60 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 20101062af0..cae0f257390 100644 --- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive1].allow.ports=22", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include SSH port 22", + "actualValue": "'google_compute_firewall[positive1].allow.ports' includes SSH port 22" }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive2].allow.ports=21-3390", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include SSH port 22", + "actualValue": "'google_compute_firewall[positive2].allow.ports' includes SSH port 22" }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive3].allow.ports=0-65535", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include SSH port 22", + "actualValue": "'google_compute_firewall[positive3].allow.ports' includes SSH port 22" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 6977ed3614c..aff6e9447d2 100644 --- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" + "line": 18, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].logging_service", + "searchValue": "", + "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", + "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive.tf" + "line": 6, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].logging_service", + "searchValue": "", + "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", + "actualValue": "Attribute 'logging_service' is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index c36541dc9e3..1c08eb0cfa0 100644 --- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" + "line": 18, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].monitoring_service", + "searchValue": "", + "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", + "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive.tf" + "line": 6, + "filename": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].monitoring_service", + "searchValue": "", + "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", + "actualValue": "Attribute 'monitoring_service' is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json index aeb24e47caa..a6616936da0 100644 --- a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "User with IAM Role", "severity": "LOW", "line": 3, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive2", + "searchKey": "google_project_iam_binding[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive2].role should not be set", + "actualValue": "google_project_iam_binding[positive2].role is set" }, { "queryName": "User with IAM Role", "severity": "LOW", - "line": 3, - "fileName": "positive2.tf" + "line": 18, + "filename": "positive2.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive3", + "searchKey": "google_project_iam_member[positive3].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive3].role should not be set", + "actualValue": "google_project_iam_member[positive3].role is set" }, { "queryName": "User with IAM Role", "severity": "LOW", - "line": 18, - "fileName": "positive2.tf" + "line": 3, + "filename": "positive1.tf", + "resourceType": "google_iam_policy", + "resourceName": "positive", + "searchKey": "google_iam_policy[positive].binding.role", + "searchValue": "", + "expectedValue": "google_iam_policy[positive].binding.role should not be set", + "actualValue": "google_iam_policy[positive].binding.role is set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json index 1b71e217068..afdce40ce30 100644 --- a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json @@ -1,27 +1,62 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 46 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 73 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 100 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 127 - } -] + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 73, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive3].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", + "actualValue": "'google_compute_instance[positive3].service_account.email' is empty" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 100, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive4].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", + "actualValue": "'google_compute_instance[positive4].service_account.email' is an email" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 127, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive5].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", + "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", + "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 46, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive2].service_account", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", + "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json index ff4d783bffd..c9f380ae5ce 100644 --- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json @@ -1,17 +1,38 @@ [ - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 26 - }, - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 38 - }, - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 44 - } -] + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 44, + "filename": "positive.tf", + "resourceType": "google_compute_project_metadata_item", + "resourceName": "positive3", + "searchKey": "google_compute_project_metadata_item[positive3].value", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive3].value should be set to false", + "actualValue": "google_compute_project_metadata[positive3].value is true" + }, + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 26, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.serial-port-enable should be set to false or undefined", + "actualValue": "google_compute_instance[positive1].metadata.serial-port-enable is true" + }, + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 38, + "filename": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive2", + "searchKey": "google_compute_project_metadata[positive2].metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable should be set to false or undefined", + "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index ccabae58b6c..5dcd78396d1 100644 --- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "VM With Full Cloud Access", "severity": "MEDIUM", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].service_account.scopes", + "searchValue": "", + "expectedValue": "'service_account.scopes' should not contain 'cloud-platform'", + "actualValue": "'service_account.scopes' contains 'cloud-platform'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json index 8aa4d1411b4..6ffadfb72dc 100644 --- a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json +++ b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Generic Git Module Without Revision", "severity": "INFO", "line": 8, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module.{{acm}}.source", + "searchValue": "", + "expectedValue": "Module 'source' field should have a reference", + "actualValue": "Module 'source' field does not have reference" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json index d0bdb653511..7a60a1b3e9f 100644 --- a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json +++ b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Name Is Not Snake Case", "severity": "INFO", - "line": 7, - "filename": "positive1.tf" + "line": 14, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module.ACMPositive2", + "searchValue": "", + "expectedValue": "All names should be on snake case pattern", + "actualValue": "'ACMPositive2' is not in snake case" }, { "queryName": "Name Is Not Snake Case", "severity": "INFO", - "line": 14, - "filename": "positive2.tf" + "line": 7, + "filename": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "positiveExample", + "searchKey": "resource.aws_eks_cluster.positiveExample", + "searchValue": "", + "expectedValue": "All names should be on snake case pattern", + "actualValue": "'positiveExample' is not in snake case" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json index 3e3b2d3dd02..18140773c0c 100644 --- a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Output Without Description", "severity": "INFO", - "line": 1, - "filename": "positive1.tf" + "line": 3, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" }, { "queryName": "Output Without Description", "severity": "INFO", - "line": 3, - "filename": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json index 258a22c6d70..42ab5c21164 100644 --- a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Variable Without Description", "severity": "INFO", - "line": 1, - "filename": "positive1.tf" + "line": 4, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" }, { "queryName": "Variable Without Description", "severity": "INFO", - "line": 4, - "filename": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null" }, { "queryName": "Variable Without Description", "severity": "INFO", "line": 4, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json index 23a84ef45c7..3e75f724027 100644 --- a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json @@ -2,19 +2,37 @@ { "queryName": "Variable Without Type", "severity": "INFO", - "line": 1, - "filename": "positive1.tf" + "line": 3, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty" }, { "queryName": "Variable Without Type", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty" }, { "queryName": "Variable Without Type", "severity": "INFO", - "line": 3, - "filename": "positive3.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'type' should be defined and not null", + "actualValue": "'type' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json index 6805a9ad4ae..6fa0c3ad331 100644 --- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Github Organization Webhook With SSL Disabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "github_organization_webhook", + "resourceName": "web", + "searchKey": "github_organization_webhook[positive1].configuration.insecure_ssl", + "searchValue": "", + "expectedValue": "github_organization_webhook[positive1].configuration.insecure_ssl should be set to false", + "actualValue": "github_organization_webhook[positive1].configuration.insecure_ssl is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json index 31ec489c64d..b8b60880450 100644 --- a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 1 + "line": 15, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive2].private", + "searchValue": "", + "expectedValue": "Attribute 'private' should be true", + "actualValue": "Attribute 'private' is false" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 15 + "line": 28, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive3].visibility", + "searchValue": "", + "expectedValue": "Attribute 'visibility' should be 'private'", + "actualValue": "Attribute 'visibility' is 'public'" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 28 + "line": 1, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", + "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index b65157cbf48..402f65437b2 100644 --- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Cluster Admin Rolebinding With Superuser Permissions", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role_binding", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role_binding[example2].role_ref.name", + "searchValue": "", + "expectedValue": "Resource name 'example2' isn't binding 'cluster-admin' role with superuser permissions", + "actualValue": "Resource name 'example2' is binding 'cluster-admin' role with superuser permissions" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index d60af26b460..09af88ddfc2 100644 --- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls should be undefined", + "actualValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls is set" }, { "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.security_context.sysctl", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name should not have an unsafe sysctl", + "actualValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name has an unsafe sysctl" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json index a17728b6472..8d97436071f 100644 --- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Container Host Pid Is True", - "severity": "MEDIUM", - "line": 8 - } -] + { + "queryName": "Container Host Pid Is True", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.host_pid", + "searchValue": "", + "expectedValue": "Attribute 'host_pid' should be undefined or false", + "actualValue": "Attribute 'host_pid' is true" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json index 5f763d57597..b719a87f01f 100644 --- a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged is set to true" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged is set to true" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 108 + "line": 108, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.privileged should not be set to true", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.privileged is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json index 4b76be95a1c..76c50ff5100 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 8 + "line": 224, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 42 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 106 + "line": 42, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 167 + "line": 106, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.resources", + "searchValue": "requests", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources.requests is undefined" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 224 + "line": 167, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json index 5476f5249cd..42b11726037 100644 --- a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_proc_mount_types", + "searchValue": "", + "expectedValue": "allowed_proc_mount_types should contain the value Default", + "actualValue": "allowed_proc_mount_types contains the value Unmasked" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json index e0511da2eca..08044c3a68a 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 14 + "line": 110, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", + "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set" }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 49 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add is set" }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 110 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json index 1431edfff6d..79cc5427ae9 100644 --- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add has 'SYS_ADMIN'" }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 49 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add has 'SYS_ADMIN'" }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 110 + "line": 110, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add has 'SYS_ADMIN'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json index b7b26baf05f..fbbf2b2a3e4 100644 --- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 8 + "line": 192, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 41 + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 80 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 134 + "line": 41, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 192 + "line": 80, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu is undefined" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 249 + "line": 134, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json index 49ffaaccfbb..e1ecd1d747e 100644 --- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu is undefined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 77 + "line": 77, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu is undefined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 192 + "line": 192, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.requests is undefined" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 258 + "line": 258, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json index 7c8db3abbdc..8583640db19 100644 --- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "CronJob Deadline Not Configured", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo].spec", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds should be set", + "actualValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json index d4612a934f1..265cd82d5ad 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 1 + "line": 12, + "filename": "positive.tf", + "resourceType": "kubernetes_service_account", + "resourceName": "default", + "searchKey": "kubernetes_service_account[example2].automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false", + "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false" }, { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 12 + "line": 1, + "filename": "positive.tf", + "resourceType": "kubernetes_service_account", + "resourceName": "default", + "searchKey": "kubernetes_service_account[example]", + "searchValue": "", + "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set", + "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 403b8010754..f196ec5cdd5 100644 --- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -2,25 +2,49 @@ { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 25, - "fileName": "positive1.tf" + "line": 28, + "filename": "positive3.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", + "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 26, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example2].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity should be set", + "actualValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity is undefined" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 28, - "fileName": "positive3.tf" + "line": 33, + "filename": "positive4.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata", + "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 33, - "fileName": "positive4.tf" + "line": 25, + "filename": "positive1.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json index 5d71a40a159..f87e0bcc98a 100644 --- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Deployment Without PodDisruptionBudget", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.selector.match_labels is targeted by a PodDisruptionBudget", + "actualValue": "kubernetes_deployment[example].spec.selector.match_labels is not targeted by a PodDisruptionBudget" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 396c3aff1e1..33178672a2c 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 9 + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 16 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[0].host_path.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 96 + "line": 16, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 103 + "line": 164, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 164 + "line": 171, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 171 + "line": 96, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json index 6dbd73ffe61..0e82039c21c 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 15 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_horizontal_pod_autoscaler", + "resourceName": "test", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric", + "searchValue": "", + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object" }, { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 49 + "line": 15, + "filename": "positive.tf", + "resourceType": "kubernetes_horizontal_pod_autoscaler", + "resourceName": "test", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric", + "searchValue": "", + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index be0213dc98f..c7957540264 100644 --- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", - "line": 12, - "fileName": "positive1.tf" + "line": 30, + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy", + "searchValue": "", + "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", + "actualValue": "Attribute 'image_pull_policy' is incorrect" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", - "line": 30, - "fileName": "positive2.tf" + "line": 12, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "busybox-tf", + "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy", + "searchValue": "", + "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", + "actualValue": "Attribute 'image_pull_policy' is incorrect" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json index 95f2aae226c..701d992f582 100644 --- a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json @@ -2,31 +2,73 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 9 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 36 + "line": 142, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image does not have '@'" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 88 + "line": 170, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[1].image does not have '@'" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 142 + "line": 224, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.image has '@'", + "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 170 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 224 + "line": 36, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 94f5dfadaaf..9e7625f7e10 100644 --- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 166 + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 166, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has only one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has multiple templates with 'ReadWriteOnce'" }, { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 367 + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 367, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template has one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template does not have a template with a 'ReadWriteOnce'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json index 65dc81ee597..7b03dc649a5 100644 --- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.tf" - }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.tf" - }, + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "filename": "positive3.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-4", + "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-4] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-4] is exposing the workload" + }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive3.tf" - } -] + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "filename": "positive1.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example", + "searchKey": "kubernetes_ingress[example].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example] is exposing the workload" + }, + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 32, + "filename": "positive2.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-ingress", + "searchKey": "kubernetes_ingress[example-ingress-2].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-ingress-2] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json index e716875d876..4e4cf07a283 100644 --- a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Invalid Image", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container.image should not be empty or latest", + "actualValue": "kubernetes_pod[positive1].spec.container.image is empty or latest" }, { "queryName": "Invalid Image", "severity": "LOW", - "line": 60 + "line": 113, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest" }, { "queryName": "Invalid Image", "severity": "LOW", - "line": 113 + "line": 60, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json index 85c9711ffc6..1a93bb893aa 100644 --- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Liveness Probe Is Not Defined", "severity": "INFO", "line": 7, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "Attribute 'livenessProbe' should be defined and not null", + "actualValue": "Attribute 'livenessProbe' is undefined or null" }, { "queryName": "Liveness Probe Is Not Defined", "severity": "INFO", "line": 27, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container", + "searchValue": "", + "expectedValue": "Attribute 'livenessProbe' should be defined and not null", + "actualValue": "Attribute 'livenessProbe' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json index c597226e123..9218a95860d 100644 --- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json @@ -2,46 +2,109 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 15 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 53 + "line": 136, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 107 + "line": 288, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 136 + "line": 15, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 193 + "line": 107, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 228 + "line": 193, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.limits is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 288 + "line": 228, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 343 + "line": 343, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 400 + "line": 400, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive6", + "searchKey": "kubernetes_pod[positive6].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive6].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive6].spec.container.resources.limits is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json index 3c6c5a5ea26..b0bdbcd6406 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json @@ -2,46 +2,109 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 12 + "line": 109, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 51 + "line": 138, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 109 + "line": 231, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 138 + "line": 350, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 195 + "line": 12, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 231 + "line": 51, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 296 + "line": 195, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 350 + "line": 296, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 408 + "line": 408, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive6", + "searchKey": "kubernetes_pod[positive6].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive6].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive6].spec.container.resources.requests is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json index be2692d29e4..a15e0f9bb04 100644 --- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Metadata Label Is Invalid", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].metadata.labels", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].metada.labels[app] has valid label", + "actualValue": "kubernetes_pod[test].metada.labels[app] has invalid label" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json index c43d7e7304b..64d8e121b55 100644 --- a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_pod[example1].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[example1].metadata.annotations should contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'", + "actualValue": "kubernetes_pod[example1].metadata.annotations doesn't contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'" }, { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 58 + "line": 58, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_pod[example2].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[example2].metadata should include annotations for AppArmor profile config", + "actualValue": "kubernetes_pod[example2].metadata doesn't contain AppArmor profile config in annotations" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json index 5d875e4801c..79d621865c1 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "NET_RAW Capabilities Disabled for PSP", "severity": "MEDIUM", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.required_drop_capabilities", + "searchValue": "", + "expectedValue": "spec.required_drop_capabilities 'is ALL or NET_RAW'", + "actualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index 163f143b573..65298b681d5 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -2,61 +2,145 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 13 + "line": 82, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 47 + "line": 358, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 82 + "line": 13, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 117 + "line": 241, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 150 + "line": 299, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 183 + "line": 415, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 212 + "line": 467, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 241 + "line": 117, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 299 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 358 + "line": 150, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 415 + "line": 183, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 467 + "line": 212, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index 8db62c08375..5ec7cf83b42 100644 --- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Network Policy Is Not Targeting Any Pod", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_network_policy", + "resourceName": "terraform-example-network-policy", + "searchKey": "kubernetes_network_policy[example].spec.pod_selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is targeting at least a pod", + "actualValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is not targeting any pod" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json index 27f74e88b00..b5214b2d11c 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -2,55 +2,109 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 12, - "fileName": "positive1.tf" + "line": 47, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 47, - "fileName": "positive1.tf" + "line": 7, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 141, - "fileName": "positive1.tf" + "line": 36, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 11, - "fileName": "positive2.tf" + "line": 124, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test31", + "searchKey": "kubernetes_pod[test31].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 44, - "fileName": "positive2.tf" + "line": 141, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 136, - "fileName": "positive2.tf" + "line": 12, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 7, - "fileName": "positive3.tf" + "line": 11, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 36, - "fileName": "positive3.tf" + "line": 44, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 124, - "fileName": "positive3.tf" + "line": 136, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index be69b39ed6f..f2871f432db 100644 --- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 53 + "line": 173, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 113 + "line": 233, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 173 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 233 + "line": 113, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_pod[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json index 407515d5dbd..2abc3101b60 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json @@ -1,50 +1,98 @@ [ - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 13, - "fileName": "positive1.tf" - }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_role[example2].rule.verbs should not contain the value 'create' when kubernetes_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example2].rule.verbs contains the value 'create' and kubernetes_role[example2].rule.resources contains a wildcard value" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 57, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_role[example3].rule.verbs should not contain a wildcard value when kubernetes_role[example3].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example3].rule.verbs contains a wildcard value and kubernetes_role[example3].rule.resources contains the value 'pods'" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_role[example4].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_role[example4].rule.verbs should not contain a wildcard value when kubernetes_role[example4].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example4].rule.verbs contains a wildcard value and kubernetes_role[example4].rule.resources contains a wildcard value" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_cluster_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_cluster_role[example1].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example1].rule.verbs contains the value 'create' and kubernetes_cluster_role[example1].rule.resources contains the value 'pods'" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_cluster_role[example2].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example2].rule.verbs contains the value 'create' and kubernetes_cluster_role[example2].rule.resources contains a wildcard value" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_cluster_role[example3].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_cluster_role[example3].rule.verbs should not contain a wildcard value when kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example3].rule.verbs contains a wildcard value and kubernetes_cluster_role[example3].rule.resources contains a wildcard value" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_cluster_role[example4].rule.verb should not contain a wildcard value when kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'" + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json index 597ff9f41c0..92315ce2a0f 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 6 + "line": 89, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 7 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 36 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context is undefined" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 88 + "line": 36, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context is undefined" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 89 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive1].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json index 291dc7b524f..13381cb4761 100644 --- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation is set to true" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation is set to true" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 108 + "line": 108, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json index 116cddb31d2..49d7c37a7a9 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP Allows Containers To Share The Host Network Namespace", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.host_network", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json index fb790fc97db..a332d08a775 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" }, { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation should be set", + "actualValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json index 65f43ef0cb9..0e9b5f8636e 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP Allows Sharing Host IPC", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example2].spec.host_ipc", + "searchValue": "", + "expectedValue": "Attribute 'host_ipc' should be undefined or false", + "actualValue": "Attribute 'host_ipc' is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json index 18055bdda6c..68ce8a91dd8 100644 --- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP Set To Privileged", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is not set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json index 9721fb8119a..25bf35f3042 100644 --- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "PSP With Added Capabilities", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_capabilities", + "searchValue": "", + "expectedValue": "Pod Security Policy example should not have allowed capabilities", + "actualValue": "Pod Security Policy example has allowed capabilities" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 8a2bf2e74fc..0beccff2319 100644 --- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 9 + "line": 48, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 27 + "line": 62, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 48 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 62 + "line": 27, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json index ffe1dad2b4d..7226d1e7c82 100644 --- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 7 + "line": 60, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[0].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[0].readiness_probe is undefined" }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 60 + "line": 89, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[1].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined" }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 89 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", + "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json index 72f7c8c2f21..f36e75c76ee 100644 --- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "kubernetes_role_binding", + "resourceName": "terraform-example", + "searchKey": "resource.kubernetes_role_binding[example]", + "searchValue": "", + "expectedValue": "resource.kubernetes_role_binding[example].subject[1].name should not be default", + "actualValue": "resource.kubernetes_role_binding[example].subject[1].name is default" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 0bf69a1330c..4d596eb5cfb 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -2,16 +2,37 @@ { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 14 + "line": 44, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined" }, { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 44 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true" }, { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 103 + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json index cef67ea3ebd..487770eb817 100644 --- a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 6 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 7 + "line": 37, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", + "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 19 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 19, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.run_as_user.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is not equal to 'MustRunAsNonRoot'" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 37 + "line": 27, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule limits its ranges", + "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json index d0fae507cba..5ae73389335 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json @@ -2,46 +2,109 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 2 + "line": 411, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment3", + "searchKey": "kubernetes_deployment[deployment3].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 58 + "line": 115, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod3].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 115 + "line": 348, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment2", + "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 184 + "line": 58, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod2].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 215 + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 249 + "line": 184, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 284 + "line": 215, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 348 + "line": 284, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment1", + "searchKey": "kubernetes_deployment[deployment1].spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 411 + "line": 2, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod1].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", + "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json index 369bb9a954f..46945ccf300 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref is set" }, { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env_from", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env_from.secret_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env_from.secret_ref is set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json index fe3d702c932..e03300ed3a7 100644 --- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 7 - }, { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 49 - } -] + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "cluster_role_name", + "searchKey": "kubernetes_cluster_role[cluster_role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]" + }, + { + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "role_name", + "searchKey": "kubernetes_role[role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_role[role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_role[role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json index 27d1d3d2d7e..45c98992695 100644 --- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" - }, { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" - }, + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 36, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test3].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct", + "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty" + }, { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive3.tf" - } -] + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test1].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test1].spec.service_account_name should be defined and not null", + "actualValue": "kubernetes_pod[test1].spec.service_account_name is undefined or null" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.service_account_name should be defined and not null", + "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json index 426e5be9aa5..2fc06aae9a6 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -2,21 +2,49 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 25 + "line": 162, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test6].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", + "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 88 + "line": 144, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 144 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_daemonset", + "resourceName": "example2", + "searchKey": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token is set to true" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 162 + "line": 25, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json index 2a1207f9ac7..832a53c4f06 100644 --- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Service Type is NodePort", "severity": "LOW", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example", + "searchKey": "kubernetes_service[example].spec.type", + "searchValue": "", + "expectedValue": "kubernetes_service[example].spec.type should not be 'NodePort'", + "actualValue": "kubernetes_service[example].spec.type is 'NodePort'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json index 0dea266ccaf..d29964838cc 100644 --- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "Service With External Load Balancer", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_service[example1].metadata.name.annotations", + "searchValue": "", + "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)", + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)" }, { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_service[example2].metadata.name", + "searchValue": "", + "expectedValue": "'metadata.annotations' should be set", + "actualValue": "'metadata.annotations' is undefined" }, { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_service[example2].metadata.name.annotations", + "searchValue": "", + "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)", + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)" }, { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_service[example3].metadata.name.annotations", + "searchValue": "", + "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)", + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)" }, { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", "line": 46, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_service[example4].metadata.name.annotations", + "searchValue": "", + "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)", + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json index 31f178f754c..f7d12d51c1f 100644 --- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Shared Host IPC Namespace", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.host_ipc", + "searchValue": "", + "expectedValue": "Attribute 'host_ipc' should be undefined or false", + "actualValue": "Attribute 'host_ipc' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json index 1b6b06fed37..3cd08925eba 100644 --- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.host_network", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.host_network should be undefined or set to false", + "actualValue": "kubernetes_pod[test].spec.host_network is set to true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json index e78930ea639..67ef70c8822 100644 --- a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 46 - } -] + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 46, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "with_pod_affinity", + "searchKey": "kubernetes_pod[with_pod_affinity].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name should not be shared with other workloads", + "actualValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name is shared with other workloads" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json index 6c3a8961b44..4b339980c99 100644 --- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 177 - } -] + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 177, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage should not be set", + "actualValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage is set to 16Gi" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index d73ea9ec410..74c4d5deb17 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "StatefulSet Without PodDisruptionBudget", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is targeted by a PodDisruptionBudget", + "actualValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is not targeted by a PodDisruptionBudget" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json index 027d6c8df6f..3e60fe36654 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "StatefulSet Without Service Name", "severity": "LOW", - "line": 49 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.service_name", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.service_name should refer to a Headless Service", + "actualValue": "kubernetes_stateful_set[prometheus].spec.service_name does not refer to a Headless Service" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json index 7c94b93083e..e4a678078ed 100644 --- a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json @@ -2,26 +2,61 @@ { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 3 + "line": 200, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers", + "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 8 + "line": 3, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].metadata should not refer any to a Tiller resource", + "actualValue": "kubernetes_pod[positive1].metadata refers to a Tiller resource" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 103 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image shouldn't have any Tiller containers", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image contains a Tiller container" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 175 + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image shouldn't have any Tiller containers", + "actualValue": "kubernetes_pod[positive2].spec.container.image contains a Tiller container" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 200 + "line": 175, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.metadata should not refer to any Tiller resource", + "actualValue": "kubernetes_deployment[example].spec.template.metadata does not refer to any Tiller resource" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json index a87047d0ac8..dae7713c256 100644 --- a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].metadata.namespace", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].metadata.namespace should not be set to 'default'", + "actualValue": "kubernetes_pod[test].metadata.namespace is set to 'default'" }, { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "test2", + "searchKey": "kubernetes_cron_job[test2].metadata", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[test2].metadata should be set", + "actualValue": "kubernetes_cron_job[test2].metadata is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 99f3567bd50..07438b91720 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -2,85 +2,169 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 8, - "fileName": "positive1.tf" + "line": 100, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 66, - "fileName": "positive1.tf" + "line": 158, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 100, - "fileName": "positive1.tf" + "line": 105, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 158, - "fileName": "positive1.tf" + "line": 164, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false" + }, + { + "queryName": "Volume Mount With OS Directory Write Permissions", + "severity": "HIGH", + "line": 170, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 163, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 250, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 255, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 70, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 105, - "fileName": "positive2.tf" - }, - { - "queryName": "Volume Mount With OS Directory Write Permissions", - "severity": "HIGH", - "line": 164, - "fileName": "positive2.tf" + "line": 258, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 170, - "fileName": "positive2.tf" + "line": 264, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 258, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 264, - "fileName": "positive2.tf" + "line": 66, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json index 980fe8919ff..9793dffd904 100644 --- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 16, - "fileName": "positive1.tf" + "line": 41, + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port", + "searchValue": "", + "expectedValue": "Attribute 'host_port' should be defined and not null", + "actualValue": "Attribute 'host_port' is undefined or null" }, { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 41, - "fileName": "positive2.tf" + "line": 16, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.container.port", + "searchValue": "", + "expectedValue": "Attribute 'host_port' should be defined and not null", + "actualValue": "Attribute 'host_port' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index af7be5fa4ba..79715364995 100644 --- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 53 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_pod[test1].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example1' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example1' is mounting a host sensitive OS directory '/var/log' with host_path" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 112, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_persistent_volume[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example2' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example2' is mounting a host sensitive OS directory '/var/log' with host_path" } ] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index 3b339c90f90..0891e73e269 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network" + }, + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json index c155888d657..a1ce6f1c761 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group_rule", + "resourceName": "positive", + "searchKey": "nifcloud_security_group_rule[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group_rule[positive]' set a more restrictive cidr range", + "actualValue": "'nifcloud_security_group_rule[positive]' allows traffic from /0" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json index 9aa880cd9a9..d15a907a398 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud Computing Undefined Security Group To Instance", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud Computing Undefined Security Group To Instance", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should include a security_group for security purposes", + "actualValue": "'nifcloud_instance[positive]' does not have a security_group" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json index 1b4ae154932..7d507ebf978 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud Computing Undefined Description To Security Group", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud Computing Undefined Description To Security Group", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group[positive]' should include a description for auditing purposes", + "actualValue": "'nifcloud_security_group[positive]' does not have a description" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json index 9bd94917eb8..59f236db36f 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud Computing Undefined Description To Security Group Rule", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud Computing Undefined Description To Security Group Rule", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group_rule", + "resourceName": "positive", + "searchKey": "nifcloud_security_group_rule[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group_rule[positive]' should include a description for auditing purposes", + "actualValue": "'nifcloud_security_group_rule[positive]' does not have a description" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json index 27c28135d5e..1bac7c5632d 100644 --- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud Low RDB Backup Retention Period", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud Low RDB Backup Retention Period", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud Low RDB Backup Retention Period", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days", + "actualValue": "'nifcloud_db_instance[positive]' doesn't have a backup retention period defined" + }, + { + "queryName": "Nifcloud Low RDB Backup Retention Period", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days", + "actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '%!s(int=5)' which is less than minimum of 7 days" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json index f1c041a3ef5..6593714ee40 100644 --- a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud RDB Has Public DB Access", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud RDB Has Public DB Access", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should not use publicly accessible set to true. You should limit all access to the minimum that is required for your application to function.", + "actualValue": "'nifcloud_db_instance[positive]' has publicly accessible set to true." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json index 0c41e6b1eb8..921652ee7d1 100644 --- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud RDB Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud RDB Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_db_instance[positive]' has common private network" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json index 547983c13bf..5b8de087c84 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud RDB Undefined Description To DB Security Group", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud RDB Undefined Description To DB Security Group", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_db_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_security_group[positive]' should include a description for auditing purposes.", + "actualValue": "'nifcloud_db_security_group[positive]' does not have a description." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json index 425cc5d611a..c6e97ff1ff0 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_db_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_security_group[positive]' set a more restrictive cidr range", + "actualValue": "'nifcloud_db_security_group[positive]' allows traffic from /0" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json index b6523967215..f3776357501 100644 --- a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud DNS Has Verified Record", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud DNS Has Verified Record", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_dns_record", + "resourceName": "test.example.test", + "searchKey": "nifcloud_dns_record[positive]", + "searchValue": "", + "expectedValue": "Verified records should be removed from 'nifcloud_dns_record[positive]'.", + "actualValue": "'nifcloud_dns_record[positive]' has risk of DNS records being used by others." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json index 93ef9fa8953..c10c24a5b08 100644 --- a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud ELB Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud ELB Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud ELB Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_elb", + "resourceName": "positive", + "searchKey": "nifcloud_elb[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_elb[positive]' has common private network" + }, + { + "queryName": "Nifcloud ELB Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_elb", + "resourceName": "positive", + "searchKey": "nifcloud_elb[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_elb[positive]' has common private network" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json index 1c910a5b611..1a81466118c 100644 --- a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud ELB Listener Using HTTP Protocol", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud ELB Listener Using HTTP Protocol", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud ELB Listener Using HTTP Protocol", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_elb_listener", + "resourceName": "positive", + "searchKey": "nifcloud_elb_listener[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.", + "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol." + }, + { + "queryName": "Nifcloud ELB Listener Using HTTP Protocol", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_elb_listener", + "resourceName": "positive", + "searchKey": "nifcloud_elb_listener[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.", + "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json index 8234db197e2..8b42737b72e 100644 --- a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud ELB Using HTTP Protocol", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud ELB Using HTTP Protocol", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud ELB Using HTTP Protocol", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_elb", + "resourceName": "positive", + "searchKey": "nifcloud_elb[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features.", + "actualValue": "'nifcloud_elb[positive]' using HTTP protocol." + }, + { + "queryName": "Nifcloud ELB Using HTTP Protocol", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_elb", + "resourceName": "positive", + "searchKey": "nifcloud_elb[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features", + "actualValue": "'nifcloud_elb[positive]' use HTTP protocol" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json index 2546d14e399..694f40e0f9a 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud LB Listener Using HTTP Port", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud LB Listener Using HTTP Port", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_load_balancer_listener", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer_listener[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer_listener[positive]' should switch to HTTPS to benefit from TLS security features.", + "actualValue": "'nifcloud_load_balancer_listener[positive]' using HTTP port." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json index 9e59261f27a..befc9333dce 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud LB Using HTTP Port", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud LB Using HTTP Port", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_load_balancer", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer[positive]' should switch to HTTPS to benefit from TLS security features.", + "actualValue": "'nifcloud_load_balancer[positive]' using HTTP port." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json index 7cc8afe871c..8811ea933a6 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud LB Using Insecure TLS Policy ID", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud LB Using Insecure TLS Policy ID", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud LB Using Insecure TLS Policy ID", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_load_balancer", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + }, + { + "queryName": "Nifcloud LB Using Insecure TLS Policy ID", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_load_balancer", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json index 7bb192e65b9..51043d96ebb 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud LB Using Insecure TLS Policy Name", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud LB Using Insecure TLS Policy Name", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud LB Using Insecure TLS Policy Name", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_load_balancer", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + }, + { + "queryName": "Nifcloud LB Using Insecure TLS Policy Name", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_load_balancer", + "resourceName": "positive", + "searchKey": "nifcloud_load_balancer[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json index 25d43939456..075eac54bdf 100644 --- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud NAS Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud NAS Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_nas_instance", + "resourceName": "positive", + "searchKey": "nifcloud_nas_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_nas_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_nas_instance[positive]' has common private network" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json index 7a29f969aee..55369ab2f26 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud NAS Undefined Description To NAS Security Group", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud NAS Undefined Description To NAS Security Group", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_nas_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_nas_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_nas_security_group[positive]' should include a description for auditing purposes", + "actualValue": "'nifcloud_nas_security_group[positive]' does not have a description" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json index 3aa266359bb..813017e4797 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_nas_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_nas_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_nas_security_group[positive]' set a more restrictive cidr range", + "actualValue": "'nifcloud_nas_security_group[positive]' allows traffic from /0" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json index 4ee87233b90..1b2fbf2ce33 100644 --- a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "Nifcloud Router Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud Router Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } -] + { + "queryName": "Nifcloud Router Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_router", + "resourceName": "positive", + "searchKey": "nifcloud_router[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.", + "actualValue": "'nifcloud_router[positive]' has common private network." + }, + { + "queryName": "Nifcloud Router Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_router", + "resourceName": "positive", + "searchKey": "nifcloud_router[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.", + "actualValue": "'nifcloud_router[positive]' has common private network." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json index 56e9ea411de..485d0e333fe 100644 --- a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud Router Undefined Security Group", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud Router Undefined Security Group", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_router", + "resourceName": "positive", + "searchKey": "nifcloud_router[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_router[positive]' should include a security_group for security purposes", + "actualValue": "'nifcloud_router[positive]' does not have a security_group" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json index 78ad7248b59..adf042d30ab 100644 --- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Nifcloud VPN Gateway Undefined Security Group", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } -] + { + "queryName": "Nifcloud VPN Gateway Undefined Security Group", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_vpn_gateway", + "resourceName": "positive", + "searchKey": "nifcloud_vpn_gateway[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_vpn_gateway[positive]' should include a security_group for security purposes.", + "actualValue": "'nifcloud_vpn_gateway[positive]' does not have a security_group defined." + } +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json index b8625c07b33..f65d667b077 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CDB Instance Internet Service Enabled", "severity": "HIGH", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_mysql_instance", + "resourceName": "example", + "searchKey": "tencentcloud_mysql_instance[example].internet_service", + "searchValue": "", + "expectedValue": "[example] has 'internet_service' set to 0 or undefined", + "actualValue": "[example] has 'internet_service' set to 1" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json index 3cc7d62ea51..4c092144c44 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CDB Instance Internet Using Default Intranet Port", "severity": "LOW", "line": 34, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_mysql_instance", + "resourceName": "example", + "searchKey": "tencentcloud_mysql_instance[example].intranet_port", + "searchValue": "", + "expectedValue": "[example] has 'intranet_port' set to non 3306", + "actualValue": "[example] has 'intranet_port' set to 3306" }, { "queryName": "CDB Instance Internet Using Default Intranet Port", "severity": "LOW", "line": 23, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_mysql_instance", + "resourceName": "example", + "searchKey": "tencentcloud_mysql_instance[example]", + "searchValue": "", + "expectedValue": "[example] 'intranet_port' should be set and the value should not be 3306", + "actualValue": "[example] does not set 'intranet_port'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json index 7f87513f7f5..e842b2d7764 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CDB Instance Without Backup Policy", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_mysql_instance", + "resourceName": "none_backup_policy", + "searchKey": "tencentcloud_mysql_instance[none_backup_policy]", + "searchValue": "", + "expectedValue": "tencentcloud_mysql_instance[none_backup_policy] should have 'tencentcloud_mysql_backup_policy'", + "actualValue": "tencentcloud_mysql_instance[none_backup_policy] does not have 'tencentcloud_mysql_backup_policy'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json index 2ee3ae8ebaf..41f06a32f6e 100644 --- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CLB Instance Log Setting Disabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_clb_instance", + "resourceName": "internal_clb", + "searchKey": "tencentcloud_clb_instance[internal_clb]", + "searchValue": "", + "expectedValue": "tencentcloud_clb_instance[internal_clb] should set 'log_set_id' and 'log_topic_id'", + "actualValue": "tencentcloud_clb_instance[internal_clb] not set 'log_set_id' and 'log_topic_id'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json index 6cce5eb28da..52e12932b84 100644 --- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "CLB Listener Using Insecure Protocols", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_clb_listener", + "resourceName": "listener", + "searchKey": "tencentcloud_clb_listener[listener].protocol", + "searchValue": "", + "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol", + "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol" }, { "queryName": "CLB Listener Using Insecure Protocols", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_clb_listener", + "resourceName": "listener", + "searchKey": "tencentcloud_clb_listener[listener].protocol", + "searchValue": "", + "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol", + "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol" }, { "queryName": "CLB Listener Using Insecure Protocols", "severity": "HIGH", "line": 4, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "tencentcloud_clb_listener", + "resourceName": "listener", + "searchKey": "tencentcloud_clb_listener[listener].protocol", + "searchValue": "", + "expectedValue": "tencentcloud_clb_listener[listener].protocol[UDP] should not be an insecure protocol", + "actualValue": "tencentcloud_clb_listener[listener].protocol[UDP] is an insecure protocol" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json index b48c8f1787d..1e7fb34d727 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CVM Instance Disable Monitor Service", "severity": "INFO", "line": 13, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].disable_monitor_service", + "searchValue": "", + "expectedValue": "[cvm_postpaid] 'disable_monitor_service' should be set to false", + "actualValue": "[cvm_postpaid] 'disable_monitor_service' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json index a37d3770f89..ff3e4a9b91a 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "CVM Instance Has Public IP", "severity": "HIGH", "line": 13, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].allocate_public_ip", + "searchValue": "", + "expectedValue": "[cvm_postpaid] 'allocate_public_ip' should be set to false", + "actualValue": "[cvm_postpaid] 'allocate_public_ip' is true" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json index 86122a808e3..d8800abe35f 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "CVM Instance Using Default Security Group", "severity": "LOW", "line": 18, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].orderly_security_groups", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups should not contain 'default'", + "actualValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups contains 'default'" }, { "queryName": "CVM Instance Using Default Security Group", "severity": "LOW", "line": 18, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].security_groups", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid].security_groups should not contain 'default'", + "actualValue": "tencentcloud_instance[cvm_postpaid].security_groups contains 'default'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json index 7f70cb7a4d3..b8dff543959 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "CVM Instance Using Default VPC", "severity": "LOW", - "line": 22, - "fileName": "positive1.tf" + "line": 23, + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet", + "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet" }, { "queryName": "CVM Instance Using Default VPC", "severity": "LOW", - "line": 23, - "fileName": "positive1.tf" + "line": 22, + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'", + "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json index b65024bc18b..67095c53c01 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "fileName": "positive1.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" }, { "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "fileName": "positive2.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" }, { "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "fileName": "positive3.tf" + "filename": "positive4.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" }, { "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "tencentcloud_instance", + "resourceName": "cvm_postpaid", + "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", + "searchValue": "", + "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json index 7ff48719112..c86aebfbef7 100644 --- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive1.tf", + "resourceType": "tencentcloud_cbs_storage", + "resourceName": "encrytion_positive1", + "searchKey": "tencentcloud_cbs_storage[encrytion_positive1]", + "searchValue": "", + "expectedValue": "[encrytion_positive1] has encryption enabled", + "actualValue": "[encrytion_positive1] does not have encryption enabled" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 6, + "filename": "positive2.tf", + "resourceType": "tencentcloud_cbs_storage", + "resourceName": "encrytion_positive2", + "searchKey": "tencentcloud_cbs_storage[encrytion_positive2].encrypt", + "searchValue": "", + "expectedValue": "[encrytion_positive2] has encryption set to true", + "actualValue": "[encrytion_positive2] has encryption set to false" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json index d75322bb8b9..4aeeb750a1f 100644 --- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_security_group_rule_set", + "resourceName": "base", + "searchKey": "tencentcloud_security_group_rule_set[base].ingress", + "searchValue": "", + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", + "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" }, { "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "tencentcloud_security_group_rule_set", + "resourceName": "base", + "searchKey": "tencentcloud_security_group_rule_set[base].ingress", + "searchValue": "", + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", + "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" }, { "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_security_group_rule_set", + "resourceName": "base", + "searchKey": "tencentcloud_security_group_rule_set[base].ingress", + "searchValue": "", + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", + "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" }, { "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "tencentcloud_security_group_rule_set", + "resourceName": "base", + "searchKey": "tencentcloud_security_group_rule_set[base].ingress", + "searchValue": "", + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic", + "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json index 836133453de..5804192e93c 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "TKE Cluster Encryption Protection Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "none_encryption_protection", + "searchKey": "tencentcloud_kubernetes_cluster[none_encryption_protection]", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] should have 'tencentcloud_kubernetes_encryption_protection' enabled", + "actualValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json index d1b2cf1e2a6..e7f3cb7220d 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json @@ -3,72 +3,144 @@ "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal to 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", "line": 84, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", "line": 62, - "fileName": "positive2.tf" + "filename": "positive4.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 83, - "fileName": "positive2.tf" + "line": 104, + "filename": "positive4.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 63, - "fileName": "positive3.tf" + "line": 124, + "filename": "positive4.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 84, - "fileName": "positive3.tf" + "line": 63, + "filename": "positive3.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 105, - "fileName": "positive3.tf" + "line": 83, + "filename": "positive4.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 126, - "fileName": "positive3.tf" + "line": 62, + "filename": "positive2.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 62, - "fileName": "positive4.tf" + "line": 83, + "filename": "positive2.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 83, - "fileName": "positive4.tf" + "line": 84, + "filename": "positive3.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 104, - "fileName": "positive4.tf" + "line": 105, + "filename": "positive3.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 124, - "fileName": "positive4.tf" + "line": 126, + "filename": "positive3.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "example", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json index 70d98bf6e03..d77060a7ec6 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "TKE Cluster Log Agent Is Not Enabled", "severity": "LOW", "line": 39, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "managed_cluster", + "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled", + "searchValue": "", + "expectedValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled should be set to 'true'", + "actualValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled is not set to 'true'" }, { "queryName": "TKE Cluster Log Agent Is Not Enabled", "severity": "LOW", "line": 6, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": "managed_cluster", + "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster]", + "searchValue": "", + "expectedValue": "'log_agent' should be defined and not null", + "actualValue": "'log_agent' is undefined or null" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json index db64c91d062..486fc25d222 100644 --- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "VPC Flow Logs Disabled", "severity": "LOW", "line": 97, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "tencentcloud_vpc_flow_log_config", + "resourceName": "config", + "searchKey": "tencentcloud_vpc_flow_log_config[config].enable", + "searchValue": "", + "expectedValue": "[config] should have enable set to true", + "actualValue": "[config] has enable set to false" } -] +] \ No newline at end of file diff --git a/test/queries_test.go b/test/queries_test.go index 88e593d30cd..958ebda1580 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -380,6 +380,12 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera require.NotNil(tb, actualItem.Value) require.Equal(tb, *expectedItem.Value, *actualItem.Value) } + require.Equal(tb, expectedItem.ResourceType, actualItem.ResourceType, "Invalid resource type for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceType, actualItem.ResourceType) + require.Equal(tb, expectedItem.ResourceName, actualItem.ResourceName, "Invalid resource name for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceName, actualItem.ResourceName) + require.Equal(tb, expectedItem.SearchKey, actualItem.SearchKey, "Invalid searchKey for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchKey, actualItem.SearchKey) + require.Equal(tb, expectedItem.SearchValue, actualItem.SearchValue, "Invalid searchValue for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchValue, actualItem.SearchValue) + require.Equal(tb, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue, "Invalid expected value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue) + require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, actualItem.KeyActualValue, actualItem.KeyActualValue) } } From b2edcd776500c25199d29dcc6c9f034140339507 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Mon, 9 Mar 2026 10:48:10 +0000 Subject: [PATCH 03/22] inserted more field into positive_expected_result.json file --- .../__pycache__/generate.cpython-312.pyc | Bin 0 -> 3294 bytes .../__pycache__/models.cpython-312.pyc | Bin 0 -> 1488 bytes .../__pycache__/runner.cpython-312.pyc | Bin 0 -> 4901 bytes .../write_expected_results.cpython-312.pyc | Bin 0 -> 5029 bytes .../generate.py | 65 + .../main.py | 21 + .../models.py | 27 + .../runner.py | 98 + .../skipped_queries_report.json | 4467 +++++++ .../test_list_output_personal_computer.json | 10864 ++++++++++++++++ .../write_expected_results.py | 99 + .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 200 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 378 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 192 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 138 +- .../test/positive_expected_result.json | 116 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 208 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 138 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 160 +- .../test/positive_expected_result.json | 132 +- .../test/positive_expected_result.json | 100 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 102 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 90 +- .../test/positive_expected_result.json | 370 +- .../test/positive_expected_result.json | 106 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 194 +- .../test/positive_expected_result.json | 130 +- .../test/positive_expected_result.json | 120 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 86 +- .../test/positive_expected_result.json | 98 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 216 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 104 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 1760 +-- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 114 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 176 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 262 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 2214 ++-- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 130 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 206 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 260 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 164 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 220 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 132 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 106 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 126 +- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 254 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 120 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 100 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 722 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 114 +- .../test/positive_expected_result.json | 138 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 124 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 196 +- .../test/positive_expected_result.json | 162 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 106 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 130 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 82 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 110 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 120 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 180 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 52 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 218 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 166 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 102 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 158 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 256 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 124 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 192 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 132 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 88 +- .../test/positive_expected_result.json | 136 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 282 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 184 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 100 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 94 +- .../test/positive_expected_result.json | 42 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 202 +- .../test/positive_expected_result.json | 162 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 428 +- .../test/positive_expected_result.json | 450 +- .../test/positive_expected_result.json | 444 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 164 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 202 +- .../test/positive_expected_result.json | 164 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 146 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 90 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 104 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 122 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 76 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 180 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 292 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 348 +- .../test/positive_expected_result.json | 332 +- .../test/positive_expected_result.json | 328 +- .../test/positive_expected_result.json | 132 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 46 +- .../test/positive_expected_result.json | 174 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 188 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 78 +- .../test/positive_expected_result.json | 70 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 64 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 104 +- .../test/positive_expected_result.json | 90 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 40 +- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 112 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 82 +- 965 files changed, 38461 insertions(+), 22358 deletions(-) create mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc create mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/models.cpython-312.pyc create mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc create mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc create mode 100644 .github/scripts/generate-positive-expective-results/generate.py create mode 100644 .github/scripts/generate-positive-expective-results/main.py create mode 100644 .github/scripts/generate-positive-expective-results/models.py create mode 100644 .github/scripts/generate-positive-expective-results/runner.py create mode 100644 .github/scripts/generate-positive-expective-results/skipped_queries_report.json create mode 100644 .github/scripts/generate-positive-expective-results/test_list_output_personal_computer.json create mode 100644 .github/scripts/generate-positive-expective-results/write_expected_results.py diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..68d7e12ee700b71c9c8fc79ec5a0e19d413aeb24 GIT binary patch literal 3294 zcma)8O>7&-6`m!RZKR1$%67i1yaP9+?c3n0HKGz8FHzg z7O98e{Ji<*&CHu`zS+M90xbyAU)*0P|MDR8HEr0*-KgySn?q;=-9$2yITg*((xGxW z$DD(!+njSw2f_}_Zv&F1tgl`k&bJ$ltpBjJUYDKiP?7lpjFVk7pYwo6!5%Z`#R6`j z80?eXV-)Mb4q3qd3@>{>MPaOw- z81e)lFT5186_A%+3K;?9<(EO)vEb0d6pvQ86)xWP4ITJSoU{0MCFAxtPH0(fN!PKV zTb{d1m?&7c0+YXdHm&i{v7=JW_hJu)i&kjEs7y9)2$5M_nnw4sp|QPD+7q?>_iMpO(j zt>q0#$?IYc89zlwNo2OwFuz|NsxHG7twx6lV%++7%+!ICV(!HWHg+%IMn ztjc1BXgOwM(ds`&hJ?kDf@{gh435I_2{@nDWF^1wj^$9~xYOdbMVz;IN*jw;H3@7a z49l^&j3wCI(CO|(Q6vG{6UNI1kw-#fwfl`ryW;=y={Z~xwPq`9wCVto|5uiG+%MG1rjcvh9ZbVxX+owjGpm^O)@80(JZYg5zD~e(1f>xrc3l zpusto4(78xt~pj6SxVz$Np?^Y7&P=O-9vK(fmK?WMd7SKu6>3?WoIEZ)GnVR;&wV+o7W3MIZCcUfNA#iYPG(dcJt z$4sP+j`la;b(G&mDKL9HWVv&ij8)wdX2H?h3e4lyHDX}dYQ2$6PR=G%(>Et)rY4j0 z1+rXZLDl9hHz*xwoaG}}m8c%349#*aO2p6!eDWYBd+d@~-sV;JjDn~#Nc6^bK#vhDt_L#oT-vvz2aev#3P){*l3B5+Ek+a3Ary;ZV zdO7lwbpfWTM*GZY-)^jZGhWP?9j}#RgS%aT-%`voSIS+ZJE4=i?VX#qwmQty!{zqN zJME|b>2t?g)>~>}Xf)+yJp#7_}= zQ!Ni2r7H7;Y8>fptb)F_sTAX@rryI8MQ|Rd(N6(R_`<1^WRNyPsg#t@!+H%x%j+mtv`7!l&Or8i#NxxA zf_-5O_zqta<75K5=nJX$LSA!n9Jh;ne@Cx;jRN1gQLJNg;FI^O(eq~Xd^tK;jgFYn zk*AUw9sP3DjK1+_#f<*Egj%0>oPOMQKd`Pp8h)@`M%^_x&&_h1vo%D^qP)k-T9D^D ziWAh>u?6oq6t!R{7u}5gw);2TdkCtvam4%A3(uVG&%@n}pa0;!C4bM8vqh!)>X`ZJ zSozG4OFiRX&X-zlRQR9n1W#6jy=JiYJLGbO*B#G=Kq)L1TR)3Fi55Mj;6O!)H*K9y zI*Y+laHt|&ux-_z5wmBcB)(n>Ua1J9w)wN}C*39SVkvm3A`FA^*Pd^E;J@ZYdl*O6uu)ViK3*~mLog$(4vmhh6NIJ=#n5vJQN6mrYc&bD4-4pmVAmCQ>1)% zGRjN=l+mgR@mxlG7B)GZK-ACS*wabZGT0N`PAAHi@jqB(jh3UA>NrAJVs%s)K6f z9o1Q?Ra9&5sFmFH>woD?zNP9>AcHUogiw`13`rC&k1#*>GC1W(o)I8@8j-&BJpmh> zh~B_m!>p3oC38wvDOt5-wUW6dtC!5vEN}Qt<$VWYoX9)rAXDDK7 zxpI;?#dr`WV3ZaIk&Sr>Oy(m{|At2O1Oz;NCr$uY8pMfX0Wzyk?aMwy6ZdkIveu>jo$7|ozDFH z=G57ow>vYZ!#B@zy?+=Il>g5#SOh9iJ*ga1On|FjgDSWmAj4rYqY>5mb?~Cv!M^NTGjj#P6L63SoKtcgBrFdOCEw6{#<~ld zZJog?5^)^?8?w@#^yZseQ)g@LHYT^xZ}k4ROP{^?Vs>fw(cPn+qldq?x2MkT{KM@> zUmdL<$){U0XS+zNGrqqgpQG|-N6=}!peM9+x&jVVjnlQrT-Mz79p&CbEAQ%hKEed5 zsqa?|g6R@_zWcTlx_*99!>1ZdfyS7(D*r^Q8uWoeKk3@BLczo3>&)(kIhLY>wiyr?cONv;Z5%28+xq7J%oi#DgB*Xeo4JomPa=h n1mV;sR%2np3&>tsReEtj5SD@tSB*gFE?p3fM*7>*)O_tfw9{vl literal 0 HcmV?d00001 diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..f530ee01a6ea3477817d39cdb2f0b8321bd2b2ff GIT binary patch literal 4901 zcmbtYU2Gf25#Hk+$s>6rMN!nhrIRe#W+F&UcO$SZWrl5J+OduWNDc*7)kR{qx4_bZ+G z_Ihf$&FS%kX&Xqf^ES>9w;;qB)tbh&CU?4lGx0QM<{i8p&zPY&%LmkSW0h*EP#K^) zfzLdn$HCD%jtnm)%seCGjK+Z zhB1RiseL&U(CJ!VYu!bh`JRrmaLjDO6mnbR!zZx$tUSlFvtd?@hFHn(3$gxiFz5?$ z>`Yi>eXJyeW&=E{S~jTYz)BK06$-P)b)E?P!f~s|6OPJ}sO$;(g8XKKFA(sG>h4K{ z^HLZy3h?9NjYD`S;)?~sKCU`;Bi`)s@b5)GS*HNh_p4bBSkT=eRYXAd@x8|N2Vits>1N`P<>8u-aI&_2+HidpT!&1!zT@Ejdh#p@d9&!v@GjTb#@Z1l7s@1Fm!j z$yEp3*}1g)#u51TEf5J}UW*x6bfsvwNYc%sDI^;;dIDUSBOg%ru|_Bd(1K1jmD>;- z)VQSe%HM=e)3`u#di;04;_?KVMGMp~$a%bB+X`oxMH=52N)eY~d_kYk@5l?6LgQU9 zJcGwn$76g3kGWpw<j zYh!+_En!OR%xkUjK7+&dTn_tlIU1hJ;dm}bV~yj1^M1vLwB01otv^xV0k=pBC8#O1 z8x6z7z6tPl2@&uIBYp3Ym(WeZ-4s7P$@@5Vdmv(QVB_DDMW0`0Yw?|hsDtB;8uPTv z&f>5l4T|`z6he&aqw;_2uDRf@0DYb`mV}jmUy4&pYvYhV+vDg-|z*Zykf&)(l7Izx7=sI zkf<+E?zzok7c5p}akU#So5p&vNU;yo`f;@fS9@^rlRRsNnob zZvS}RIllOM(bBSJ>CRiaS1mn7yCZ3O0?{{+9?kAuHI0-Iq3?X?TemxJ$ChGg$A^g| z^#chs2+}>f7f(I5I&QzS^iE31G#0FV8>mrlPZC8}^PP(yT}&U&HWpk1NpsQJbmzcF z2h#1C$%1oVl78IYvC_ZXpE1IC`@mCVGue}8*IPQ$XICbcC$fhg=?a~P3N44%T8`&i zjweq)W}LStmL@(vSnTL8w)L#LTGQ<-UCUir!$V!6ZGXY_5>Sg>`&L5Bp{)1O)k4?t zZM}~Em7~i?vjZTx<4|$e-jyrMSF#h2P84<>D|WkA-d}z{H+b|jU7>q)>)`h;OQ-E$ z$YQlWHNq-OCa|xx4>8Wgi68dEF8mX3&!&V=^Y_i;!{i@__2Y+(e&|*UJ|^rj8)Hz{ zBaMa@3rNP}YS}r3(Qfqu0kL0K!xav22vQZ@JyPQ!Pz_ghmZjoQ1xv=z<$ojeGw3al z3zUqlD6fLj-4=Iz_L5lZMaZZ+kq zx1$>O=NosLSBv^`vo@~DdSIzTHp4tlFSeBg<*njpVn+^+x%LWN^Aic({H|@2p}Vv7 zn*J@8TX*IKdu=;wR(GPhF9Zs;)$ODGnbI1zctN+e=0x=@!DgIVtL4^zsru6~a}GGU zYR<7`{f!Bt&OfU>aq#P^H#m3VfYGLV#@e1FbRt`4iK~7DJQ3EmV5}Q&P8heY=~g3P z8RS*&miXDpN(NqrA%HG5>&CEzQLFr@V6}$`dlPb1AmS&A9c`8cCV8yp-oe}_{;fHJ)#`$Tz@cz2T+iaRc|Q;^lG^Hexv;}(`3Ek6ei zvYQ0_Gs7g(f0GmOZHwZ|!m@w+O@@6FzkJwuBY>*_D=4oHP?BdgrjLK6F}30+MkK&v zJ}K(=^O7_Z4FqE5_~9e}M~RzH3L!z7vlP7=5yRLF z5k~`Y1do}1dS-OWJ9+;61;t!>55jIJmU7#Rw?-Vs+!)SkpotICO;=ty_)V(l+AGUz+&*74o{kN%+a9A!ivljqo_}f**;KFmwcdQnC!04c&!?p2aik zj6G#qYuJ--*i&HkE{+$i_QjJ=C{vEvmFClLXU^r!BdgT@Cr!K3!dll$`L3599baua z`V`sqBTICWNFG?Xb)?4&w%#PUPFqt%swd@49Z&J8w{xAIEdRT?Pv^4JIoqqN^lNzB zk{(?-y?i<|b@yEQShhE3^Q_W?PaGY0x<2a4kPn;>F5T~1b-bE16gzv@Iz9PLPg1{1 zw>`Ev)-0WQOJ|1o640D!ynSxzT)KZ{-}1gyX7@VdNWGqM{kHX!){Hs#!r@16tsR-j zADPGF7Wi;0~w#tluZ$MoyW)Bp04JY+q(e0&fuq&Fu|ByS|= zlAcwnb)7OL&!(auOPQDN{yg9ELazD6>~QvC_SD0}pOc@R{DbAu!WXA<<_oLT#cz#P zurX)rS*3f6&bFtBFtN!|yt=WpGp$bze8qH^NFYLz!MJi%lZgKpL!rH1{ND#&ue(|F z06{#3siYK>6eE7p2863>Zl=)MYqadDh9G!QKoaqbO-;f?j7wOYno@bygex4l!DBHZ zWLT1T8na^O6fyWfN(b&$_GavZs*~XPIKA_FKSk>LR7cvR4}-R7fIli;0Ztq{q)(s% za|q%aWcda;zCq@{pw@q&zQ3Z8JR13yX-KtxII+g`=9%6C)3?S9WAq?rZ5`s@g&W?T(+rZ6IXE))*WcUF2Y<}-6 m8@OE>BYFr|s&xawr*xV?6qAg9Nw$4WS$=t@L?WtPHQ|3T#d}Tw literal 0 HcmV?d00001 diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..e07ee618dae9c1fa2ef827d14bccfb68f64fc399 GIT binary patch literal 5029 zcmbtYTTC3+89uW+vpcghuz+E?!>sXz4L1|)mbi}NYXI9JiHwUvVr@1%gBe(M$(dPW zR*S+z9+t?Gw@p=pVhbuo6|PZ3)JmmKO)qI9^<~#!?Pf|Ow{@lF4F^Y-cUCT5@qDX!Xa_*GXtFL zl3XK=2;t*4Bs=crrXJv-CP=&_e1vY>?oy_jLWZ{Bsk&3!Wn~wSYDRCEF*f+66_`Kz8D2*dGXmbWQ`MKLlFcfn_a~Z zSiSS5x?kh0nncIxkKmT#6yy%DH&9@;nkBS2Z#%7(Q7CSgY%##dr2TrQ2Bn#xZ=ogU zORLwUBkmY3&g(5nVkLHwv(^t|J0w?(hq0Yk&?LM2`p=-tpMnJ!XNUJ#(r~pUc323pJFPC%w-+lykY z)q}qLHfPlURkj>rZAt3-k7=}R#EQ5LtSjSo$g6HM`92e+4X7Qd)HryzHxLDX*Uw(F zzk$XnUv=!&mm^q|1HmEj-KdNwn#FOfXtFpKQ58+OD*NSYV{%ZFB|nzcXh>@vRwH3i z35(j0EE@h|3_OY`DHyCGc%l`P2mCeh4d7ZBRSRHklX`QLYKs+L7B7w{V`EDAiaD1U zB`!t$$J9^6a6~l6SNnW6-8mM(a#&M!R=x(_$R8Pr)&AE7`CK|@EWbA}D(kE&UzK4O z6FMDI!cZSnLUNe22rx+`ii2|B#Mri)(Th{%01ghFmnU@I6n_{9MPL^dho*0 zoU{Qw2$1X}a4ppMCKJ^LTRQJR0F%SPhy+mjnw;j#cWk;t2}=MPU68|S6wCgA8dQ|t z7<*al#}PpErcG>&aTd&cF{kTHBrG2lV?`pthiU*{lf%toj1^S^R9W&>>2`pQE)Z}j zvT6oLP7X&$jdL^r1+PN&E8)S2&WvHW6y2ssn7EBxKqU`EXGTZhjp&X53>%homw{G4 z0VOU1Q{$F(r=m&A+qiwbz(TBFBaqEk4LrL{p!&(_2s!zxf!aa~wSKcMn6S;& zXf=X0osPg-begN2v2rL{9krtWaM?(p)-)zae|sDUY)W)oE6NY-7NaeME%y=y{o@?uqXNM^o2xMRw#YAr+kK)bI-b0_B1Bg zEL(J=aJq0tTaXfkt8B*uPhHA;BJDYm;2%`irr3&XNqMGZU%F)9H%Q>ziBnmjCL=VY zg@$Zx{oLi*%h{T`x%0E4iuGy|z!ZQBd_;1H8BXMs= zJd_p>Ww(UfAobq4_h#SAdK)s{=hNQjvu6EK8Na{qTf`T**X=O*dJW<#Gi+^|t$l>- z4XzYh`xx0d{;>-cmL!{I)P?@lf+OpQ;(Dm%;x(b@M$dFl%5z|WTJnCj|Gv=u#7>$X zI}lfxq>|p`9ym5R*+0`g|K|KFOC`TPo$BmfIoy-#IQNAwRoJ)6UdpoWWc#%6fpfi! zf`fm2jzWwp(Vgs1_M~cC7OpJ3u{4x&y>y>G@uYx^ZBD+a3UIfdzfjdx&itjE=@Pju zFp)PC-13uPMQENuK0gL6cvotwDeqaeElVrt4R29R=$A_t@!5??LQn;SPEuh$KWdz^ zMw_I7!r6ed5-jdWK;b?n1Tt>ljc{V>dJ#}xdfTY>VY2HT$(l*B8|xr+m&C>$$=U&K z*0u;}oRMgWS#)e8Dh_RnOzuh`9oB4vIe!RN+$;iuw+P`l(5wzN2r?Q7d<>zu%xz0rA|$S9>AwjDgb?BZCI{fnWj@DxisD zI3h)Zvb2o?H3Pp2hN2|888izA#zi$42#cntZS9R!=Nz)%ic99;204or!M9wFt*M3v zlcUFbNk+EnV=$q)_z+}zan4U0?%QvKD&G9|^Fw@eD6582C@5cF7u!RKJ@ zxn<<`cvQqb(#%Nsxc$gj=^9Ea;LZ-%)dwaoiM`G17}IfS+(Y=y4Cq%IOAzfdzx1~tr^dewC6~w z^HSP#X_|lNshau0isvB24^PF^s}G8+GQ|he#RtDZMGT){vV2j7uf50DLL_?NsY>u` z<<&E1Gc_IQnvRw7!>RB0q|18}LY6Pj@bziFewFvG6_+JL^QV^%t`;8!|60(r99XN{ zJEzPl3)DxUBoAJ_plKbPdPRns#dD`1LYa*5iH1RhSr==~yUV<=SBm<_xv;`Wh?T;HJ4`+kE@N>&ut! zv!`JuXo2{_xKhGCD`+gcR}OclI(ojSOt~)Jr~97NlJ$^a4^5r=!eSJNLPRIqP=nfS}QU688HyDOc>+i~mQ8wUOsZ-q^Eftof~Dki*v2 zR#$AV)gcE13*I@{6B{4Z>nkwf3Li1rP)K>lM80DbUQ$&Qu4Ak8i(k?W^F6C{>#hcEtMs8S SX>q>tKHaoliRdb0FaH54GQhI{ literal 0 HcmV?d00001 diff --git a/.github/scripts/generate-positive-expective-results/generate.py b/.github/scripts/generate-positive-expective-results/generate.py new file mode 100644 index 00000000000..cb314e42567 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/generate.py @@ -0,0 +1,65 @@ +import json +from pathlib import Path + +import models + + +ASSETS_QUERIES_DIR = Path(__file__).resolve().parents[3] / "assets" / "queries" +EXCLUDED_DIRS: set[str] = set() + + +def is_query_directory(path: Path) -> bool: + """A directory is a query if it contains metadata.json and either query.rego or regex_rules.json.""" + if not (path / "metadata.json").is_file(): + return False + return (path / "query.rego").is_file() or (path / "regex_rules.json").is_file() + + +def extract_query_id(metadata_path: Path) -> str: + """Read the 'id' field from the query's metadata.json.""" + with open(metadata_path, "r", encoding="utf-8") as f: + metadata = json.load(f) + return metadata["id"] + + +def build_test_list() -> models.TestList: + """Walk assets/queries (excluding 'common') and collect QueryInfo for every query found.""" + test_list = models.TestList() + + for query_dir in sorted(ASSETS_QUERIES_DIR.rglob("*")): + if not query_dir.is_dir(): + continue + + # Skip anything under the 'common' top-level directory + relative = query_dir.relative_to(ASSETS_QUERIES_DIR) + if relative.parts[0] in EXCLUDED_DIRS: + continue + + if not is_query_directory(query_dir): + continue + + query_id = extract_query_id(query_dir / "metadata.json") + + query_info = models.QueryInfo( + test_path=str(query_dir / "test"), + results_file_path=str(query_dir / "results"), + id=query_id, + payload_path=str(query_dir / "payloads"), + results_info=[], + ) + + test_list.queries_list.append(query_info) + + return test_list + + +if __name__ == "__main__": + test_list = build_test_list() + + print(f"Total queries found: {len(test_list.queries_list)}\n") + for qi in test_list.queries_list: + print(f" ID: {qi.id}") + print(f" Test path: {qi.test_path}") + print(f" Results path: {qi.results_file_path}") + print(f" Payload path: {qi.payload_path}") + print() diff --git a/.github/scripts/generate-positive-expective-results/main.py b/.github/scripts/generate-positive-expective-results/main.py new file mode 100644 index 00000000000..30838ee51f5 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/main.py @@ -0,0 +1,21 @@ +from runner import run_all +from write_expected_results import write_positive_expected_results, write_skipped_queries_report + + +def main(): + # 1. Build test list, run scans and populate results_info + test_list = run_all() + + # 2. Write positive_expected_result.json for each query + print(f"\n{'='*60}") + print("Writing positive_expected_result.json files...\n") + write_positive_expected_results(test_list) + + # 3. Write skipped queries report + print(f"\n{'='*60}") + print("Writing skipped queries report...\n") + write_skipped_queries_report(test_list) + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expective-results/models.py b/.github/scripts/generate-positive-expective-results/models.py new file mode 100644 index 00000000000..1e91f410fad --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/models.py @@ -0,0 +1,27 @@ +from dataclasses import dataclass, field + +@dataclass +class ResultInfo: + query_name: str + severity: str + line: str + filename: str + resource_type: str + resource_name: str + search_key: str + search_value: str + expected_value: str + actual_value: str + +@dataclass +class QueryInfo: + test_path: str + results_file_path: str + id: str + payload_path: str + results_info: list[ResultInfo] = field(default_factory=list) + return_code: int | None = None + +@dataclass +class TestList: + queries_list: list[QueryInfo] = field(default_factory=list) diff --git a/.github/scripts/generate-positive-expective-results/runner.py b/.github/scripts/generate-positive-expective-results/runner.py new file mode 100644 index 00000000000..b6c0a2e83b3 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/runner.py @@ -0,0 +1,98 @@ +import json +import subprocess +import sys +from pathlib import Path + +from generate import build_test_list +from models import QueryInfo, ResultInfo, TestList + +KICS_ROOT = Path(__file__).resolve().parents[3] +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") + + +def build_command(query: QueryInfo) -> list[str]: + """Build the go run scan command for a single query.""" + return [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", query.test_path, + "-o", query.results_file_path, + "--output-name", "all_results.json", + "-i", query.id, + "-d", f"{query.payload_path}/all_payloads.json", + "-v", + "--experimental-queries", + ] + + +def parse_results(query: QueryInfo) -> list[ResultInfo]: + """Read all_results.json and extract ResultInfo entries for positive files.""" + results_file = Path(query.results_file_path) / "all_results.json" + if not results_file.is_file(): + return [] + + with open(results_file, "r", encoding="utf-8") as f: + data = json.load(f) + + results: list[ResultInfo] = [] + + for q in data.get("queries", []): + query_name = q.get("query_name", "") + severity = q.get("severity", "") + + for file_entry in q.get("files", []): + filename = Path(file_entry.get("file_name", "")).name + + results.append(ResultInfo( + query_name=query_name, + severity=severity, + line=str(file_entry.get("line", "")), + filename=filename, + resource_type=file_entry.get("resource_type", ""), + resource_name=file_entry.get("resource_name", ""), + search_key=file_entry.get("search_key", ""), + search_value=file_entry.get("search_value", ""), + expected_value=file_entry.get("expected_value", ""), + actual_value=file_entry.get("actual_value", ""), + )) + + return results + + +def run_all() -> TestList: + """Run scans for all queries and return TestList with results_info populated.""" + test_list = build_test_list() + total = len(test_list.queries_list) + failed = [] + + print(f"Running scan for {total} queries...\n") + + for i, query in enumerate(test_list.queries_list, start=1): + cmd = build_command(query) + print(f"[{i}/{total}] Scanning query {query.id}") + print(f" Command: {' '.join(cmd)}\n") + + result = subprocess.run(cmd, cwd=str(KICS_ROOT)) + query.return_code = result.returncode + + if result.returncode != 0: + failed.append(query.id) + print(f" ⚠ Query {query.id} exited with code {result.returncode}\n") + else: + print(f" ✓ Query {query.id} completed successfully\n") + + # Populate results_info from the generated all_results.json + query.results_info = parse_results(query) + + print(f"\n{'='*60}") + print(f"Finished: {total - len(failed)}/{total} succeeded, {len(failed)} failed") + + if failed: + print("\nFailed queries:") + for qid in failed: + print(f" - {qid}") + + return test_list + + +if __name__ == "__main__": + run_all() diff --git a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json new file mode 100644 index 00000000000..4f4fa562adc --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json @@ -0,0 +1,4467 @@ +[ + { + "id": "1819ac03-542b-4026-976b-f37addd59f3b", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 54, + "files_parsed": 4, + "lines_parsed": 54, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:32:46.800174148Z", + "end": "2026-03-09T09:32:47.420617652Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test" + ], + "queries": [] + } + }, + { + "id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 280, + "files_parsed": 4, + "lines_parsed": 280, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:39:19.582140442Z", + "end": "2026-03-09T09:39:19.998238133Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test" + ], + "queries": [] + } + }, + { + "id": "124b173b-e06d-48a6-8acd-f889443d97a4", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 31, + "files_parsed": 3, + "lines_parsed": 31, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:33.621317947Z", + "end": "2026-03-09T09:39:34.057060952Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS Cassandra", + "query_id": "124b173b-e06d-48a6-8acd-f889443d97a4", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance", + "description_id": "bd2db07c", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/cassandra/test/positive1.yaml", + "similarity_id": "cf7a5253ec063fc07a17492a1094d19cb8ee6588a487e1489c94badcd5786d22", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.myNewTable1", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"myNewTable1\",\"resource_type\":\"AWS::Cassandra::Table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/cassandra/test/positive2.yaml", + "similarity_id": "c8f4328271ad118dee81cc8a6ef4e381719cbd0625966224dd3b1c961c3ecd6b", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.myNewTable2", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"myNewTable2\",\"resource_type\":\"AWS::Cassandra::Table\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 6, + "lines_scanned": 189, + "files_parsed": 6, + "lines_parsed": 189, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 5 + }, + "total_counter": 0, + "total_bom_resources": 5, + "start": "2026-03-09T09:39:35.628416208Z", + "end": "2026-03-09T09:39:36.14340248Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS DynamoDB", + "query_id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.", + "description_id": "b0d40495", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive4.yaml", + "similarity_id": "d3e3d7f0f6b1a5c83c8dd49daefd3354b11058b71bb71d40caab6461af7766ed", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DynamoDBOnDemandTable2", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test4\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive2.yaml", + "similarity_id": "dd7b50c6ab79b9db23badd92b800ca8941a9f7f9dee2958b80223e53f48392fb", + "line": 27, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DynamoDBOnDemandTable2", + "search_line": 27, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test2\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive1.yaml", + "similarity_id": "cd564d683868c3440f871016300a0c991a2798823d61328bbd4696ec944a3c21", + "line": 27, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DynamoDBOnDemandTable2", + "search_line": 27, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive5.yaml", + "similarity_id": "20646266ea6e73c87cdfa62ce4d0bc34da4ef8ca82c6196698659f4c10d44171", + "line": 27, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DynamoDBOnDemandTable2", + "search_line": 27, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive3.yaml", + "similarity_id": "5908df1c2e0f1eabea2d89ec9efe40f40e6341c7cc0084f2f13cc33661897f98", + "line": 27, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DynamoDBOnDemandTable2", + "search_line": 27, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test3\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "0b0556ea-9cd9-476f-862e-20679dda752b", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 128, + "files_parsed": 8, + "lines_parsed": 128, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 6 + }, + "total_counter": 0, + "total_bom_resources": 6, + "start": "2026-03-09T09:39:37.856769268Z", + "end": "2026-03-09T09:39:38.278517537Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS EBS", + "query_id": "0b0556ea-9cd9-476f-862e-20679dda752b", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).", + "description_id": "6869b929", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive2.json", + "similarity_id": "35dbc5db0a8c9a30ac70ed0d652028b9a0cae32464fd3561cc0f9e2314ada1fe", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive6.json", + "similarity_id": "948b6104f5bde62901e2c7823f1e7656d8cd444d279263b357d33020b44d7762", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive5.yaml", + "similarity_id": "b303390a57eff74d8d91f38594a0bbd59c590fda69f43cf5f0e31c5ce41dd889", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive3.yaml", + "similarity_id": "83658baa6ae1329b12fe5f5afe67d04ae1bf999a8b747f42d275eccd80b56dcd", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive1.yaml", + "similarity_id": "9f9e21fbce603b2a82f565acd4d7d51064f79a4f979ed5f3118217739f537386", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive4.json", + "similarity_id": "06bd775bbdbf876bbdd7f312907caa7a89a84bf295b851cd554e31ceff3f6881", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.NewVolume", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "ef05a925-8568-4054-8ff1-f5ba82631c16", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 6, + "lines_scanned": 141, + "files_parsed": 6, + "lines_parsed": 141, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 4 + }, + "total_counter": 0, + "total_bom_resources": 4, + "start": "2026-03-09T09:39:39.633334188Z", + "end": "2026-03-09T09:39:39.95586813Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS EFS", + "query_id": "ef05a925-8568-4054-8ff1-f5ba82631c16", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.", + "description_id": "f6d4e4b8", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive1.yaml", + "similarity_id": "15f1867317e27cb1d592c3004de6a519396c9cc38b18c5aefe95c97353b7f6d0", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.FileSystemResource", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive3.yaml", + "similarity_id": "08902adb0230f388141eea24c1490a30ad5ffb029bbfc2af4a9ed5acf5079ab5", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.FileSystemResource", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive2.json", + "similarity_id": "eec590ffb1d8a01adb3312249a32b804fceac800ddfba132599977e415e543e4", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.FileSystemResource", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive4.json", + "similarity_id": "f22820832038022e83ccb7e551dfbe556a5e4fee9ac50f127b95cae13c03a566", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.FileSystemResource", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "c689f51b-9203-43b3-9d8b-caed123f706c", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 5, + "lines_scanned": 101, + "files_parsed": 5, + "lines_parsed": 101, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 3 + }, + "total_counter": 0, + "total_bom_resources": 3, + "start": "2026-03-09T09:39:41.152428023Z", + "end": "2026-03-09T09:39:41.566123528Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS Elasticache", + "query_id": "c689f51b-9203-43b3-9d8b-caed123f706c", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.", + "description_id": "deea2b5c", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive2.json", + "similarity_id": "9a857b97727630406960519cb8fcd30e370d5bc6f24a9ceede66d8b200a28b56", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.ElasticacheCluster", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive1.yaml", + "similarity_id": "0951669f6e87b1ca8a164c4c71fb3ff4a1921745ad6c426f3456958c93bdb4b6", + "line": 2, + "issue_type": "BillOfMaterials", + "search_key": "Resources.ElasticacheCluster", + "search_line": 2, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive3.yaml", + "similarity_id": "8564117e4ff4464bd3b9b59fd2ead8070591acbcdf04e804cc3238968cce4cd3", + "line": 2, + "issue_type": "BillOfMaterials", + "search_key": "Resources.ElasticacheCluster", + "search_line": 2, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "d53323be-dde6-4457-9a43-42df737e71d2", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 48, + "files_parsed": 4, + "lines_parsed": 48, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:42.915771229Z", + "end": "2026-03-09T09:39:43.668867078Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS Kinesis", + "query_id": "d53323be-dde6-4457-9a43-42df737e71d2", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time", + "description_id": "4b8f3b90", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/kinesis/test/positive1.yaml", + "similarity_id": "a510b0c07f025705029a3f761b89b73d66246f2be5914c5b94d21d7fcffae3f6", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.MyStream", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyKinesisStream1\",\"resource_type\":\"AWS::Kinesis::Stream\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/kinesis/test/positive2.json", + "similarity_id": "9678dcd7f0118bae0b4a369ecb1d95ce6da485bb261fed7c1fcfd524c8882910", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.MyStream2", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"MyKinesisStream2\",\"resource_type\":\"AWS::Kinesis::Stream\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "209189f3-c879-48a7-9703-fbcfa96d0cef", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 5, + "lines_scanned": 104, + "files_parsed": 5, + "lines_parsed": 104, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 3 + }, + "total_counter": 0, + "total_bom_resources": 3, + "start": "2026-03-09T09:39:45.263899826Z", + "end": "2026-03-09T09:39:45.651336799Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS MQ", + "query_id": "209189f3-c879-48a7-9703-fbcfa96d0cef", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.", + "description_id": "93a9e162", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive2.json", + "similarity_id": "f953fb95af7da6488a8bcd76d56044700c9bd942df83b1ed0881eb9437cfe507", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.BasicBroker2", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive3.yaml", + "similarity_id": "86d1a91df9e5c5e298df8ef319e60b3b6b8028959b23a090e3c7981451e3544a", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.BasicBroker", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive1.yaml", + "similarity_id": "087f6e3fe1bf6c289cf195331f3de394a07caa7fd41b2c144b3cfa83d3972cf2", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.BasicBroker", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "2730c169-51d7-4ae7-99b5-584379eff1bb", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 126, + "files_parsed": 4, + "lines_parsed": 126, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:46.903221305Z", + "end": "2026-03-09T09:39:47.223442445Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS MSK", + "query_id": "2730c169-51d7-4ae7-99b5-584379eff1bb", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.", + "description_id": "7413f967", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/msk/test/positive2.json", + "similarity_id": "2f8974366a0bd8435b2f2d2fd972d85900a9a92ee5b50f8ff59c4ce1b6e6558d", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.TestCluster3", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"ClusterWithAllProperties\",\"resource_type\":\"AWS::MSK::Cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/msk/test/positive1.yaml", + "similarity_id": "65e20ebdc816a38212a1a278e0af6a47bf5bc874d1fee76c8d9fd453d8ebd1ec", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.TestCluster", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"ClusterWithAllProperties\",\"resource_type\":\"AWS::MSK::Cluster\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 276, + "files_parsed": 8, + "lines_parsed": 276, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 9 + }, + "total_counter": 0, + "total_bom_resources": 9, + "start": "2026-03-09T09:39:48.523869356Z", + "end": "2026-03-09T09:39:48.887913661Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS RDS", + "query_id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.", + "description_id": "77215b57", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive7.yaml", + "similarity_id": "b1d4b85126b2e1ffbcfc01d2815a41dd1516ab57d60f58632239dd5aa624986a", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample5", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample5\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive3.json", + "similarity_id": "41755ce4875227ad626298119043c7bcb4ed3c452b893b8b051e480b62180c3e", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceRefSample3", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceRefSample3\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive2.json", + "similarity_id": "5acc77c55ca85fdc8fdd8417c47da1565e786741a9a3707ebbe2f4cb1a419bfc", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample2", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample2\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive5.yaml", + "similarity_id": "ebc5f4c292f404c8dc54917aa4a26d0bc491a68d8551389aa10966ded9aeee36", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample5", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample5\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive4.yaml", + "similarity_id": "93c5a73659ce8c5ab856fa6bf2e58e5a80b8b9323ee43658c1890f0b44bd9c55", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample4", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample4\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive6.yaml", + "similarity_id": "e72b6cf611ed31aca306e0bbafbd54add9303b4c1e841d1302a9972a387d3913", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample6", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample6\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive1.json", + "similarity_id": "88885662c6157f23d2f26d709d1cee31d686be67c6c95278a809ea7ac1a6ff4b", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample1", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample1\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive3.json", + "similarity_id": "bb3a6a778d62442e0c43eee6b61a368b20129e06b6ba0d6d1f264f0e5a2aa6a6", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceSample3", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample3\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive2.json", + "similarity_id": "7fc5daf0204755894d5b3fbb5e06ea86fcbe622acea2a10d756dd69e9f8c299e", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "Resources.DBInstanceRefSample2", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceRefSample2\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 91, + "files_parsed": 4, + "lines_parsed": 91, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:50.286676834Z", + "end": "2026-03-09T09:39:50.62670615Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS S3 Buckets", + "query_id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.", + "description_id": "a46851fb", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive1.yaml", + "similarity_id": "83b05c898afe18c5d86fdc17d01687a9018c5245083b668e2ce3ff5ae7216dec", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.MyBucket", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"BucketOwnerFullControl\",\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"jenkins-artifacts\",\"resource_type\":\"AWS::S3::Bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive2.json", + "similarity_id": "f39d35e153d84d94dc27ca59ec732bd3a8450a9d87c8aef49acf5e670c8add2f", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.JenkinsArtifacts03", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"BucketOwnerFullControl\",\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"jenkins-artifacts\",\"resource_type\":\"AWS::S3::Bucket\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "42e7dca3-8cce-4325-8df0-108888259136", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 67, + "files_parsed": 4, + "lines_parsed": 67, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:52.027735449Z", + "end": "2026-03-09T09:39:52.393462787Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS SNS", + "query_id": "42e7dca3-8cce-4325-8df0-108888259136", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.", + "description_id": "3cd7a815", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/sns/test/positive2.json", + "similarity_id": "59cfb12ee6a5d78a93dfa26e43507b9061ff2afc2184995d0a0fb557aa5b0cdf", + "line": 5, + "issue_type": "BillOfMaterials", + "search_key": "Resources.SnsTopic", + "search_line": 5, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"alarm-action\",\"resource_type\":\"AWS::SNS::Topic\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/sns/test/positive1.yaml", + "similarity_id": "3fbfe5c8466f3dc9a882014bdcb855a004187784fd714fafbfa0208ead65cecd", + "line": 4, + "issue_type": "BillOfMaterials", + "search_key": "Resources.SnsTopic", + "search_line": 4, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"alarm-action\",\"resource_type\":\"AWS::SNS::Topic\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "59a849c2-1127-4023-85a5-ef906dcd458c", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 56, + "files_parsed": 4, + "lines_parsed": 56, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:39:53.699817733Z", + "end": "2026-03-09T09:39:54.022150513Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS SQS", + "query_id": "59a849c2-1127-4023-85a5-ef906dcd458c", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "CloudFormation", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.", + "description_id": "c57e306b", + "files": [ + { + "file_name": "assets/queries/cloudFormation/aws_bom/sqs/test/positive2.json", + "similarity_id": "149b9a5e9a4b7ebd26cdd1cafe08cdb343a3b5cd46e6581a0e5c4f68b4b134fc", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "Resources.MyQueue", + "search_line": 3, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"SampleQueue\",\"resource_type\":\"AWS::SQS::Queue\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/cloudFormation/aws_bom/sqs/test/positive1.yaml", + "similarity_id": "5532a7f3ccb0bdbc1d4dcb9c90830482fb8eeab451661eca80e4a0221df51b97", + "line": 2, + "issue_type": "BillOfMaterials", + "search_key": "Resources.MyQueue", + "search_line": 2, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"SampleQueue\",\"resource_type\":\"AWS::SQS::Queue\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", + "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test", + "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 58, + "files_parsed": 2, + "lines_parsed": 58, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 5 + }, + "total_counter": 0, + "total_bom_resources": 5, + "start": "2026-03-09T09:43:58.843023518Z", + "end": "2026-03-09T09:43:59.167793482Z", + "paths": [ + "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP PD", + "query_id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "GoogleDeploymentManager", + "cwe": "200", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.", + "description_id": "3db91dc6", + "files": [ + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", + "similarity_id": "09202abab426ee50aedb7ac84453dd1afcf043686fc4f12ff8bc98aa957ddaf4", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{disk-1-data}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-1-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", + "similarity_id": "2d3bebd769cfb6587648738fb830f2a44abddd69bd5de993032409cd882beccd", + "line": 11, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{disk-2-data}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-2-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", + "similarity_id": "d7ebe593bcea4e7af520b4092449620f7957ebfbf656efdd6cb9ca11343ee985", + "line": 19, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{disk-3-data}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-3-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", + "similarity_id": "e853a12d7676044042c98b987904a749c33f75770c2992d35713681f939e4a42", + "line": 24, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{disk-4-data}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-4-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", + "similarity_id": "f2a17cd07cdb9153b7c4e2c22b76a00085b0df14ba8e90831e757d46e640a47f", + "line": 31, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{disk-5-data}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-5-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", + "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test", + "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 30, + "files_parsed": 2, + "lines_parsed": 30, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T09:44:00.320717162Z", + "end": "2026-03-09T09:44:00.610455878Z", + "paths": [ + "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP PST", + "query_id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "GoogleDeploymentManager", + "cwe": "200", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.", + "description_id": "e96debd4", + "files": [ + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive.yaml", + "similarity_id": "f2126d2a0aa3e7620efb6359cc3e8c4887f1f93d89abefe267ec45922869f308", + "line": 3, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{topic-1}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"topic-1\",\"resource_type\":\"pubsub.v1.topic\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive.yaml", + "similarity_id": "3f3749ec8f9648b223ccdf33c627e8d638cdc46116438403fd3fbdab7e56037e", + "line": 8, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{topic-2}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"topic-2\",\"resource_type\":\"pubsub.v1.topic\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", + "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test", + "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 79, + "files_parsed": 2, + "lines_parsed": 79, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 5 + }, + "total_counter": 0, + "total_bom_resources": 5, + "start": "2026-03-09T09:44:01.727235408Z", + "end": "2026-03-09T09:44:02.045571848Z", + "paths": [ + "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP SB", + "query_id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "GoogleDeploymentManager", + "cwe": "200", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.", + "description_id": "7f40edaa", + "files": [ + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", + "similarity_id": "058098daca1fa02dd63bfc2aeabcdbdbc58fb81d4a71ceceafe12d5be87d8acd", + "line": 12, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{sample-input2}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input2\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", + "similarity_id": "9f29e8fb0bc3dfd0052cb5c96a5e98b10be4325b1fc5877896d7b34750773263", + "line": 20, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{sample-input3}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input3\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", + "similarity_id": "e24ab4f5f3e303af3b41bc9191a0d8fef924efb85486a27cb67188d38ef2e29f", + "line": 33, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{sample-input4}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input4\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", + "similarity_id": "84b1c1ed7834d4382b8ce6087a593b4d080a50384dace3ae6320c64a722f8e6c", + "line": 44, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{sample-input5}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input5\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", + "similarity_id": "3343669c4a0731690f024b31cea7796118f04f91421cdb2fc409ef437065fe2f", + "line": 2, + "issue_type": "BillOfMaterials", + "search_key": "resources.name={{sample-input}}", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"sample-input\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "b9c83569-459b-4110-8f79-6305aa33cb37", + "test_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", + "results_file_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 70, + "files_parsed": 3, + "lines_parsed": 66, + "lines_ignored": 4, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:47:43.950731293Z", + "end": "2026-03-09T09:47:44.278806776Z", + "paths": [ + "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" + ], + "queries": [] + } + }, + { + "id": "fb889ae9-2d16-40b5-b41f-9da716c5abc1", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 184, + "files_parsed": 4, + "lines_parsed": 184, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:48:18.659706645Z", + "end": "2026-03-09T09:48:19.028935138Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test" + ], + "queries": [] + } + }, + { + "id": "2596545e-1757-4ff7-a15a-8a9a180a42f3", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 190, + "files_parsed": 4, + "lines_parsed": 190, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:48:48.581640914Z", + "end": "2026-03-09T09:48:48.965880154Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "bccfa089-89e4-47e0-a0e5-185fe6902220", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 206, + "files_parsed": 4, + "lines_parsed": 206, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:48:53.966179229Z", + "end": "2026-03-09T09:48:54.398177483Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "0220e1c5-65d1-49dd-b7c2-cef6d6cb5283", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 206, + "files_parsed": 4, + "lines_parsed": 206, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:48:56.107844112Z", + "end": "2026-03-09T09:48:56.529061505Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "ba066cda-e808-450d-92b6-f29109754d45", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 140, + "files_parsed": 4, + "lines_parsed": 140, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:49:29.41444685Z", + "end": "2026-03-09T09:49:29.789228108Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "bac56e3c-1f71-4a74-8ae6-2fba07efcddb", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 290, + "files_parsed": 4, + "lines_parsed": 290, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:49:52.377154779Z", + "end": "2026-03-09T09:49:52.714125831Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test" + ], + "queries": [] + } + }, + { + "id": "2d6646f4-2946-420f-8c14-3232d49ae0cb", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 494, + "files_parsed": 8, + "lines_parsed": 494, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:49:57.049539025Z", + "end": "2026-03-09T09:49:57.404325431Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "f29904c8-6041-4bca-b043-dfa0546b8079", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 130, + "files_parsed": 4, + "lines_parsed": 130, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:10.339535674Z", + "end": "2026-03-09T09:50:10.769235875Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test" + ], + "queries": [] + } + }, + { + "id": "6a2c219f-da5e-4745-941e-5ea8cde23356", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 184, + "files_parsed": 4, + "lines_parsed": 184, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:12.167057495Z", + "end": "2026-03-09T09:50:12.566896545Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test" + ], + "queries": [] + } + }, + { + "id": "376c9390-7e9e-4cb8-a067-fd31c05451fd", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 191, + "files_parsed": 4, + "lines_parsed": 191, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:13.894986842Z", + "end": "2026-03-09T09:50:14.272081539Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test" + ], + "queries": [] + } + }, + { + "id": "801f0c6a-a834-4467-89c6-ddecffb46b5a", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 174, + "files_parsed": 4, + "lines_parsed": 174, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:15.570461479Z", + "end": "2026-03-09T09:50:15.959039448Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test" + ], + "queries": [] + } + }, + { + "id": "2e275f16-b627-4d3f-ae73-a6153a23ae8f", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 126, + "files_parsed": 4, + "lines_parsed": 126, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:17.186218682Z", + "end": "2026-03-09T09:50:17.565655992Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test" + ], + "queries": [] + } + }, + { + "id": "ca02f4e8-d3ae-4832-b7db-bb037516d9e7", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 164, + "files_parsed": 4, + "lines_parsed": 164, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:18.854609137Z", + "end": "2026-03-09T09:50:19.251965247Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test" + ], + "queries": [] + } + }, + { + "id": "7a01dfbd-da62-4165-aed7-71349ad42ab4", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 168, + "files_parsed": 4, + "lines_parsed": 168, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:20.605560504Z", + "end": "2026-03-09T09:50:20.961653336Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test" + ], + "queries": [] + } + }, + { + "id": "015eac96-6313-43c0-84e5-81b1374fa637", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 117, + "files_parsed": 4, + "lines_parsed": 117, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:22.188100468Z", + "end": "2026-03-09T09:50:22.587987606Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test" + ], + "queries": [] + } + }, + { + "id": "b9db8a10-020c-49ca-88c6-780e5fdb4328", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 406, + "files_parsed": 8, + "lines_parsed": 406, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:23.874918823Z", + "end": "2026-03-09T09:50:24.272886894Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "d40f27e6-15fb-4b56-90f8-fc0ff0291c51", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 225, + "files_parsed": 4, + "lines_parsed": 225, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:37.18262663Z", + "end": "2026-03-09T09:50:37.596920722Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "0f6cd0ab-c366-4595-84fc-fbd8b9901e4d", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 204, + "files_parsed": 4, + "lines_parsed": 204, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:53.114728703Z", + "end": "2026-03-09T09:50:53.454107435Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "b3871dd8-9333-4d6c-bd52-67eb898b71ab", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 159, + "files_parsed": 4, + "lines_parsed": 159, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:56.14232327Z", + "end": "2026-03-09T09:50:56.464437526Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "4cac7ace-b0fb-477d-830d-65395d9109d9", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 503, + "files_parsed": 8, + "lines_parsed": 503, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:50:57.630693004Z", + "end": "2026-03-09T09:50:57.971033018Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test" + ], + "queries": [] + } + }, + { + "id": "9d967a2b-9d64-41a6-abea-dfc4960299bd", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 12, + "lines_scanned": 584, + "files_parsed": 12, + "lines_parsed": 584, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:52:00.280453072Z", + "end": "2026-03-09T09:52:00.626235794Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test" + ], + "queries": [] + } + }, + { + "id": "e2ffa504-d22a-4c94-b6c5-f661849d2db7", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 12, + "lines_scanned": 626, + "files_parsed": 12, + "lines_parsed": 626, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:52:02.137167343Z", + "end": "2026-03-09T09:52:02.629391769Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/test" + ], + "queries": [] + } + }, + { + "id": "96beb800-566f-49a9-a0ea-dbdf4bc80429", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 272, + "files_parsed": 8, + "lines_parsed": 272, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:52:04.430604886Z", + "end": "2026-03-09T09:52:04.844519019Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test" + ], + "queries": [] + } + }, + { + "id": "1a1aea94-745b-40a7-b860-0702ea6ee636", + "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test", + "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 484, + "files_parsed": 8, + "lines_parsed": 484, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T09:52:56.653566424Z", + "end": "2026-03-09T09:52:56.994313752Z", + "paths": [ + "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test" + ], + "queries": [] + } + }, + { + "id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 5, + "lines_scanned": 261, + "files_parsed": 5, + "lines_parsed": 261, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 4 + }, + "total_counter": 0, + "total_bom_resources": 4, + "start": "2026-03-09T10:07:18.92729647Z", + "end": "2026-03-09T10:07:19.556905796Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS DynamoDB", + "query_id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.", + "description_id": "c9007e7c", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive1.tf", + "similarity_id": "a688628f8f494ab21c1fe105db84b9a5caa859c8f9e8e359ccf3a7c46d64aabb", + "line": 21, + "issue_type": "BillOfMaterials", + "search_key": "aws_dynamodb_table[basic-dynamodb-table]", + "search_line": 21, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive4.tf", + "similarity_id": "babb019e4356747925dcc712c2a5940d396c97ece2671dfa6285bbd2f6a0f435", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_dynamodb_table[example3-table]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores3\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive2.tf", + "similarity_id": "a28cf9c3a6cb0794fa3e3a0a805d4944f7dbb3efeade8620fc09c93ea4ae92b4", + "line": 21, + "issue_type": "BillOfMaterials", + "search_key": "aws_dynamodb_table[example2-table]", + "search_line": 21, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores2\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive3.tf", + "similarity_id": "ad2f2a12485e108e26277af0268a7c3b9114edbb6cdf356c0aadedf859b5521c", + "line": 21, + "issue_type": "BillOfMaterials", + "search_key": "aws_dynamodb_table[example3-table]", + "search_line": 21, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores3\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "86571149-eef3-4280-a645-01e60df854b0", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 37, + "files_parsed": 3, + "lines_parsed": 37, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:07:22.024620118Z", + "end": "2026-03-09T10:07:22.599658585Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS EBS", + "query_id": "86571149-eef3-4280-a645-01e60df854b0", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).", + "description_id": "fd141699", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/ebs/test/positive1.tf", + "similarity_id": "4d8f36af2e84d7cb28b112c8e8d635f04c7947104305cecf6c86a7bbe2c7fe2a", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_ebs_volume[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"HelloWorld\",\"resource_type\":\"aws_ebs_volume\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/ebs/test/positive2.tf", + "similarity_id": "8f256b1e26d47e315b73e4cebe2adbd15c45597b21a0d58695758f242b67ca0c", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_ebs_volume[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"HelloWorld2\",\"resource_type\":\"aws_ebs_volume\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 63, + "files_parsed": 3, + "lines_parsed": 63, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:07:24.791631455Z", + "end": "2026-03-09T10:07:25.908126874Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS EFS", + "query_id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.", + "description_id": "5522243f", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/efs/test/positive1.tf", + "similarity_id": "a5b0f7d6730685996c338e8c7e6f4e49f2a3a72bc1ffcb3fe0624e511bc2ffbc", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_efs_file_system[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyProduct\",\"resource_type\":\"aws_efs_file_system\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/efs/test/positive2.tf", + "similarity_id": "06464310f0d43eb349c3fff2e6587e7437a5684957b470702f7a008343764e2c", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_efs_file_system[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyProduct\",\"resource_type\":\"aws_efs_file_system\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "54229498-850b-4f78-b3a7-218d24ef2c37", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 7, + "lines_scanned": 206, + "files_parsed": 7, + "lines_parsed": 206, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 6 + }, + "total_counter": 0, + "total_bom_resources": 6, + "start": "2026-03-09T10:07:27.774375496Z", + "end": "2026-03-09T10:07:28.344589595Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS Elasticache", + "query_id": "54229498-850b-4f78-b3a7-218d24ef2c37", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.", + "description_id": "34559ecd", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive6.tf", + "similarity_id": "16bfdc91d7f8584245d9da2ba7bf6f274c27b09e6e2e04ce667fe8480f16531c", + "line": 13, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive6]", + "search_line": 13, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive2.tf", + "similarity_id": "5c4b00e3a4a384c86e708ca4b8d7b417d71240bd1ded323b63282352307a7009", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"cluster-example\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive5.tf", + "similarity_id": "fdb7e16c2955a8816dfe4a1b052052de7715a1bcb67d861fb75378e68f7015ab", + "line": 13, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive5]", + "search_line": 13, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive4.tf", + "similarity_id": "275f666c390b50e088e7781ffa4b47cd6e84f143a4b2583efcd65ec06339a97b", + "line": 33, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive4]", + "search_line": 33, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive1.tf", + "similarity_id": "e757a53e34b7bd24f2beea2a6b7084dc6355f55824f13bc8d292b280c41decc7", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"cluster-example\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive3.tf", + "similarity_id": "16c15c14d3784c9762dbdb31769901b5a428a7d48202e3e543e5c08f57efaf0f", + "line": 33, + "issue_type": "BillOfMaterials", + "search_key": "aws_elasticache_cluster[positive3]", + "search_line": 33, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 58, + "files_parsed": 2, + "lines_parsed": 58, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:07:31.176454558Z", + "end": "2026-03-09T10:07:32.10544652Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS Kinesis", + "query_id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time", + "description_id": "45271dee", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/kinesis/test/positive1.tf", + "similarity_id": "9b840abafc0548d657e04f603c5bc1e3b92c5031146a20809c0a24bd2b6ee3b2", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_kinesis_stream[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-kinesis-test\",\"resource_type\":\"aws_kinesis_stream\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/kinesis/test/positive1.tf", + "similarity_id": "1ca83bb6d86b8b32a35729f9e8e2b659439ec246c43ac8f4b3ed27aa45994daf", + "line": 20, + "issue_type": "BillOfMaterials", + "search_key": "aws_kinesis_stream[positive2]", + "search_line": 20, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"terraform-kinesis-test2\",\"resource_type\":\"aws_kinesis_stream\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 70, + "files_parsed": 3, + "lines_parsed": 70, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:07:35.16610123Z", + "end": "2026-03-09T10:07:35.805597952Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS MQ", + "query_id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.", + "description_id": "5f5ba9bc", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/mq/test/positive1.tf", + "similarity_id": "41fc993a63f16f0b851073ffc7b913288f60b17b48a8757a669b9341173703a3", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_mq_broker[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"example\",\"resource_type\":\"aws_mq_broker\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/mq/test/positive2.tf", + "similarity_id": "b0dbc9a8c1bb61a40a0b8e60052d5d5c01c88528f407e6d3fc64e46cc0554076", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_mq_broker[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"RabbitMQ\",\"resource_name\":\"example\",\"resource_type\":\"aws_mq_broker\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 291, + "files_parsed": 3, + "lines_parsed": 291, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:07:37.889778016Z", + "end": "2026-03-09T10:07:38.867648205Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS MSK", + "query_id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.", + "description_id": "cf7ae008", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/msk/test/positive2.tf", + "similarity_id": "495dad700d20b8570ab7994a2340362eb4a0bb54d48dfedeafb74dff5f96f7a5", + "line": 84, + "issue_type": "BillOfMaterials", + "search_key": "aws_msk_cluster[positive2]", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"positive2\",\"resource_type\":\"aws_msk_cluster\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/msk/test/positive1.tf", + "similarity_id": "c7a5a95e075a45104b5ddf644b2ceb054924a3a646f264c3b5db725c12521c2f", + "line": 84, + "issue_type": "BillOfMaterials", + "search_key": "aws_msk_cluster[positive1]", + "search_line": -1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"positive1\",\"resource_type\":\"aws_msk_cluster\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "12933609-c5bf-44b4-9a41-a6467c3b685b", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 62, + "files_parsed": 2, + "lines_parsed": 62, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 3 + }, + "total_counter": 0, + "total_bom_resources": 3, + "start": "2026-03-09T10:07:43.589402709Z", + "end": "2026-03-09T10:07:45.036509119Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS RDS", + "query_id": "12933609-c5bf-44b4-9a41-a6467c3b685b", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.", + "description_id": "b621abbb", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", + "similarity_id": "59a8bd36bdce2661e626e470a6d980349acc274b6d190d784482d6a1e2ecae24", + "line": 23, + "issue_type": "BillOfMaterials", + "search_key": "aws_db_instance[default]", + "search_line": 23, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"mysql\",\"resource_name\":\"default\",\"resource_type\":\"aws_db_instance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", + "similarity_id": "561de55e9a71394f3d7bb2260195e3d13885513366b0a55e0c3b19d4984a3b6b", + "line": 35, + "issue_type": "BillOfMaterials", + "search_key": "aws_db_instance[sample3]", + "search_line": 35, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"mysql\",\"resource_name\":\"sample3\",\"resource_type\":\"aws_db_instance\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", + "similarity_id": "419f26bdd3c83ecb7a5e41a631be94a3d55f515a2553fbb47feb532e0c3dcd22", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_rds_cluster_instance[cluster_instances]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"aurora-mysql\",\"resource_name\":\"cluster_instances\",\"resource_type\":\"aws_rds_cluster_instance\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 11, + "lines_scanned": 459, + "files_parsed": 11, + "lines_parsed": 457, + "lines_ignored": 2, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 10 + }, + "total_counter": 0, + "total_bom_resources": 10, + "start": "2026-03-09T10:07:48.72639731Z", + "end": "2026-03-09T10:07:49.828912812Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS S3 Buckets", + "query_id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.", + "description_id": "0bdf2341", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive6.tf", + "similarity_id": "da2d70344def4ff9dcf4b9e4b452eccff2c365d29ceeed122cdfe53e01682887", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive6]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive2.tf", + "similarity_id": "58fccd4caaf8023d0e3915ffff0b0c341cd991a40881f661bd011a6b9f56e1bc", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive2]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive1.tf", + "similarity_id": "5e57dcb6f4edeab49dd489d0c79219ac6d6912ded0e2a0289be99a4f6b36de65", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive1]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive9.tf", + "similarity_id": "f0989da79c6532b9767c95eb80cb14ce98bfab960143d8d7a1419b4cdfdc5b31", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive9]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive4.tf", + "similarity_id": "3e68de88fcf4ab2fd46318782c143c05141b290abf97330dd7df3bbd893a552a", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive4]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive8.tf", + "similarity_id": "14b334cb9a98d8a42dcc64465a50fab5defb3f6d11292ae1eb7b38c37b02f703", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive8]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"public-read\",\"policy\":{\"Id\":\"MYBUCKETPOLICY\",\"Statement\":[{\"Action\":\"s3:GetObject\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"8.8.8.8/32\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"arn:aws:s3:::my_tf_test_bucket/*\",\"Sid\":\"IPAllow\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive5.tf", + "similarity_id": "0a147aac1b60d48a54fadb1290ea731737959a6f1e44be8b6e81738b7fd4eeac", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive5]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive10.tf", + "similarity_id": "60ee2d022cfddee8056f6af2c3c5914ff535635ecb15b42b3bc7c15268bf29dd", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive10]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive3.tf", + "similarity_id": "3264a6566dc9a3e362e2e590f5ac094dbee9364c92c6f0ea53070e5a9c0a56bb", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive3]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive7.tf", + "similarity_id": "e688b25abb549afda48f834ea47cc6ef1dff6137b06e000a4b63e2cb1a741ea6", + "line": 14, + "issue_type": "BillOfMaterials", + "search_key": "aws_s3_bucket[positive7]", + "search_line": 14, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 6, + "lines_scanned": 121, + "files_parsed": 6, + "lines_parsed": 121, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 5 + }, + "total_counter": 0, + "total_bom_resources": 5, + "start": "2026-03-09T10:07:53.127208138Z", + "end": "2026-03-09T10:07:54.006295081Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS SNS", + "query_id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.", + "description_id": "4c016c6f", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/sns/test/positive1.tf", + "similarity_id": "c562a3a715b0c93a8f04f5f9a723f409debb38a0dfcb78b3afebbc5a566aef0a", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sns_topic[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sns/test/positive5.tf", + "similarity_id": "04cec60e37b1bd2b698c215f6f989aeb451280f6208ee3e1c7492329894b8184", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sns_topic[positive5]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"policy\":{\"Statement\":[{\"Action\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sns_topic.positive5.arn\",\"Sid\":\"AWSConfigSNSPolicy20180202\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"SNS Topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sns/test/positive2.tf", + "similarity_id": "59953404d92d099671ff06905b6c6f7891a124feb22de621276baa4fa3398857", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sns_topic[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sns/test/positive4.tf", + "similarity_id": "2f6a079f820f16fbd192f6f57b369cd844fab0f1fdd83d770e013f7dfde0768f", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sns_topic[positive4]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sns/test/positive3.tf", + "similarity_id": "1a91e56419ed044bc064e54443071d5b1697615fd2fe63f482d7a63e8d0bce42", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sns_topic[positive3]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"policy\":{\"Statement\":[{\"Action\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sns_topic.positive3.arn\",\"Sid\":\"AWSConfigSNSPolicy20180202\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "baecd2da-492a-4d59-b9dc-29540a1398e0", + "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 6, + "lines_scanned": 178, + "files_parsed": 6, + "lines_parsed": 178, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 5 + }, + "total_counter": 0, + "total_bom_resources": 5, + "start": "2026-03-09T10:07:56.573338121Z", + "end": "2026-03-09T10:07:57.477490859Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - AWS SQS", + "query_id": "baecd2da-492a-4d59-b9dc-29540a1398e0", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "AWS", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.", + "description_id": "63fc27c2", + "files": [ + { + "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive5.tf", + "similarity_id": "270592766a30916ef9e37b9b80a9ea23f0051365b60c0200a2474b76cc8ea127", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sqs_queue[positive5]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive3.tf", + "similarity_id": "4c1f945f424abaa50d9666409e0650b91121ace763be1eb79f2dac5e61eb04f5", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sqs_queue[positive3]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive2.tf", + "similarity_id": "f99c8ad7c0318d326af34c293ae571794377a811786a83eb940779729d354f82", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sqs_queue[positive2]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"policy\":{\"Id\":\"sqspolicy\",\"Statement\":[{\"Action\":\"sqs:SendMessage\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sqs_queue.positive2.arn\",\"Sid\":\"First\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive4.tf", + "similarity_id": "84235e750d64b613aee6d9365eea3377b3de78ce4f5e6e2b0c1b3d084a926b91", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sqs_queue[positive4]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"policy\":{\"Id\":\"sqspolicy\",\"Statement\":[{\"Action\":\"sqs:SendMessage\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sqs_queue.positive4.arn\",\"Sid\":\"First\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" + }, + { + "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive1.tf", + "similarity_id": "7562b9d31cf04b34e4e57a5fa16a156e4793e039da59b14f4d8b3db997cb2952", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "aws_sqs_queue[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" + } + ] + } + ] + } + }, + { + "id": "1ec163d0-a9be-4695-89a8-a4028a2cbae7", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:00.918992652Z", + "end": "2026-03-09T10:08:01.796919615Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "99b47957-c575-4555-b8c0-ff92384249b4", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:04.074377978Z", + "end": "2026-03-09T10:08:04.768385499Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "8553d83f-fe77-4c96-8850-a95c5895b336", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:07.700724436Z", + "end": "2026-03-09T10:08:09.202455976Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "1219a37a-9a2c-420d-8b8c-30bdbc3bfeb1", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:11.436451282Z", + "end": "2026-03-09T10:08:12.030759227Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "d0514e4b-9e95-4a7a-9bc5-0adb32514122", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:14.077808707Z", + "end": "2026-03-09T10:08:14.660795198Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "62d120b1-b1e0-40ef-a81d-a4994ac88b3b", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:16.678307786Z", + "end": "2026-03-09T10:08:17.20995775Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "a7b422e3-0b2f-4795-a43a-136dbbd6cbb3", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:19.462236424Z", + "end": "2026-03-09T10:08:20.11967605Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:21.988393802Z", + "end": "2026-03-09T10:08:22.668073796Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "b97a1065-a86b-442f-86c4-f95afd9b3ac6", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:25.238654558Z", + "end": "2026-03-09T10:08:25.789712384Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "8ce5c61f-5cd1-41bc-b7d9-b26b18efd505", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:08:27.65907742Z", + "end": "2026-03-09T10:08:28.249153919Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "609839ae-bd81-4375-9910-5bce72ae7b92", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 103, + "files_parsed": 3, + "lines_parsed": 103, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:11:42.314631827Z", + "end": "2026-03-09T10:11:43.043770936Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test" + ], + "queries": [] + } + }, + { + "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 12, + "lines_scanned": 112, + "files_parsed": 12, + "lines_parsed": 112, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-09T10:17:02.728660527Z", + "end": "2026-03-09T10:17:03.596888318Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test" + ], + "queries": [] + } + }, + { + "id": "895ed0d9-6fec-4567-8614-d7a74b599a53", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 57, + "files_parsed": 2, + "lines_parsed": 56, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:22:54.077886497Z", + "end": "2026-03-09T10:22:54.868465419Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP Dataflow", + "query_id": "895ed0d9-6fec-4567-8614-d7a74b599a53", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.", + "description_id": "5d614ad5", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/dataflow/test/positive.tf", + "similarity_id": "14da088a3d13e2a488e9498cbf078b3123e6b5db1a7f222e39b4c3c1ca189af7", + "line": 17, + "issue_type": "BillOfMaterials", + "search_key": "google_dataflow_job[pubsub_stream2]", + "search_line": 17, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"tf-test-dataflow-job1\",\"resource_type\":\"google_dataflow_job\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/dataflow/test/positive.tf", + "similarity_id": "dc6e5815b35abb3bcfa9818944daad5a16bd4c4145294ba6c5e25ed0e33b8064", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "google_dataflow_job[pubsub_stream]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"tf-test-dataflow-job1\",\"resource_type\":\"google_dataflow_job\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "c9d81239-c818-4869-9917-1570c62b81fd", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 104, + "files_parsed": 2, + "lines_parsed": 103, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 3 + }, + "total_counter": 0, + "total_bom_resources": 3, + "start": "2026-03-09T10:22:57.433586093Z", + "end": "2026-03-09T10:22:58.258149175Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP FI", + "query_id": "c9d81239-c818-4869-9917-1570c62b81fd", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.", + "description_id": "4a45b126", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", + "similarity_id": "8149542ed0c03690d9b70081cf46010e94c3cfc7bff29e6b13a1d8130522e79b", + "line": 32, + "issue_type": "BillOfMaterials", + "search_key": "google_filestore_instance[instance2]", + "search_line": 32, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", + "similarity_id": "cdac01a41238e8694925cf9e27f160be4f5984c7ed3469cded298bb7ef9d6064", + "line": 59, + "issue_type": "BillOfMaterials", + "search_key": "google_filestore_instance[instance3]", + "search_line": 59, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", + "similarity_id": "be804ed120315b359617885b02a37d5dabda144e420a661a3ed53700b77f3a5f", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "google_filestore_instance[instance]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 115, + "files_parsed": 2, + "lines_parsed": 114, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 6 + }, + "total_counter": 0, + "total_bom_resources": 6, + "start": "2026-03-09T10:23:01.158773406Z", + "end": "2026-03-09T10:23:02.223732891Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP PD", + "query_id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.", + "description_id": "4b72e52d", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "f2ddd27a41ebc1dc9c62cb77beb38420bb61b9feae52f5b78b581f63e7cdd7ba", + "line": 44, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[positive4]", + "search_line": 44, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "258753377be972cab9c7375d16f76f577806e4eaf8808c13a2ed8cfbbee0bc6b", + "line": 60, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[negative1]", + "search_line": 60, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "17b6d52800b62d4608cde011613db686f789bf1db53194a16bbe183fe20335d6", + "line": 76, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[negative2]", + "search_line": 76, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "8b1460302c9ff26037fd43ef76ed658ef118c8ec783f237143d10860770d7feb", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[positive1]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "b2f9aff9c6f6e6c9ce6ffedd9779ca0a47d1d1315e44475859dd4860824e055f", + "line": 12, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[positive2]", + "search_line": 12, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", + "similarity_id": "66ea313536579a7a9c7149d8fb5fb2e051cbd4a9f1dd8c05c2e930fc21440fdc", + "line": 28, + "issue_type": "BillOfMaterials", + "search_key": "google_compute_disk[positive3]", + "search_line": 28, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 86, + "files_parsed": 2, + "lines_parsed": 85, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 4 + }, + "total_counter": 0, + "total_bom_resources": 4, + "start": "2026-03-09T10:23:05.503500775Z", + "end": "2026-03-09T10:23:07.855625291Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP PST", + "query_id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.", + "description_id": "aa371a3b", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", + "similarity_id": "cfb6ffe2b4d5d2f434b6455b9831665d6c1334ba9096294683f0e2476ace815a", + "line": 54, + "issue_type": "BillOfMaterials", + "search_key": "google_pubsub_topic[example4]", + "search_line": 54, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", + "similarity_id": "e79d3d9fdabefc5bd1c7c487bbdb5e9bf107fff4da675f8c7865914be4d1454d", + "line": 34, + "issue_type": "BillOfMaterials", + "search_key": "google_pubsub_topic[example1]", + "search_line": 34, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", + "similarity_id": "b7f4814219d6c83e3ba809cc50e49b9bd9d99d1f5e1ff10466454128323f121d", + "line": 39, + "issue_type": "BillOfMaterials", + "search_key": "google_pubsub_topic[example2]", + "search_line": 39, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", + "similarity_id": "8053dc098605ade9e48af7eb35916952bfacfa78d04137695b0fdeb14a004a7a", + "line": 44, + "issue_type": "BillOfMaterials", + "search_key": "google_pubsub_topic[example3]", + "search_line": 44, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "bc75ce52-a60a-4660-b533-bce837a5019b", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 78, + "files_parsed": 2, + "lines_parsed": 77, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 2 + }, + "total_counter": 0, + "total_bom_resources": 2, + "start": "2026-03-09T10:23:12.528455929Z", + "end": "2026-03-09T10:23:13.655799834Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP Redis", + "query_id": "bc75ce52-a60a-4660-b533-bce837a5019b", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.", + "description_id": "1db9d01f", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/redis/test/positive.tf", + "similarity_id": "239e99ca63fd9449ab66f45b2c359d88033076182f41d59e5a8d363ce11b8c87", + "line": 20, + "issue_type": "BillOfMaterials", + "search_key": "google_redis_instance[cache2]", + "search_line": 20, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"private-cache\",\"resource_type\":\"google_redis_instance\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/redis/test/positive.tf", + "similarity_id": "dc6c51484ff06cc85798bc42b423e37c956b1f442f1bac6c91b8549dd0c7b789", + "line": 1, + "issue_type": "BillOfMaterials", + "search_key": "google_redis_instance[cache]", + "search_line": 1, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"memory-cache\",\"resource_type\":\"google_redis_instance\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + }, + { + "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 62, + "files_parsed": 2, + "lines_parsed": 61, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 3 + }, + "total_counter": 0, + "total_bom_resources": 3, + "start": "2026-03-09T10:23:18.741883234Z", + "end": "2026-03-09T10:23:20.452102045Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/test" + ], + "queries": [], + "bill_of_materials": [ + { + "query_name": "BOM - GCP SB", + "query_id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", + "query_url": "https://kics.io", + "severity": "TRACE", + "platform": "Terraform", + "cwe": "532", + "risk_score": "0.0", + "cloud_provider": "GCP", + "category": "Bill Of Materials", + "experimental": false, + "description": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.", + "description_id": "38a18539", + "files": [ + { + "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", + "similarity_id": "79b1b75db372e0a3127efdbe4eaa9e0065b6480b953945f5e90cc00f86689386", + "line": 21, + "issue_type": "BillOfMaterials", + "search_key": "google_storage_bucket[bucket2]", + "search_line": 21, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", + "similarity_id": "334ab83ad1641021d18d4f53ca6986e029e9a3dc4039f59f24c262ee7e73a542", + "line": 35, + "issue_type": "BillOfMaterials", + "search_key": "google_storage_bucket[bucket3]", + "search_line": 35, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" + }, + { + "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", + "similarity_id": "d3532b5fafe273c7489124c321138ff536b5503d6e338c8035a5e544ec582bdc", + "line": 7, + "issue_type": "BillOfMaterials", + "search_key": "google_storage_bucket[bucket]", + "search_line": 7, + "search_value": "", + "expected_value": "", + "actual_value": "", + "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" + } + ] + } + ] + } + } +] \ No newline at end of file diff --git a/.github/scripts/generate-positive-expective-results/test_list_output_personal_computer.json b/.github/scripts/generate-positive-expective-results/test_list_output_personal_computer.json new file mode 100644 index 00000000000..9cebc19c866 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/test_list_output_personal_computer.json @@ -0,0 +1,10864 @@ +{ + "queries_list": [ + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/results", + "id": "f81d63d2-c5d7-43a4-a5b5-66717a41c895", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/results", + "id": "97707503-a22c-4cd7-b7c0-f088fa7cf830", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/results", + "id": "a19b2942-142e-4e2b-93b7-6cf6a6c8d90f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "559439b2-3e9c-4739-ac46-17e3b24ec215", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/results", + "id": "72a931c2-12f5-40d1-93cc-47bff2f7aa2a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/results", + "id": "b16cdb37-ce15-4ab2-8401-d42b05d123fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/results", + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/results", + "id": "f5f38943-664b-4acc-ab11-f292fa10ed0b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/results", + "id": "2059155b-27fd-441e-b616-6966c468561f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/results", + "id": "eee107f9-b3d8-45d3-b9c6-43b5a7263ce1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "050f085f-a8db-4072-9010-2cca235cc02f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/results", + "id": "857f8808-e96a-4ba8-a9b7-f2d4ec6cad94", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/results", + "id": "e28ceb92-d588-4166-aac5-766c8f5b7472", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "defe5b18-978d-4722-9325-4d1975d3699f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/results", + "id": "5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/results", + "id": "b25398a2-0625-4e61-8e4d-a1bb23905bf6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/results", + "id": "5a443297-19d4-4381-9e5b-24faf947ec22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/results", + "id": "d5ec2080-340a-4259-b885-f833c4ea6a31", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/results", + "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "d0c13053-d2c8-44a6-95da-d592996e9e67", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/results", + "id": "22c80725-e390-4055-8d14-a872230f6607", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/results", + "id": "4d8681a2-3d30-4c89-8070-08acd142748e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "f5587077-3f57-4370-9b4e-4eb5b1bac85b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/results", + "id": "d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/results", + "id": "6ad087d7-a509-4b20-b853-9ef6f5ebaa98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "ebb2118a-03bc-4d53-ab43-d8750f5cb8d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "5ba316a9-c466-4ec1-8d5b-bc6107dc9a92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/results", + "id": "e24e18d9-4c2b-4649-b3d0-18c088145e24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/results", + "id": "133fee21-37ef-45df-a563-4d07edc169f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/results", + "id": "af96d737-0818-4162-8c41-40d969bd65d1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/results", + "id": "a1423864-2fbc-4f46-bfe1-fbbf125c71c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "a2fdf451-89dd-451e-af92-bf6c0f4bab96", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/results", + "id": "7674a686-e4b1-4a95-83d4-1fd53c623d84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "af167837-9636-4086-b815-c239186b9dda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/results", + "id": "7dfb316c-a6c2-454d-b8a2-97f147b0c0ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/results", + "id": "ea0ed1c7-9aef-4464-b7c7-94c762da3640", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/results", + "id": "0956aedf-6a7a-478b-ab56-63e2b19923ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "8010e17a-00e9-4635-a692-90d6bcec68bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/results", + "id": "4b6012e7-7176-46e4-8108-e441785eae57", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/results", + "id": "5330b503-3319-44ff-9b1c-00ee873f728a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/results", + "id": "a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/results", + "id": "8d03993b-8384-419b-a681-d1f55149397c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/results", + "id": "8833f180-96f1-46f4-9147-849aafa56029", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/results", + "id": "338b6cab-961d-4998-bb49-e5b6a11c9a5c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/results", + "id": "60bfbb8a-c72f-467f-a6dd-a46b7d612789", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/results", + "id": "fb5a5df7-6d74-4243-ab82-ff779a958bfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/results", + "id": "7db727c1-1720-468e-b80e-06697f71e09e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/results", + "id": "f5c45127-1d28-4b49-a692-0b97da1c3a84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/results", + "id": "560f256b-0b45-4496-bcb5-733681e7d38d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/results", + "id": "01aec7c2-3e4d-4274-ae47-2b8fea22fd1f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/results", + "id": "727c4fd4-d604-4df6-a179-7713d3c85e20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/results", + "id": "bd77554e-f138-40c5-91b2-2a09f878608e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/results", + "id": "b8a9852c-9943-4973-b8d5-77dae9352851", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/results", + "id": "7cc6c791-5f68-4816-a564-b9b699f9d26e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/results", + "id": "5527dcfc-94f9-4bf6-b7d4-1b78850cf41f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/results", + "id": "d6c2d06f-43c1-488a-9ba1-8d75b40fc62d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/results", + "id": "730a5951-2760-407a-b032-dd629b55c23a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/results", + "id": "2034fb37-bc23-4ca0-8d95-2b9f15829ab5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/results", + "id": "c2f15af3-66a0-4176-a56e-e4711e502e5c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/results", + "id": "f34508b9-f574-4330-b42d-88c44cced645", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/results", + "id": "a14ad534-acbe-4a8e-9404-2f7e1045646e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/results", + "id": "7f79f858-fbe8-4186-8a2c-dfd0d958a40f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/results", + "id": "0ed012a4-9199-43d2-b9e4-9bd049a48aa4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/results", + "id": "f509931b-bbb0-443c-bd9b-10e92ecf2193", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/results", + "id": "8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/results", + "id": "eafe4bc3-1042-4f88-b988-1939e64bf060", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/results", + "id": "e401d614-8026-4f4b-9af9-75d1197461ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/results", + "id": "12a7a7ce-39d6-49dd-923d-aeb4564eb66c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/results", + "id": "b5ed026d-a772-4f07-97f9-664ba0b116f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/results", + "id": "babdedcf-d859-43da-9a7b-6d72e661a8fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/results", + "id": "b9ef8c0e-1392-4df4-aa84-2e0f95681c75", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/results", + "id": "61d1a2d0-4db8-405a-913d-5d2ce49dff6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/results", + "id": "f2ea6481-1d31-4d40-946a-520dc6321dd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/results", + "id": "5b9d237a-57d5-4177-be0e-71434b0fef47", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/results", + "id": "265d9725-2fb8-42a2-bc57-3279c5db82d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/results", + "id": "71397b34-1d50-4ee1-97cb-c96c34676f74", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/results", + "id": "3ddf3417-424d-420d-8275-0724dc426520", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/results", + "id": "1d972c56-8ec2-48c1-a578-887adb09c57a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/results", + "id": "66477506-6abb-49ed-803d-3fa174cd5f6a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/results", + "id": "3f2cf811-88fa-4eda-be45-7a191a18aba9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/results", + "id": "ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/results", + "id": "6f5f5444-1422-495f-81ef-24cefd61ed2c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/results", + "id": "5e92d816-2177-4083-85b4-f61b4f7176d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/results", + "id": "71ea648a-d31a-4b5a-a589-5674243f1c33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/results", + "id": "16732649-4ff6-4cd2-8746-e72c13fae4b8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/results", + "id": "c09e3ca5-f08a-4717-9c87-3919c5e6d209", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/results", + "id": "2cb674f6-32f9-40be-97f2-62c0dc38f0d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/results", + "id": "e69890e6-fce5-461d-98ad-cb98318dfc96", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/results", + "id": "9f34885e-c08f-4d13-a7d1-cf190c5bd268", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/results", + "id": "6a647814-def5-4b85-88f5-897c19f509cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/results", + "id": "5c6b727b-1382-4629-8ba9-abd1365e5610", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/results", + "id": "e01de151-a7bd-4db4-b49b-3c4775a5e881", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/results", + "id": "eda7301d-1f3e-47cf-8d4e-976debc64341", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/results", + "id": "e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/results", + "id": "445dce51-7e53-4e50-80ef-7f94f14169e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/results", + "id": "3ab1f27d-52cc-4943-af1d-43c1939e739a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/results", + "id": "a1ef9d2e-4163-40cb-bd92-04f0d602a15d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "75480b31-f349-4b9a-861f-bce19588e674", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/results", + "id": "6fa44721-ef21-41c6-8665-330d59461163", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/results", + "id": "53bce6a8-5492-4b1b-81cf-664385f0c4bf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/results", + "id": "d395a950-12ce-4314-a742-ac5a785ab44e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/results", + "id": "a0f1bfe0-741e-473f-b3b2-13e66f856fab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/results", + "id": "c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/results", + "id": "6a6d7e56-c913-4549-b5c5-5221e624d2ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/results", + "id": "c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "3505094c-f77c-4ba0-95da-f83db712f86c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/results", + "id": "594f54e7-f744-45ab-93e4-c6dbaf6cd571", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/results", + "id": "9232306a-f839-40aa-b3ef-b352001da9a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/results", + "id": "218413a0-c716-4b94-9e08-0bb70d854709", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/results", + "id": "ea6bc7a6-d696-4dcf-a788-17fa03c17c81", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/results", + "id": "57ced4b9-6ba4-487b-8843-b65562b90c77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/results", + "id": "8ed0bfce-f780-46d4-b086-21c3628f09ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/results", + "id": "905f4741-f965-45c1-98db-f7a00a0e5c73", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/results", + "id": "7af1c447-c014-4f05-bd8b-ebe3a15734ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/results", + "id": "ed9b3beb-92cf-44d9-a9d2-171eeba569d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/results", + "id": "d994585f-defb-4b51-b6d2-c70f020ceb10", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/results", + "id": "86b0efa7-4901-4edd-a37a-c034bec6645a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/results", + "id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/results", + "id": "d39761d7-94ab-45b0-ab5e-27c44e381d58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/results", + "id": "17d5ba1d-7667-4729-b1a6-b11fde3db7f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/results", + "id": "32d31f1f-0f83-4721-b7ec-1e6948c60145", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/results", + "id": "722b0f24-5a64-4cca-aa96-cfc26b7e3a5b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/results", + "id": "83c5fa4c-e098-48fc-84ee-0a537287ddd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/results", + "id": "c09f4d3e-27d2-4d46-9453-abbe9687a64e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/results", + "id": "a6d27cf7-61dc-4bde-ae08-3b353b609f76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/results", + "id": "fb8f8929-afeb-4c46-99f0-a6cf410f7df4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/results", + "id": "b176e927-bbe2-44a6-a9c3-041417137e5f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/results", + "id": "29f35127-98e6-43af-8ec1-201b79f99604", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/results", + "id": "d5e83b32-56dd-4247-8c2e-074f43b38a5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/results", + "id": "8c3bedf1-c570-4c3b-b414-d068cd39a00c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/results", + "id": "149fa56c-4404-4f90-9e25-d34b676d5b39", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/results", + "id": "581dae78-307d-45d5-aae4-fe2b0db267a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/results", + "id": "e2d834b7-8b25-4935-af53-4a60668dcbe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/results", + "id": "e8c80448-31d8-4755-85fc-6dbab69c2717", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/results", + "id": "23a4dc83-4959-4d99-8056-8e051a82bc1e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "ca4df748-613a-4fbf-9c76-f02cbd580307", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/results", + "id": "69f72007-502e-457b-bd2d-5012e31ac049", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/results", + "id": "881696a8-68c5-4073-85bc-7c38a3deb854", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/results", + "id": "0461b4fd-21ef-4687-929e-484ee4796785", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/results", + "id": "89f84a1e-75f8-47c5-83b5-bee8e2de4168", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/results", + "id": "2a901825-0f3b-4655-a0fe-e0470e50f8e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/results", + "id": "7ab33ac0-e4a3-418f-a673-50da4e34df21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/results", + "id": "7b47138f-ec0e-47dc-8516-e7728fe3cc17", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/results", + "id": "054d07b5-941b-4c28-8eef-18989dc62323", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/results", + "id": "729ebb15-8060-40f7-9017-cb72676a5487", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/results", + "id": "a9becca7-892a-4af7-b9e1-44bf20a4cd9a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/results", + "id": "35e2f133-a395-40de-a79d-b260d973d1bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/results", + "id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/results", + "id": "0d0c12b9-edce-4510-9065-13f6a758750c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/results", + "id": "0632d0db-9190-450a-8bb3-c283bffea445", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/results", + "id": "5c80db8e-03f5-43a2-b4af-1f3f87018157", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/results", + "id": "da4f2739-174f-4cdd-b9ef-dc3f14b5931f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/results", + "id": "0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/results", + "id": "37fafbea-dedb-4e0d-852e-d16ee0589326", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/results", + "id": "f4e9ff70-0f3b-4c50-a713-26cbe7ec4039", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/results", + "id": "530e8291-2f22-4bab-b7ea-306f1bc2a308", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/results", + "id": "663062e9-473d-4e87-99bc-6f3684b3df40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/results", + "id": "961ce567-a16d-4d7d-9027-f0ec2628a555", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/results", + "id": "2c99a474-2a3c-4c17-8294-53ffa5ed0522", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/results", + "id": "c62746cf-92d5-4649-9acf-7d48d086f2ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/results", + "id": "4d3817db-dd35-4de4-a80d-3867157e7f7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/results", + "id": "1bc398a8-d274-47de-a4c8-6ac867b353de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/results", + "id": "3f23c96c-f9f5-488d-9b17-605b8da5842f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/results", + "id": "1e5f5307-3e01-438d-8da6-985307ed25ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/results", + "id": "2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/results", + "id": "eb8c2560-8bee-4248-9d0d-e80c8641dd91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/results", + "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/results", + "id": "d7dc9350-74bc-485b-8c85-fed22d276c43", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/results", + "id": "c6473dae-8477-4119-88b7-b909b435ce7b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/results", + "id": "404908b6-4954-4611-98f0-e8ceacdabcb1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/results", + "id": "2263b286-2fe9-4747-a0ae-8b4768a2bbd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/results", + "id": "20180133-a0d0-4745-bfe0-94049fbb12a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/results", + "id": "80b15fb1-6207-40f4-a803-6915ae619a03", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/results", + "id": "6d34aff3-fdd2-460c-8190-756a3b4969e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/results", + "id": "9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "086031e1-9d4a-4249-acb3-5bfe4c363db2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "507df964-ad97-4035-ab14-94a82eabdfdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "7814ddda-e758-4a56-8be3-289a81ded929", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/results", + "id": "fbe9b2d0-a2b7-47a1-a534-03775f3013f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/results", + "id": "9df7f78f-ebe3-432e-ac3b-b67189c15518", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/results", + "id": "829f1c60-2bab-44c6-8a21-5cd9d39a2c82", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/results", + "id": "be41f891-96b1-4b9d-b74f-b922a918c778", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/results", + "id": "092bae86-6105-4802-99d2-99cd7e7431f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/results", + "id": "6cf4c3a7-ceb0-4475-8892-3745b84be24a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/results", + "id": "344bf8ab-9308-462b-a6b2-697432e40ba1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/results", + "id": "300a9964-b086-41f7-9378-b6de3ba1c32b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/results", + "id": "d43366c5-80b0-45de-bbe8-2338f4ab0a83", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/results", + "id": "dc126833-125a-40fb-905a-ce5f2afde240", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/results", + "id": "29b8224a-60e9-4011-8ac2-7916a659841f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/results", + "id": "7289eebd-a477-4064-8ad4-3c044bd70b00", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/results", + "id": "3602d273-3290-47b2-80fa-720162b1a8af", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "b28bcd2f-c309-490e-ab7c-35fc4023eb26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/results", + "id": "6a4080ae-79bd-42f6-a924-8f534c1c018b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "d58c6f24-3763-4269-9f5b-86b2569a003b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/results", + "id": "f9b7086b-deb8-4034-9330-d7fd38f1b8de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/results", + "id": "ed672a9f-fbf0-44d8-a47d-779501b0db05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/results", + "id": "11bd3554-cd56-4257-8e25-7aaf30cf8f5f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/results", + "id": "a7b520bb-2509-4fb0-be05-bc38f54c7a4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/results", + "id": "98e04ca0-34f5-4c74-8fec-d2e611ce2790", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/results", + "id": "d6e10477-2e19-4bcd-b8a8-19c65b89ccdf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/results", + "id": "66dae697-507b-4aef-be18-eec5bd707f33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/results", + "id": "89afe3f0-4681-4ce3-89ed-896cebd4277c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/results", + "id": "d7a5616f-0a3f-4d43-bc2b-29d1a183e317", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/results", + "id": "d6fae5b6-ada9-46c0-8b36-3108a2a2f77b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/results", + "id": "28a757fc-3d8f-424a-90c0-4233363b2711", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/results", + "id": "aed98a2a-e680-497a-8886-277cea0f4514", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/results", + "id": "3b30e3d6-c99b-4318-b38f-b99db74578b5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "099b4411-d11e-4537-a0fc-146b19762a79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/results", + "id": "75418eb9-39ec-465f-913c-6f2b6a80dc77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/results", + "id": "c6fc6f29-dc04-46b6-99ba-683c01aff350", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/results", + "id": "18d3a83d-4414-49dc-90ea-f0387b2856cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/results", + "id": "0c82eae2-aca0-401f-93e4-fb37a0f9e5e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/results", + "id": "7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/results", + "id": "b2fbf1df-76dd-4d78-a6c0-e538f4a9b016", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/results", + "id": "19c9e2a0-fc33-4264-bba1-e3682661e8f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/results", + "id": "20dcd953-a8b8-4892-9026-9afa6d05a525", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/results", + "id": "2775e169-e708-42a9-9305-b58aadd2c4dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/results", + "id": "bc20bbc6-0697-4568-9a73-85af1dd97bdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/results", + "id": "2e8d4922-8362-4606-8c14-aa10466a1ce3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/results", + "id": "8d22ae91-6ac1-459f-95be-d37bd373f244", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/results", + "id": "59029ddf-e651-412b-ae7b-ff6d403184bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/results", + "id": "0e75052f-cc02-41b8-ac39-a78017527e95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/results", + "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/results", + "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/results", + "id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/results", + "id": "a8852cc0-fd4b-4fc7-9372-1e43fad0732e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/results", + "id": "25c0228e-4444-459b-a2df-93c7df40b7ed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/results", + "id": "9307a2ed-35c2-413d-94de-a1a0682c2158", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/results", + "id": "c62d3b92-9a11-4ffd-b7b7-6faaae83faed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/results", + "id": "9b09dee1-f09b-4013-91d2-158fa4695f4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/results", + "id": "2583fab1-953b-4fae-bd02-4a136a6c21f9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/results", + "id": "83130a07-235b-4a80-918b-a370e53f0bd9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/results", + "id": "6797f581-0433-4768-ae3e-7ceb2f8b138e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/results", + "id": "350f3955-b5be-436f-afaa-3d2be2fa6cdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "d855ced8-6157-448f-9f1d-f05a41d046f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/results", + "id": "79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/results", + "id": "4d2cf896-c053-4be5-9c95-8b4771112f29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/results", + "id": "7c25f361-7c66-44bf-9b69-022acd5eb4bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/results", + "id": "4d522e7b-f938-4d51-a3b1-974ada528bd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/results", + "id": "90120147-f2e7-4fda-bb21-6fa9109afd63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/results", + "id": "59cb3da7-f206-4ae6-b827-7abf0a9cab9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/results", + "id": "2ade1579-4b2c-4590-bebb-f99bf597f612", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/results", + "id": "3e9fcc67-1f64-405f-b2f9-0a6be17598f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/results", + "id": "a6d774b6-d9ea-4bf4-8433-217bf15d2fb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/results", + "id": "f9112910-c7bb-4864-9f5e-2059ba413bb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/results", + "id": "e69bda39-e1e2-47ca-b9ee-b6531b23aedd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/results", + "id": "bf500309-da53-4dd3-bcf7-95f7974545a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/results", + "id": "8fa9ceea-881f-4ef0-b0b8-728f589699a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/results", + "id": "cff9c3f7-e8f0-455f-9fb4-5f72326da96e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/results", + "id": "89b79fe5-49bd-4d39-84ce-55f5fc6f7764", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/results", + "id": "6a3201a5-1630-494b-b294-3129d06b0eca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/results", + "id": "574e8d82-1db2-4b9c-b526-e320ede9a9ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/results", + "id": "c09cdac2-7670-458a-bf6c-efad6880973a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/results", + "id": "e055285c-bc01-48b4-8aa5-8a54acdd29df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/results", + "id": "2081c7d6-2851-4cce-bda5-cb49d462da42", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/results", + "id": "9073f073-5d60-4b46-b569-0d6baa80ed95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/results", + "id": "1367dd13-2c90-4020-80b7-e4339a3dc2c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/results", + "id": "a0ab985d-660b-41f7-ac81-70957ee8e627", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/results", + "id": "43f6e60c-9cdb-4e77-864d-a66595d26518", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/results", + "id": "e25b56cd-a4d6-498f-ab92-e6296a082097", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/results", + "id": "25684eac-daaa-4c2c-94b4-8d2dbb627909", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/results", + "id": "564b70f8-41cd-4690-aff8-bb53add86bc9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/results", + "id": "b5c851d5-00f1-43dc-a8de-3218fd6f71be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/results", + "id": "e9c133e5-c2dd-4b7b-8fff-40f2de367b56", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/results", + "id": "488847ff-6031-487c-bf42-98fd6ac5c9a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/results", + "id": "92302b47-b0cc-46cb-a28f-5610ecda140b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/results", + "id": "70111098-7f85-48f0-b1b4-e4261cf5f61b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/results", + "id": "a1bc27c6-7115-48d8-bf9d-5a7e836845ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/results", + "id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/results", + "id": "62ff6823-927a-427f-acf9-f1ea2932d616", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/results", + "id": "555ab8f9-2001-455e-a077-f2d0f41e2fb9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/results", + "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/results", + "id": "800fa019-49dd-421b-9042-7331fdd83fa2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/results", + "id": "105ba098-1e34-48cd-b0f2-a8a43a51bf9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/results", + "id": "275a3217-ca37-40c1-a6cf-bb57d245ab32", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/results", + "id": "3c3b7a58-b018-4d07-9444-d9ee7156e111", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "5864fb39-d719-4182-80e2-89dbe627be63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/results", + "id": "316278b3-87ac-444c-8f8f-a733a28da60f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/results", + "id": "73980e43-f399-4fcc-a373-658228f7adf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/results", + "id": "71493c8b-3014-404c-9802-078b74496fb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/results", + "id": "03b38885-8f4e-480c-a0e4-12c1affd15db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/results", + "id": "dfb56e5d-ee68-446e-b32a-657b62befe69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/results", + "id": "80d45af4-4920-4236-a56e-b7ef419d1941", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/results", + "id": "52790cad-d60d-41d5-8483-146f9f21208d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/results", + "id": "37cca703-b74c-48ba-ac81-595b53398e9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/results", + "id": "06ec63e3-9f72-4fe2-a218-2eb9200b8db5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/results", + "id": "783860a3-6dca-4c8b-81d0-7b62769ccbca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "4a8daf95-709d-4a36-9132-d3e19878fa34", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/results", + "id": "3641d5b4-d339-4bc2-bfb9-208fe8d3477f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/results", + "id": "7f8f1b60-43df-4c28-aa21-fb836dbd8071", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/results", + "id": "d6653eee-2d4d-4e6a-976f-6794a497999a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/results", + "id": "1056dfbb-5802-4762-bf2b-8b9b9684b1b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/results", + "id": "7fd0d461-5b8c-4815-898c-f2b4b117eb28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/results", + "id": "8275fab0-68ec-4705-bbf4-86975edb170e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/results", + "id": "ed4c48b8-eccc-4881-95c1-09fdae23db25", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/results", + "id": "fcbf9019-566c-4832-a65c-af00d8137d2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/results", + "id": "4ab10c48-bedb-4deb-8f3b-ff12783b61de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "ad21e616-5026-4b9d-990d-5b007bfe679c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/results", + "id": "f0104061-8bfc-4b45-8a7d-630eb502f281", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "76ddf32c-85b1-4808-8935-7eef8030ab36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/results", + "id": "40078463-6806-4bc0-b86e-7f121df601c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/results", + "id": "e4f54ff4-d352-40e8-a096-5141073c37a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/results", + "id": "9ecb6b21-18bc-4aa7-bd07-db20f1c746db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/results", + "id": "de77cd9f-0e8b-46cc-b4a4-b6b436838642", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/results", + "id": "31733ee2-fef0-4e87-9778-65da22a8ecf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "dc17ee4b-ddf2-4e23-96e8-7a36abad1303", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/results", + "id": "0f139403-303f-467c-96bd-e717e6cfd62d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/results", + "id": "2a3560fe-52ca-4443-b34f-bf0ed5eb74c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/results", + "id": "5c0b06d5-b7a4-484c-aeb0-75a836269ff0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/results", + "id": "058ac855-989f-4378-ba4d-52d004020da7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "65d07da5-9af5-44df-8983-52d2e6f24c44", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "3e09413f-471e-40f3-8626-990c79ae63f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/results", + "id": "0f0fb06b-0f2f-4374-8588-f2c7c348c7a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/results", + "id": "5d3c1807-acb3-4bb0-be4e-0440230feeaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/results", + "id": "2844c749-bd78-4cd1-90e8-b179df827602", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/results", + "id": "1c07bfaf-663c-4f6f-b22b-8e2d481e4df5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/results", + "id": "ffee2785-c347-451e-89f3-11aeb08e5c84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/results", + "id": "d7467bb6-3ed1-4c82-8095-5e7a818d0aad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/results", + "id": "74a18d1a-cf02-4a31-8791-ed0967ad7fdc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/results", + "id": "1b6322d9-c755-4f8c-b804-32c19250f2d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/results", + "id": "a5366a50-932f-4085-896b-41402714a388", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/results", + "id": "e5849a68-bdbe-4b70-97c6-6901f39f8094", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/results", + "id": "0104165b-02d5-426f-abc9-91fb48189899", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/results", + "id": "9564406d-e761-4e61-b8d7-5926e3ab8e79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/results", + "id": "e52395b4-250b-4c60-81d5-2e58c1d37abc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "ea33fcf7-394b-4d11-a228-985c5d08f205", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/results", + "id": "06b9f52a-8cd5-459b-bdc6-21a22521e1be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/results", + "id": "6685d912-d81f-4cfa-95ad-e316ea31c989", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/results", + "id": "f988a17f-1139-46a3-8928-f27eafd8b024", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/results", + "id": "5f700072-b7ce-4e84-b3f3-497bf1c24a4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/results", + "id": "39423ce4-9011-46cd-b6b1-009edcd9385d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/results", + "id": "1bf3b3d4-f373-4d7c-afbb-7d85948a67a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/results", + "id": "4bd21e68-38c1-4d58-acdc-6a14b203237f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": "0f04217d-488f-4e7a-bec8-f16159686cd6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/results", + "id": "c8dee387-a2e6-4a73-a942-183c975549ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/results", + "id": "c333e906-8d8b-4275-b999-78b6318f8dc6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/results", + "id": "80b7ac3f-d2b7-4577-9b10-df7913497162", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/results", + "id": "1819ac03-542b-4026-976b-f37addd59f3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/results", + "id": "b7063015-6c31-4658-a8e7-14f98f37fd42", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/results", + "id": "f914357d-8386-4d56-9ba6-456e5723f9a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/results", + "id": "0264093f-6791-4475-af34-4b8102dcbcd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/results", + "id": "b3de4e4c-14be-4159-b99d-9ad194365e4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/results", + "id": "08b81bb3-0985-4023-8602-b606ad81d279", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/results", + "id": "e42a3ef0-5325-4667-84bf-075ba1c9d58e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/results", + "id": "045ddb54-cfc5-4abb-9e05-e427b2bc96fe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/results", + "id": "2623d682-dccb-44cd-99d0-54d9fd62f8f2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/results", + "id": "77b6f1e2-bde4-4a6a-ae7e-a40659ff1576", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/results", + "id": "8dd0ff1f-0da4-48df-9bb3-7f338ae36a40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/results", + "id": "03879981-efa2-47a0-a818-c843e1441b88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/results", + "id": "c44c95fc-ae92-4bb8-bdf8-bb9bc412004a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/results", + "id": "494b03d3-bf40-4464-8524-7c56ad0700ed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/results", + "id": "33f41d31-86b1-46a4-81f7-9c9a671f59ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/results", + "id": "75be209d-1948-41f6-a8c8-e22dd0121134", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/results", + "id": "77a92b0e-b578-4a2e-bb0d-3c53ec4cfb7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/results", + "id": "ab759fde-e1e8-4b0e-ad73-ba856e490ed8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/results", + "id": "6c131358-c54d-419b-9dd6-1f7dd41d180c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/results", + "id": "fb2b0ecf-1492-491a-a70d-ba1df579175d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/results", + "id": "01986452-bdd8-4aaa-b5df-d6bf61d616ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/results", + "id": "79d745f0-d5f3-46db-9504-bef73e9fd528", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/results", + "id": "c0c26068-fdf0-40e5-9b3b-fc8a5f585d2e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/results", + "id": "d24389b4-b209-4ff0-8345-dc7a4569dcdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/results", + "id": "f4c9b5f5-68b8-491f-9e48-4f96644a1d51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/results", + "id": "027a4b7a-8a59-4938-a04f-ed532512cf45", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/results", + "id": "2ff8e83c-90e1-4d68-a300-6d652112e622", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/results", + "id": "c1282e03-b285-4637-aee7-eefe3a7bb658", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/results", + "id": "6d087495-2a42-4735-abf7-02ef5660a7e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/results", + "id": "08e39832-5e42-4304-98a0-aa5b43393162", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/results", + "id": "8e5ef52b-e673-4c3f-9b2e-99cdd0139059", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/results", + "id": "73d59e76-a12c-4b74-a3d8-d3e1e19c25b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/results", + "id": "cfdef2e5-1fe4-4ef4-bea8-c56e08963150", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/results", + "id": "323db967-c68e-44e6-916c-a777f95af34b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/results", + "id": "e4ee3903-9225-4b6a-bdfb-e62dbadef821", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/results", + "id": "3b02569b-fc6f-4153-b3a3-ba91022fed68", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/results", + "id": "ba766c53-fe71-4bbb-be35-b6803f2ef13e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/results", + "id": "d926aa95-0a04-4abc-b20c-acf54afe38a1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/results", + "id": "43ed6fe0-edb6-43c2-97be-6501cf563d53", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/results", + "id": "86a248ab-0e01-4564-a82a-878303e253bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/results", + "id": "4cdc88e6-c0c8-4081-a639-bb3a557cbedf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/results", + "id": "c420748a-bd4a-46c8-9541-93dd1e0ccf38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/results", + "id": "f3a2dfb1-c8ff-47d1-a08a-aa329613a73c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/results", + "id": "5c666ed9-b586-49ab-9873-c495a833b705", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/results", + "id": "086ea2eb-14a6-4fd4-914b-38e0bc8703e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/results", + "id": "ee12ad32-2863-4c0f-b13f-28272d115028", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/results", + "id": "78055456-f670-4d2e-94d5-392d1cf4f5e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/results", + "id": "61a94903-3cd3-4780-88ec-fc918819b9c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/results", + "id": "809f77f8-d10e-4842-a84f-3be7b6ff1190", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/results", + "id": "c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/results", + "id": "e200a6f3-c589-49ec-9143-7421d4a2c845", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/results", + "id": "01d5a458-a6c4-452a-ac50-054d59275b7c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/results", + "id": "80908a75-586b-4c61-ab04-490f4f4525b8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/results", + "id": "7f384a5f-b5a2-4d84-8ca3-ee0a5247becb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/results", + "id": "48af92a5-c89b-4936-bc62-1086fe2bab23", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/results", + "id": "5b033ec8-f079-4323-b5c8-99d4620433a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/results", + "id": "bf89373a-be40-4c04-99f5-746742dfd7f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/results", + "id": "e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/results", + "id": "43356255-495d-4148-ad8d-f6af5eac09dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/results", + "id": "7f8843f0-9ea5-42b4-a02b-753055113195", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/results", + "id": "5906092d-5f74-490d-9a03-78febe0f65e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/results", + "id": "a25cd877-375c-4121-a640-730929936fac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/results", + "id": "2564172f-c92b-4261-9acd-464aed511696", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/results", + "id": "ddfc4eaa-af23-409f-b96c-bf5c45dc4daa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/results", + "id": "8d29754a-2a18-460d-a1ba-9509f8d359da", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/results", + "id": "9fcd0a0a-9b6f-4670-a215-d94e6bf3f184", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/results", + "id": "6282794f-def8-4d6f-9df6-289318aa42b8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/results", + "id": "8f957abd-9703-413d-87d3-c578950a753c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/results", + "id": "a58d1a2d-4078-4b80-855b-84cc3f7f4540", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/results", + "id": "0e5872b4-19a0-4165-8b2f-56d9e14b909f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/results", + "id": "b1b20ae3-8fa7-4af5-a74d-a2145920fcb1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/results", + "id": "edc95c10-7366-4f30-9b4b-f995c84eceb5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/results", + "id": "953b3cdb-ce13-428a-aa12-318726506661", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/results", + "id": "5e7acff5-095b-40ac-9073-ac2e4ad8a512", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/results", + "id": "022f8938-4b17-420c-aca3-f917f290f322", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/results", + "id": "e835bd0d-65da-49f7-b6d1-b646da8727e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/results", + "id": "f62aa827-4ade-4dc4-89e4-1433d384a368", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/results", + "id": "e4239438-e639-44aa-adb8-866e400e3ade", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/results", + "id": "f80e3aa7-7b34-4185-954e-440a6894dde6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/results", + "id": "06adef8c-c284-4de7-aad2-af43b07a8ca1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/results", + "id": "48677914-6fdf-40ec-80c4-2b0e94079f54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/results", + "id": "06933df4-0ea7-461c-b9b5-104d27390e0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/results", + "id": "9e8c89b3-7997-4d15-93e4-7911b9db99fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/results", + "id": "a4f5f706-80fd-4c96-9a24-6ab317d33d24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/results", + "id": "8a6d36cd-0bc6-42b7-92c4-67acc8576861", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/results", + "id": "4d32780f-43a4-424a-a06d-943c543576a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/results", + "id": "be5b230d-4371-4a28-a441-85dc760e2aa3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/results", + "id": "7f65be75-90ab-4036-8c2a-410aef7bb650", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/results", + "id": "f6049677-ec4a-43af-8779-5190b6d03cba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/results", + "id": "235ca980-eb71-48f4-9030-df0c371029eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/results", + "id": "da905474-7454-43c0-b8d2-5756ab951aba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/results", + "id": "c2eae442-d3ba-4cb1-84ca-1db4f80eae3d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/results", + "id": "8df8e857-bd59-44fa-9f4c-d77594b95b46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/results", + "id": "a0ae0a4e-712b-4115-8112-51b9eeed9d69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/results", + "id": "ae03f542-1423-402f-9cef-c834e7ee9583", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/results", + "id": "9488c451-074e-4cd3-aee3-7db6104f542c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/results", + "id": "9b83114b-b2a1-4534-990d-06da015e47aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/results", + "id": "1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/results", + "id": "e649a218-d099-4550-86a4-1231e1fcb60d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/results", + "id": "68b6a789-82f8-4cfd-85de-e95332fe6a61", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/results", + "id": "e519ed6a-8328-4b69-8eb7-8fa549ac3050", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/results", + "id": "0ce1ba20-8ba8-4364-836f-40c24b8cb0ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/results", + "id": "a976d63f-af0e-46e8-b714-8c1a9c4bf768", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/results", + "id": "fc7c2c15-f5d0-4b80-adb2-c89019f8f62b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/results", + "id": "a3aa0087-8228-4e7e-b202-dc9036972d02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/results", + "id": "bf4473f1-c8a2-4b1b-8134-bd32efabab93", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/results", + "id": "63a847b2-3782-4dbb-b452-524bf038984b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/results", + "id": "57b12981-3816-4c31-b190-a1e614361dd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/results", + "id": "4e88adee-a8eb-4605-a78d-9fb1096e3091", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/results", + "id": "de38e1d5-54cb-4111-a868-6f7722695007", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/results", + "id": "2c161e58-cb52-454f-abea-6470c37b5e6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/results", + "id": "2b1d4935-9acf-48a7-8466-10d18bf51a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/results", + "id": "65844ba3-03a1-40a8-b3dd-919f122e8c95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/results", + "id": "5beacce3-4020-4a3d-9e1d-a36f953df630", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/results", + "id": "1fe9d958-ddce-4228-a124-05265a959a8b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/results", + "id": "8c415f6f-7b90-4a27-a44a-51047e1506f9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/results", + "id": "3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/results", + "id": "de76a0d6-66d5-45c9-9022-f05545b85c78", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/results", + "id": "40d5e9cd-5cfd-41f9-be60-b6cf4e907917", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/results", + "id": "3b316b05-564c-44a7-9c3f-405bb95e211e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/results", + "id": "bdf8dcb4-75df-4370-92c4-606e4ae6c4d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/results", + "id": "a478af30-8c3a-404d-aa64-0b673cee509a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/results", + "id": "5b48c507-0d1f-41b0-a630-76817c6b4189", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/results", + "id": "c9846969-d066-431f-9b34-8c4abafe422a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/results", + "id": "4c137350-7307-4803-8c04-17c09a7a9fcf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/results", + "id": "24d932e1-91f0-46ea-836f-fdbd81694151", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/results", + "id": "4f0908b9-eb66-433f-9145-134274e1e944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/results", + "id": "7772bb8c-c0f3-42d4-8e4e-f1b8939ad085", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/results", + "id": "07dda8de-d90d-469e-9b37-1aca53526ced", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/results", + "id": "219f4c95-aa50-44e0-97de-cf71f4641170", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "835d5497-a526-4aea-a23f-98a9afd1635f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/results", + "id": "acc78859-765e-4011-a229-a65ea57db252", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/results", + "id": "f97b7d23-568f-4bcc-9ac9-02df0d57fbba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/results", + "id": "faa8fddf-c0aa-4b2d-84ff-e993e233ebe9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/results", + "id": "48f100d9-f499-4c6d-b2b8-deafe47ffb26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/results", + "id": "f6397a20-4cf1-4540-a997-1d363c25ef58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/results", + "id": "456b00a3-1072-4149-9740-6b8bb60251b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/results", + "id": "c3ce69fd-e3df-49c6-be78-1db3f802261c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/results", + "id": "4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/results", + "id": "37fa8188-738b-42c8-bf82-6334ea567738", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/results", + "id": "4ae8af91-5108-42cb-9471-3bdbe596eac9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/results", + "id": "860ba89b-b8de-4e72-af54-d6aee4138a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "3609d27c-3698-483a-9402-13af6ae80583", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/results", + "id": "6c8d51af-218d-4bfb-94a9-94eabaa0703a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/results", + "id": "350cd468-0e2c-44ef-9d22-cfb73a62523c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/results", + "id": "b2e8752c-3497-4255-98d2-e4ae5b46bbf5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/results", + "id": "38c64e76-c71e-4d92-a337-60174d1de1c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/results", + "id": "a227ec01-f97a-4084-91a4-47b350c1db54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/results", + "id": "90501b1b-cded-4cc1-9e8b-206b85cda317", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/results", + "id": "709e6da6-fa1f-44cc-8f17-7f25f96dadbe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/results", + "id": "88d55d94-315d-4564-beee-d2d725feab11", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/results", + "id": "44034eda-1c3f-486a-831d-e09a7dd94354", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/results", + "id": "9c7028d9-04c2-45be-b8b2-1188ccaefb36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/results", + "id": "6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/results", + "id": "c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/results", + "id": "bed9762b-9bf6-4823-98e2-b1752bee0bf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/results", + "id": "be96849c-3df6-49c2-bc16-778a7be2519c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/results", + "id": "1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/results", + "id": "ee464fc2-54a6-4e22-b10a-c6dcd2474d0c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/results", + "id": "dae9c373-8287-462f-8746-6f93dad93610", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/results", + "id": "a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/results", + "id": "1a427b25-2e9e-4298-9530-0499a55e736b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/results", + "id": "87482183-a8e7-4e42-a566-7a23ec231c16", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/results", + "id": "5e6c9c68-8a82-408e-8749-ddad78cbb9c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/results", + "id": "66f2d8f9-a911-4ced-ae27-34f09690bb2c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/results", + "id": "3ae83918-7ec7-4cb8-80db-b91ef0f94002", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/results", + "id": "cdbb0467-2957-4a77-9992-7b55b29df7b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/results", + "id": "adcd0082-e90b-4b63-862b-21899f6e6a48", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/results", + "id": "6e856af2-62d7-4ba2-adc1-73b62cef9cc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/results", + "id": "493d9591-6249-47bf-8dc0-5c10161cc558", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/results", + "id": "ad7444cf-817a-4765-a79e-2145f7981faf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/results", + "id": "ae53ce91-42b5-46bf-a84f-9a13366a4f13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/results", + "id": "818f38ed-8446-4132-9c03-474d49e10195", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/results", + "id": "9d13b150-a2ab-42a1-b6f4-142e41f81e52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/results", + "id": "9b6a3f5b-5fd6-40ee-9bc0-ed604911212d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/results", + "id": "12726829-93ed-4d51-9cbe-13423f4299e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/results", + "id": "837e033c-4717-40bd-807e-6abaa30161b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/results", + "id": "fe974ae9-858e-4991-bbd5-e040a834679f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/results", + "id": "d71b5fd7-9020-4b2d-9ec8-b3839faa2744", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/results", + "id": "9c30655c-f9a1-4296-b365-53c0bba80c76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/results", + "id": "f57f849c-883b-4cb7-85e7-f7b199dff163", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/results", + "id": "829ce3b8-065c-41a3-ad57-e0accfea82d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/results", + "id": "4a1e6b34-1008-4e61-a5f2-1f7c276f8d14", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/results", + "id": "9025b2b3-e554-4842-ba87-db7aeec36d35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/results", + "id": "568cc372-ca64-420d-9015-ee347d00d288", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/results", + "id": "a964d6e3-8e1e-4d93-8120-61fa640dd55a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/results", + "id": "97e94d17-e2c7-4109-a53b-6536ac1bb64e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/results", + "id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/results", + "id": "3b3b4411-ad1f-40e7-b257-a78a6bb9673a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/results", + "id": "3e293410-d5b8-411f-85fd-7d26294f20c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/results", + "id": "b4d9c12b-bfba-4aeb-9cb8-2358546d8041", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/results", + "id": "6d64f311-3da6-45f3-80f1-14db9771ea40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/results", + "id": "cc8b294f-006f-4f8f-b5bb-0a9140c33131", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/results", + "id": "89827c57-5a8a-49eb-9731-976a606d70db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/results", + "id": "124b173b-e06d-48a6-8acd-f889443d97a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/results", + "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/results", + "id": "0b0556ea-9cd9-476f-862e-20679dda752b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/results", + "id": "ef05a925-8568-4054-8ff1-f5ba82631c16", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/results", + "id": "c689f51b-9203-43b3-9d8b-caed123f706c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/results", + "id": "d53323be-dde6-4457-9a43-42df737e71d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/results", + "id": "209189f3-c879-48a7-9703-fbcfa96d0cef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/results", + "id": "2730c169-51d7-4ae7-99b5-584379eff1bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/results", + "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/results", + "id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/results", + "id": "42e7dca3-8cce-4325-8df0-108888259136", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/results", + "id": "59a849c2-1127-4023-85a5-ef906dcd458c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/results", + "id": "0a994e04-c6dc-471d-817e-d37451d18a3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/results", + "id": "60a05ede-0a68-4d0d-a58f-f538cf55ff79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/results", + "id": "6b5b0313-771b-4319-ad7a-122ee78700ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/results", + "id": "a2f2800e-614b-4bc8-89e6-fec8afd24800", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/results", + "id": "c757c6a3-ac87-4b9d-b28d-e5a5add6a315", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/results", + "id": "a7f8ac28-eed1-483d-87c8-4c325f022572", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/results", + "id": "cb2f612b-ed42-4ff5-9fb9-255c73d39a18", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/results", + "id": "a71ecabe-03b6-456a-b3bc-d1a39aa20c98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/results", + "id": "4ba74f01-aba5-4be2-83bc-be79ff1a3b92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/results", + "id": "dc1ab429-1481-4540-9b1d-280e3f15f1f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/results", + "id": "7b590235-1ff4-421b-b9ff-5227134be9bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "255b0fcc-9f82-41fe-9229-01b163e3376b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/results", + "id": "6d19ce0f-b3d8-4128-ac3d-1064e0f00494", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/results", + "id": "934613fe-b12c-4e5a-95f5-c1dcdffac1ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/results", + "id": "e50eb68a-a4af-4048-8bbe-8ec324421469", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/results", + "id": "dd667399-8d9d-4a8d-bbb4-e49ab53b2f52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/results", + "id": "e6cd49ba-77ed-417f-9bca-4f5303554308", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/results", + "id": "0c7a76d9-7dc5-499e-81ac-9245839177cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/results", + "id": "72840c35-3876-48be-900d-f21b2f0c2ea1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/results", + "id": "bdecd6db-2600-47dd-a10c-72c97cf17ae9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/results", + "id": "a507daa5-0795-4380-960b-dd7bb7c56661", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/results", + "id": "83bf5aca-138a-498e-b9cd-ad5bc5e117b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/results", + "id": "d9dc6429-5140-498a-8f55-a10daac5f000", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/results", + "id": "9296f1cc-7a40-45de-bd41-f31745488a0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/results", + "id": "b2418936-cd47-4ea2-8346-623c0bdb87bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/results", + "id": "6c7cfec3-c686-4ed2-bf58-a1ec054b63fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "6c2d627c-de0f-45fb-b33d-dad9bffbb421", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "b4f65d13-a609-4dc1-af7c-63d2e08bffe9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/results", + "id": "4d9f44c6-2f4a-4317-9bb5-267adbea0232", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/results", + "id": "ce76b7d0-9e77-464d-b86f-c5c48e03e22d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/results", + "id": "451d79dc-0588-476a-ad03-3c7f0320abb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/results", + "id": "6b610c50-99fb-4ef0-a5f3-e312fd945bc3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/results", + "id": "404fde2c-bc4b-4371-9747-7054132ac953", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/results", + "id": "d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/results", + "id": "698ed579-b239-4f8f-a388-baa4bcb13ef8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/results", + "id": "4f31dd9f-2cc3-4751-9b53-67e4af83dac0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/results", + "id": "bb9ac4f7-e13b-423d-a010-c74a1bfbe492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/results", + "id": "27fcc7d6-c49b-46e0-98f1-6c082a6a2750", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/results", + "id": "221e0658-cb2a-44e3-b08a-db96a341d6fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/results", + "id": "ae5b6871-7f45-42e0-bb4c-ab300c4d2026", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/results", + "id": "bc2908f3-f73c-40a9-8793-c1b7d5544f79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/results", + "id": "2fc99041-ddad-49d5-853f-e35e70a48391", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/results", + "id": "610e266e-6c12-4bca-9925-1ed0cd29742b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/results", + "id": "baa3890f-bed7-46f5-ab8f-1da8fc91c729", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/results", + "id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/results", + "id": "8af7162d-6c98-482f-868e-0d33fb675ca8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/results", + "id": "8c978947-0ff6-485c-b0c2-0bfca6026466", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/results", + "id": "1c1325ff-831d-43a1-973e-839ae57dfcc0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/results", + "id": "baa452f0-1f21-4a25-ace5-844e7a5f410d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/results", + "id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/results", + "id": "ae9c56a6-3ed1-4ac0-9b54-31267f51151d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/results", + "id": "df746b39-6564-4fed-bf85-e9c44382303c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/results", + "id": "965a08d7-ef86-4f14-8792-4a3b2098937e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/results", + "id": "77783205-c4ca-4f80-bb80-c777f267c547", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/results", + "id": "7384dfb2-fcd1-4fbf-91cd-6c44c318c33c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/results", + "id": "8a301064-c291-4b20-adcb-403fe7fd95fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/results", + "id": "aa93e17f-b6db-4162-9334-c70334e7ac28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/results", + "id": "cdddb86f-95f6-4fc4-b5a1-483d9afceb2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/results", + "id": "6db6e0c2-32a3-4a2e-93b5-72c35f4119db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/results", + "id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/results", + "id": "5907595b-5b6d-4142-b173-dbb0e73fbff8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/results", + "id": "22cd11f7-9c6c-4f6e-84c0-02058120b341", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/results", + "id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/results", + "id": "9efb0b2d-89c9-41a3-91ca-dcc0aec911fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/results", + "id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/results", + "id": "67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/results", + "id": "99614418-f82b-4852-a9ae-5051402b741c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/results", + "id": "295acb63-9246-4b21-b441-7c1f1fb62dc0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/results", + "id": "7ebd323c-31b7-4e5b-b26f-de5e9e477af8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/results", + "id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/results", + "id": "93d88cf7-f078-46a8-8ddc-178e03aeacf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/results", + "id": "38300d1a-feb2-4a48-936a-d1ef1cd24313", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/results", + "id": "45e1fca5-f90e-465d-825f-c2cb63fa3944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/results", + "id": "41c195f4-fc31-4a5c-8a1b-90605538d49f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/results", + "id": "6938958b-3f1a-451c-909b-baeee14bdc97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/results", + "id": "0008c003-79aa-42d8-95b8-1c2fe37dbfe6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/results", + "id": "b86987e1-6397-4619-81d5-8807f2387c79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/results", + "id": "e36d8880-3f78-4546-b9a1-12f0745ca0d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/results", + "id": "f2f903fb-b977-461e-98d7-b3e2185c6118", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/results", + "id": "f4a6bcd3-e231-4acf-993c-aa027be50d2e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/results", + "id": "b84a0b47-2e99-4c9f-8933-98bcabe2b94d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/results", + "id": "8ada6e80-0ade-439e-b176-0b28f6bce35a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/results", + "id": "fc775e75-fcfb-4c98-b2f2-910c5858b359", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/results", + "id": "9b6b0f38-92a2-41f9-b881-3a1083d99f1b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/results", + "id": "f2daed12-c802-49cd-afed-fe41d0b82fed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/results", + "id": "efbf148a-67e9-42d2-ac47-02fa1c0d0b22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/results", + "id": "71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/results", + "id": "d3499f6d-1651-41bb-a9a7-de925fea487b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/results", + "id": "02d9c71f-3ee8-4986-9c27-1a20d0d19bfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/results", + "id": "9bae49be-0aa3-4de5-bab2-4c3a069e40cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/results", + "id": "b16e8501-ef3c-44e1-a543-a093238099c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/results", + "id": "68a51e22-ae5a-4d48-8e87-b01a323605c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/results", + "id": "6b376af8-cfe8-49ab-a08d-f32de23661a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/results", + "id": "00481784-25aa-4a55-8633-3136dfcf4f37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/results", + "id": "6e19193a-8753-436d-8a09-76dcff91bb03", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/results", + "id": "6452c424-1d92-4deb-bb18-a03e95d579c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/results", + "id": "562952e4-0348-4dea-9826-44f3a2c6117b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/results", + "id": "83103dff-d57f-42a8-bd81-40abab64c1a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/results", + "id": "227c2f58-70c6-4432-8e9a-a89c1a548cf5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/results", + "id": "dd690686-2bf9-4012-a821-f61912dd77be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/results", + "id": "313d6deb-3b67-4948-b41d-35b699c2492e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "63ae3638-a38c-4ff4-b616-6e1f72a31a6a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/results", + "id": "77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "ad0875c1-0b39-4890-9149-173158ba3bba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/results", + "id": "8810968b-4b15-421d-918b-d91eb4bb8d1d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/results", + "id": "7ef7d141-9fbb-4679-a977-fd0883436906", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/results", + "id": "8212e2d7-e683-49bc-bf78-d6799075c5a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/results", + "id": "dbe058d7-b82e-430b-8426-992b2e4677e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/results", + "id": "fc040fb6-4c23-4c0d-b12a-39edac35debb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/results", + "id": "6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/results", + "id": "df58d46c-783b-43e0-bdd0-d99164f712ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/results", + "id": "62c8cf50-87f0-4295-a974-8184ed78fe02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/results", + "id": "1239f54b-33de-482a-8132-faebe288e6a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/results", + "id": "28727987-e398-49b8-aef1-8a3e7789d111", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/results", + "id": "7c98538a-81c6-444b-bf04-e60bc3ceeec0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/results", + "id": "c759d6f2-4dd3-4160-82d3-89202ef10d87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/results", + "id": "c47f90e8-4a19-43f0-8413-cc434d286c4e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/results", + "id": "dc5c5fee-6c53-43b0-ab11-4c660e064aaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/results", + "id": "a21b8df3-c840-4b3d-a41a-10fb2afda171", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/results", + "id": "e66e1b71-c810-4b4e-a737-0ab59e7f5e41", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/results", + "id": "48c61fbd-09c9-46cc-a521-012e0c325412", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "6e2b1ec1-1eca-4eb7-9d4d-2882680b4811", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/results", + "id": "50cb6c3b-c878-4b88-b50e-d1421bada9e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/results", + "id": "9038b526-4c19-4928-bca2-c03d503bdb79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/results", + "id": "a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "660360d3-9ca7-46d1-b147-3acc4002953f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/results", + "id": "dee21308-2a7a-49de-8ff7-c9b87e188575", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/results", + "id": "95601b9a-7fe8-4aee-9b58-d36fd9382dfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/results", + "id": "bbfc97ab-e92a-4a7b-954c-e88cec815011", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/results", + "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/results", + "id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/results", + "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/results", + "id": "daaace5f-c0dc-4835-b526-7a116b7f4b4e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/results", + "id": "ce30e584-b33f-4c7d-b418-a3d7027f8f60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/results", + "id": "a77f4d07-c6e0-4a48-8b35-0eeb51576f4f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/results", + "id": "1de5cc51-f376-4638-a940-20f2e85ae238", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/results", + "id": "da9f3aa8-fbfb-472f-b5a1-576127944218", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/results", + "id": "768aab52-2504-4a2f-a3e3-329d5a679848", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/results", + "id": "35c0a471-f7c8-4993-aa2c-503a3c712a66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/results", + "id": "73e251f0-363d-4e53-86e2-0a93592437eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/results", + "id": "13a49a2e-488e-4309-a7c0-d6b05577a5fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/results", + "id": "1828a670-5957-4bc5-9974-47da228f75e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/results", + "id": "4d7ee40f-fc5d-427d-8cac-dffbe22d42d1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/results", + "id": "1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/results", + "id": "f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/results", + "id": "98ce8b81-7707-4734-aa39-627c6db3d84b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/results", + "id": "5da47109-f8d6-4585-9e2b-96a8958a12f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/results", + "id": "46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/results", + "id": "e0e00aba-5f1c-4981-a542-9a9563c0ee20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/results", + "id": "249328b8-5f0f-409f-b1dd-029f07882e11", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/results", + "id": "9127f0d9-2310-42e7-866f-5fd9d20dcbad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/results", + "id": "03aabc8c-35d6-481e-9c85-20139cf72d23", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/results", + "id": "dd29336b-fe57-445b-a26e-e6aa867ae609", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/results", + "id": "f922827f-aab6-447c-832a-e1ff63312bd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/results", + "id": "02323c00-cdc3-4fdc-a310-4f2b3e7a1660", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/results", + "id": "cf34805e-3872-4c08-bf92-6ff7bb0cfadb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/results", + "id": "19ebaa28-fc86-4a58-bcfa-015c9e22fe40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/results", + "id": "235236ee-ad78-4065-bd29-61b061f28ce0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/results", + "id": "4ac0e2b7-d2d2-4af7-8799-e8de6721ccda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/results", + "id": "ca469dd4-c736-448f-8ac1-30a642705e0a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/results", + "id": "192fe40b-b1c3-448a-aba2-6cc19a300fe3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/results", + "id": "d2ad057f-0928-41ef-a83c-f59203bb855b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/results", + "id": "a31b7b82-d994-48c4-bd21-3bab6c31827a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/results", + "id": "b23e9b98-0cb6-4fc9-b257-1f3270442678", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/results", + "id": "a6f34658-fdfb-4154-9536-56d516f65828", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/results", + "id": "cbd2db69-0b21-4c14-8a40-7710a50571a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/results", + "id": "10efce34-5af6-4d83-b414-9e096d5a06a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/results", + "id": "e84eaf4d-2f45-47b2-abe8-e581b06deb66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/results", + "id": "9391103a-d8d7-4671-ac5d-606ba7ccb0ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/results", + "id": "3f5ff8a7-5ad6-4d02-86f5-666307da1b20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/results", + "id": "b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/results", + "id": "09bb9e96-8da3-4736-b89a-b36814acca60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/results", + "id": "075ca296-6768-4322-aea2-ba5063b969a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/results", + "id": "895a5a95-3756-4b04-9924-2f3bc93181bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/results", + "id": "e0099af2-fe17-411f-9991-0de28fe15f3c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/results", + "id": "5744cbb8-5946-4b75-a196-ade44449525b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/results", + "id": "2f652c42-619d-4361-b361-9f599688f8ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/results", + "id": "14abda69-8e91-4acb-9931-76e2bee90284", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/results", + "id": "caa3479d-885d-4882-9aac-95e5e78ef5c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/results", + "id": "7c81d34c-8e5a-402b-9798-9f442630e678", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/results", + "id": "3878dc92-8e5d-47cf-9cdd-7590f71d21b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/results", + "id": "69bbc5e3-0818-4150-89cc-1e989b48f23b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/results", + "id": "b9380fd3-5ffe-4d10-9290-13e18e71eee1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/results", + "id": "fa4def8c-1898-4a35-a139-7b76b1acdef0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/results", + "id": "583053b7-e632-46f0-b989-f81ff8045385", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/results", + "id": "ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/results", + "id": "36a27826-1bf5-49da-aeb0-a60a30c0e834", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/results", + "id": "52d70f2e-3257-474c-b3dc-8ad9ba6a061a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/results", + "id": "1a07a446-8e61-4e4d-bc16-b0781fcb8211", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/results", + "id": "bf36b900-b5ef-4828-adb7-70eb543b7cfb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/results", + "id": "cdc8b54e-6b16-4538-a1b0-35849dbe29cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/results", + "id": "5f89001f-6dd9-49ff-9b15-d8cd71b617f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/results", + "id": "6cf42c97-facd-4fda-b8af-ea4529123355", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/results", + "id": "2940d48a-dc5e-4178-a3f8-bfbd80720b41", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/results", + "id": "ed89b97d-04e9-4fd4-919f-ee5b27e555e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/results", + "id": "ade74944-a674-4e00-859e-c6eab5bde441", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/results", + "id": "b14d1bc4-a208-45db-92f0-e21f8e2588e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/results", + "id": "229588ef-8fde-40c8-8756-f4f2b5825ded", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/results", + "id": "1123031a-f921-4c5b-bd86-ef354ecfd37a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/results", + "id": "8b36775e-183d-4d46-b0f7-96a6f34a723f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/results", + "id": "1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/results", + "id": "2270987f-bb51-479f-b8be-3ca73e5ad648", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/results", + "id": "dbbc6705-d541-43b0-b166-dd4be8208b54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/results", + "id": "85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/results", + "id": "268ca686-7fb7-4ae9-b129-955a2a89064e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/results", + "id": "33fc6923-6553-4fe6-9d3a-4efa51eb874b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/results", + "id": "aa8f7a35-9923-4cad-bd61-a19b7f6aac91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/results", + "id": "caa93370-791f-4fc6-814b-ba6ce0cb4032", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/results", + "id": "cb7e695d-6a85-495c-b15f-23aed2519303", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/results", + "id": "94b76ea5-e074-4ca2-8a03-c5a606e30645", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/results", + "id": "ae8827e2-4af9-4baa-9998-87539ae0d6f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/results", + "id": "592ad21d-ad9b-46c6-8d2d-fad09d62a942", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/results", + "id": "0401f71b-9c1e-4821-ab15-a955caa621be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/results", + "id": "4a20ebac-1060-4c81-95d1-1f7f620e983b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/results", + "id": "48a5beba-e4c0-4584-a2aa-e6894e4cf424", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/results", + "id": "a97a340a-0063-418e-b3a1-3028941d0995", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/results", + "id": "afa36afb-39fe-4d94-b9b6-afb236f7a03d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/results", + "id": "5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/results", + "id": "2f491173-6375-4a84-b28e-a4e2b9a58a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/results", + "id": "87554eef-154d-411d-bdce-9dbd91e56851", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/results", + "id": "80f93444-b240-4ebb-a4c6-5c40b76c04ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/results", + "id": "91dacd0e-d189-4a9c-8272-5999a3cc32d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/results", + "id": "a33e9173-b674-4dfb-9d82-cf3754816e4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/results", + "id": "c48e57d3-d642-4e0b-90db-37f807b41b91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/results", + "id": "7307579a-3abb-46ad-9ce5-2a915634d5c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/results", + "id": "de4421f1-4e35-43b4-9783-737dd4e4a47e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/results", + "id": "8320826e-7a9c-4b0b-9535-578333193432", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/results", + "id": "d45330fd-f58d-45fb-a682-6481477a0f84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/results", + "id": "c589f42c-7924-4871-aee2-1cede9bc7cbc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/results", + "id": "9f85c3f6-26fd-4007-938a-2e0cb0100980", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/results", + "id": "38fa11ef-dbcc-4da8-9680-7e1fd855b6fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/results", + "id": "b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/results", + "id": "6b896afb-ca07-467a-b256-1a0077a1c08e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/results", + "id": "a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/results", + "id": "d89a15bb-8dba-4c71-9529-bef6729b9c09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/results", + "id": "1e749bc9-fde8-471c-af0c-8254efd2dee5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/results", + "id": "05fb986f-ac73-4ebb-a5b2-7faafa93d882", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/results", + "id": "a9c2f49d-0671-4fc9-9ece-f4e261e128d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/results", + "id": "e3aa0612-4351-4a0d-983f-aefea25cf203", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/results", + "id": "1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/results", + "id": "f377b83e-bd07-4f48-a591-60c82b14a78b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/results", + "id": "3d658f8b-d988-41a0-a841-40043121de1e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/results", + "id": "3d24b204-b73d-42cb-b0bf-1a5438c5f71e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/results", + "id": "6a68bebe-c021-492e-8ddb-55b0567fb768", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/results", + "id": "9587c890-0524-40c2-9ce2-663af7c2f063", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/results", + "id": "056ac60e-fe07-4acc-9b34-8e1d51716ab9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/results", + "id": "dab4ec72-ce2e-4732-b7c3-1757dcce01a1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/results", + "id": "a5530bd7-225a-48f9-91bb-f40b04200165", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/results", + "id": "591ade62-d6b0-4580-b1ae-209f80ba1cd9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/results", + "id": "ccc98ff7-68a7-436e-9218-185cb0b0b780", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/results", + "id": "48471392-d4d0-47c0-b135-cdec95eb3eef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/results", + "id": "3ca03a61-3249-4c16-8427-6f8e47dda729", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/results", + "id": "845acfbe-3e10-4b8e-b656-3b404d36dfb2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/results", + "id": "26763a1c-5dda-4772-b507-5fca7fb5f165", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/results", + "id": "cd290efd-6c82-4e9d-a698-be12ae31d536", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/results", + "id": "6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/results", + "id": "302736f4-b16c-41b8-befe-c0baffa0bd9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/results", + "id": "c1032cf7-3628-44e2-bd53-38c17cf31b6b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/results", + "id": "d740d048-8ed3-49d3-b77b-6f072f3b669e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/results", + "id": "8cf4671a-cf3d-46fc-8389-21e7405063a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/results", + "id": "1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/results", + "id": "bb241e61-77c3-4b97-9575-c0f8a1e008d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/results", + "id": "49113af4-29ca-458e-b8d4-724c01a4a24f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/results", + "id": "e17fa86a-6222-4584-a914-56e8f6c87e06", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/results", + "id": "6d173be7-545a-46c6-a81d-2ae52ed1605d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/results", + "id": "8b862ca9-0fbd-4959-ad72-b6609bdaa22d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/results", + "id": "fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/results", + "id": "32ecd76e-7bbf-402e-bf48-8b9485749558", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/results", + "id": "1acd93f1-5a37-45c0-aaac-82ece818be7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", + "id": "b9c83569-459b-4110-8f79-6305aa33cb37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/results", + "id": "611ab018-c4aa-4ba2-b0f6-a448337509a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/results", + "id": "b7652612-de4e-4466-a0bf-1cd81f0c6063", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/results", + "id": "510d5810-9a30-443a-817d-5c1fa527b110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/results", + "id": "2b1836f1-dcce-416e-8e16-da8c71920633", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/results", + "id": "5308a7a8-06f8-45ac-bf10-791fe21de46e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/results", + "id": "e8bb41e4-2f24-4e84-8bea-8c7c070cf93d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/results", + "id": "b4803607-ed72-4d60-99e2-3fa6edf471c6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/results", + "id": "c38d630d-a415-4e3e-bac2-65475979ba88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/results", + "id": "ed48229d-d43e-4da7-b453-5f98d964a57a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/results", + "id": "be1d8733-3731-40c7-a845-734741c6871d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/results", + "id": "7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/results", + "id": "f30ee711-0082-4480-85ab-31d922d9a2b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/results", + "id": "2da46be4-4317-4650-9285-56d7103c4f93", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/results", + "id": "3d7d7b6c-fb0a-475e-8a28-c125e30d15f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/results", + "id": "e9817ad8-a8c9-4038-8a2f-db0e6e7b284b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/results", + "id": "f985a7d2-d404-4a7f-9814-f645f791e46e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/results", + "id": "274f910a-0665-4f08-b66d-7058fe927dba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/results", + "id": "33d96c65-977d-4c33-943f-440baca49185", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/results", + "id": "fb889ae9-2d16-40b5-b41f-9da716c5abc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/results", + "id": "e9db5fb4-6a84-4abb-b4af-3b94fbdace6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/results", + "id": "98295b32-ec09-4b5b-89a9-39853197f914", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/results", + "id": "b90033cf-ad9f-4fb9-acd1-1b9d6d278c87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/results", + "id": "750f6448-27c0-49f8-a153-b81735c1e19c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/results", + "id": "73c3bc54-3cc6-4c0a-b30a-e19f2abfc951", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/results", + "id": "ba239cb9-f342-4c20-812d-7b5a2aa6969e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/results", + "id": "5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/results", + "id": "2cf35b40-ded3-43d6-9633-c8dcc8bcc822", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/results", + "id": "eb3f9744-d24e-4614-b1ff-2a9514eca21c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/results", + "id": "0c79e50e-b3cf-490c-b8f6-587c644d4d0c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/results", + "id": "be3e170e-1572-461e-a8b6-d963def581ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/results", + "id": "d47940ca-5970-45cc-bdd1-4d81398cee1f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/results", + "id": "ceefb058-8065-418f-9c4c-584a78c7e104", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/results", + "id": "f42dfe7e-787d-4478-a75e-a5f3d8a2269e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/results", + "id": "2e44e632-d617-43cb-b294-6bfe72a08938", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/results", + "id": "c3cab8c4-6c52-47a9-942b-c27f26fbd7d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/results", + "id": "2596545e-1757-4ff7-a15a-8a9a180a42f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/results", + "id": "a6847dc6-f4ea-45ac-a81f-93291ae6c573", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/results", + "id": "750b40be-4bac-4f59-bdc4-1ca0e6c3450e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/results", + "id": "bccfa089-89e4-47e0-a0e5-185fe6902220", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/results", + "id": "0220e1c5-65d1-49dd-b7c2-cef6d6cb5283", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/results", + "id": "3a01790c-ebee-4da6-8fd3-e78657383b75", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/results", + "id": "a46928f1-43d7-4671-94e0-2dd99746f389", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/results", + "id": "773116aa-2e6d-416f-bd85-f0301cc05d76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/results", + "id": "e3f026e8-fdb4-4d5a-bcfd-bd94452073fe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/results", + "id": "221015a8-aa2a-43f5-b00b-ad7d2b1d47a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/results", + "id": "a599b0d1-ff89-4cb8-9ece-9951854c06f6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/results", + "id": "9aa6e95c-d964-4239-a3a8-9f37a3c5a31f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/results", + "id": "3847280c-9193-40bc-8009-76168e822ce2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/results", + "id": "3b615f00-c443-4ba9-acc4-7c308716917d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/results", + "id": "429b2106-ba37-43ba-9727-7f699cc611e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/results", + "id": "b30981fa-a12e-49c7-a5bb-eeafb61d0f0f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/results", + "id": "0b76d993-ee52-43e0-8b39-3787d2ddabf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/results", + "id": "6d2e0790-cc3d-4c74-b973-d4e8b09f4455", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/results", + "id": "9f88c88d-824d-4d9a-b985-e22977046042", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/results", + "id": "a19c3bbd-c056-40d7-9e1c-eeb0634e320d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/results", + "id": "40e1d1bf-11a9-4f63-a3a2-a8b84c602839", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/results", + "id": "ba066cda-e808-450d-92b6-f29109754d45", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/results", + "id": "86b1fa30-9790-4980-994d-a27e0f6f27c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/results", + "id": "d15db953-a553-4b8a-9a14-a3d62ea3d79d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/results", + "id": "b05bb927-2df5-43cc-8d7b-6825c0e71625", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/results", + "id": "a68da022-e95a-4bc2-97d3-481e0bd6d446", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/results", + "id": "c19779a9-5774-4d2f-a3a1-a99831730375", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/results", + "id": "151331e2-11f4-4bb6-bd35-9a005e695087", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/results", + "id": "698a464e-bb3e-4ba8-ab5e-e6599b7644a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/results", + "id": "6b76f589-9713-44ab-97f5-59a3dba1a285", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/results", + "id": "9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/results", + "id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/results", + "id": "5915c20f-dffa-4cee-b5d4-f457ddc0151a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/results", + "id": "4cd8de87-b595-48b6-ab3c-1904567135ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/results", + "id": "cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/results", + "id": "bac56e3c-1f71-4a74-8ae6-2fba07efcddb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/results", + "id": "77276d82-4f45-4cf1-8e2b-4d345b936228", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/results", + "id": "2d8c175a-6d90-412b-8b0e-e034ea49a1fe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/results", + "id": "2d6646f4-2946-420f-8c14-3232d49ae0cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/results", + "id": "50de3b5b-6465-4e06-a9b0-b4c2ba34326b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/results", + "id": "26f06397-36d8-4ce7-b993-17711261d777", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/results", + "id": "cf4a5f45-a27b-49df-843a-9911dbfe71d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/results", + "id": "3ba0cca1-b815-47bf-ac62-1e584eb64a05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/results", + "id": "52c0d841-60d6-4a81-88dd-c35fef36d315", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/results", + "id": "f29904c8-6041-4bca-b043-dfa0546b8079", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/results", + "id": "6a2c219f-da5e-4745-941e-5ea8cde23356", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/results", + "id": "376c9390-7e9e-4cb8-a067-fd31c05451fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/results", + "id": "801f0c6a-a834-4467-89c6-ddecffb46b5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/results", + "id": "2e275f16-b627-4d3f-ae73-a6153a23ae8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/results", + "id": "ca02f4e8-d3ae-4832-b7db-bb037516d9e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/results", + "id": "7a01dfbd-da62-4165-aed7-71349ad42ab4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/results", + "id": "015eac96-6313-43c0-84e5-81b1374fa637", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/results", + "id": "b9db8a10-020c-49ca-88c6-780e5fdb4328", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/results", + "id": "c5bb7461-aa57-470b-a714-3bc3d74f4669", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/results", + "id": "60fb6621-9f02-473b-9424-ba9a825747d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/results", + "id": "f79b9d26-e945-44e7-98a1-b93f0f7a68a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/results", + "id": "39cb32f2-3a42-4af0-8037-82a7a9654b6c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/results", + "id": "3979b0a4-532c-4ea7-86e4-34c090eaa4f2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/results", + "id": "d172a060-8569-4412-8045-3560ebd477e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/results", + "id": "8bfed1c6-2d59-4924-bc7f-9b9d793ed0df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/results", + "id": "d40f27e6-15fb-4b56-90f8-fc0ff0291c51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/results", + "id": "31dd6fc0-f274-493b-9614-e063086c19fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/results", + "id": "46facedc-f243-4108-ab33-583b807d50b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/results", + "id": "8fe1846f-52cc-4413-ace9-1933d7d23672", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/results", + "id": "9670f240-7b4d-4955-bd93-edaa9fa38b58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/results", + "id": "59c2f769-7cc2-49c8-a3de-4e211135cfab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/results", + "id": "4190dda7-af03-4cf0-a128-70ac1661ca09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/results", + "id": "7f203940-39c4-4ea7-91ee-7aba16bca9e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/results", + "id": "a4dd69b8-49fa-45d2-a060-c76655405b05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/results", + "id": "d3ea644a-9a5c-4fee-941f-f8a6786c0470", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/results", + "id": "0f6cd0ab-c366-4595-84fc-fbd8b9901e4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/results", + "id": "58f06434-a88c-4f74-826c-db7e10cc7def", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/results", + "id": "b3871dd8-9333-4d6c-bd52-67eb898b71ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/results", + "id": "4cac7ace-b0fb-477d-830d-65395d9109d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/results", + "id": "d2361d58-361c-49f0-9e50-b957fd608b29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/results", + "id": "ab1263c2-81df-46f0-9f2c-0b62fdb68419", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/results", + "id": "20a482d5-c5d9-4a7a-b7a4-60d0805047b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/results", + "id": "37140f7f-724a-4c87-a536-e9cee1d61533", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/results", + "id": "8db5544e-4874-4baa-9322-e9f75a2d219e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/results", + "id": "68e5fcac-390c-4939-a373-6074b7be7c71", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/results", + "id": "a4247b11-890b-45df-bf42-350a7a3af9be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/results", + "id": "f525cc92-9050-4c41-a75c-890dc6f64449", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/results", + "id": "06764426-3c56-407e-981f-caa25db1c149", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/results", + "id": "1bc3205c-0d60-44e6-84f3-44fbf4dac5b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/results", + "id": "8aee4754-970d-4c5f-8142-a49dfe388b1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/results", + "id": "a0bf7382-5d5a-4224-924c-3db8466026c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/results", + "id": "8d0921d6-4131-461f-a253-99e873f8f77e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/results", + "id": "c66ebeaa-676c-40dc-a3ff-3e49395dcd5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/results", + "id": "105e20dd-8449-4d71-95c6-d5dac96639af", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/results", + "id": "23a9e2d9-8738-4556-a71c-2802b6ffa022", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/results", + "id": "462d6a1d-fed9-4d75-bb9e-3de902f35e6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/results", + "id": "a5375be3-521c-43bb-9eab-e2432e368ee4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/results", + "id": "fb7d81e7-4150-48c4-b914-92fc05da6a2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/results", + "id": "aecee30b-8ea1-4776-a99c-d6d600f0862f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/results", + "id": "281b8071-6226-4a43-911d-fec246d422c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/results", + "id": "be0e0df7-f3d9-42a1-9b6f-d425f94872c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/results", + "id": "6998389e-66b2-473d-8d05-c8d71ac4d04d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/results", + "id": "a96bbc06-8cde-4295-ad3c-ee343a7f658e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/results", + "id": "86e3702f-c868-44b2-b61d-ea5316c18110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/results", + "id": "881a6e71-c2a7-4fe2-b9c3-dfcf08895331", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/results", + "id": "8af270ce-298b-4405-9922-82a10aee7a4f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/results", + "id": "f2702af5-6016-46cb-bbc8-84c766032095", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/results", + "id": "8c84f75e-5048-4926-a4cb-33e7b3431300", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/results", + "id": "72d259ca-9741-48dd-9f62-eb11f2936b37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/results", + "id": "d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/results", + "id": "b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/results", + "id": "332cf2ad-380d-4b90-b436-46f8e635cf38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/results", + "id": "d929c031-078f-4241-b802-e224656ad890", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/results", + "id": "b2d9dbf6-539c-4374-a1fd-210ddf5563a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/results", + "id": "9239c289-9e4c-4d92-8be1-9d506057c971", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/results", + "id": "5ea61624-3733-4a3a-8ca4-b96fec9c5aeb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/results", + "id": "6952a7e0-6e48-4285-bbc1-27c64e60f888", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/results", + "id": "5aea1d7e-b834-4749-b143-2c7ec3bd5922", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/results", + "id": "a8e859da-4a43-4e7f-94b8-25d6e3bf8e90", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/results", + "id": "9d967a2b-9d64-41a6-abea-dfc4960299bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/results", + "id": "e2ffa504-d22a-4c94-b6c5-f661849d2db7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/results", + "id": "96beb800-566f-49a9-a0ea-dbdf4bc80429", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/results", + "id": "8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/results", + "id": "96729c6b-7400-4d9e-9807-17f00cdde4d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/results", + "id": "20cb3159-b219-496b-8dac-54ae3ab2021a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/results", + "id": "fbf699b5-ef74-4542-9cf1-f6eeac379373", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/results", + "id": "2ea04bef-c769-409e-9179-ee3a50b5c0ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/results", + "id": "181bd815-767e-4e95-a24d-bb3c87328e19", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/results", + "id": "2e9b6612-8f69-42e0-a5b8-ed17739c2f3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/results", + "id": "c254adc4-ef25-46e1-8270-b7944adb4198", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/results", + "id": "48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/results", + "id": "05505192-ba2c-4a81-9b25-dcdbcc973746", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/results", + "id": "f5b2e6af-76f5-496d-8482-8f898c5fdb4a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/results", + "id": "237402e2-c2f0-46c9-9cf5-286160cf7bfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/results", + "id": "0de50145-e845-47f4-9a15-23bcf2125710", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/results", + "id": "69d7aefd-149d-47b8-8d89-1c2181a8067b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/results", + "id": "ae13a37d-943b-47a7-a970-83c8598bcca3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/results", + "id": "84c826c9-1893-4b34-8cdd-db97645b4bf3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/results", + "id": "815021c8-a50c-46d9-b192-24f71072c400", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/results", + "id": "00b78adf-b83f-419c-8ed8-c6018441dd3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/results", + "id": "3fb03214-25d4-4bd4-867c-c2d8d708a483", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/results", + "id": "4bcbcd52-3028-469f-bc14-02c7dbba2df2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/results", + "id": "ab2af219-cd08-4233-b5a1-a788aac88b51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/results", + "id": "013bdb4b-9246-4248-b0c3-7fb0fee42a29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/results", + "id": "6c35d2c6-09f2-4e5c-a094-e0e91327071d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/results", + "id": "12a7210b-f4b4-47d0-acac-0a819e2a0ca3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/results", + "id": "a92be1d5-d762-484a-86d6-8cd0907ba100", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/results", + "id": "990eaf09-d6f1-4c3c-b174-a517b1de8917", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/results", + "id": "d86655c0-92f6-4ffc-b4d5-5b5775804c27", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/results", + "id": "40d3df21-c170-4dbe-9c02-4289b51f994f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/results", + "id": "b481d46c-9c61-480f-86d9-af07146dc4a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/results", + "id": "dadc2f36-1f5a-46c0-8289-75e626583123", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/results", + "id": "03856cb2-e46c-4daf-bfbf-214ec93c882b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/results", + "id": "500ce696-d501-41dd-86eb-eceb011a386f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/results", + "id": "10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/results", + "id": "1a1aea94-745b-40a7-b860-0702ea6ee636", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/results", + "id": "2bd608ae-8a1f-457f-b710-c237883cb313", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/results", + "id": "d674aea4-ba8b-454b-bb97-88a772ea33f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/results", + "id": "543e38f4-1eee-479e-8eb0-15257013aa0a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/results", + "id": "663c442d-f918-4f62-b096-0bf5dcbeb655", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/results", + "id": "baade968-7467-41e4-bf22-83ca222f5800", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/results", + "id": "8c81d6c0-716b-49ec-afa5-2d62da4e3f3c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/results", + "id": "3b497874-ae59-46dd-8d72-1868a3b8f150", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/results", + "id": "b2f275be-7d64-4064-b418-be6b431363a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/results", + "id": "3b066059-f411-4554-ac8d-96f32bff90da", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/results", + "id": "1908a8ee-927d-4166-8f18-241152170cc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/results", + "id": "f368dd2d-9344-4146-a05b-7c6faa1269ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/results", + "id": "60b5f56b-66ff-4e1c-9b62-5753e16825bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/results", + "id": "561710b1-b845-4562-95ce-2397a05ccef4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/results", + "id": "a9228976-10cf-4b5f-b902-9e962aad037a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "bccb296f-362c-4b05-9221-86d1437a1016", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/results", + "id": "bf4b48b9-fc1f-4552-984a-4becdb5bf503", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/results", + "id": "f27791a5-e2ae-4905-8910-6f995c576d09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/results", + "id": "2ca87964-fe7e-4cdc-899c-427f0f3525f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/results", + "id": "b6a7e0ae-aed8-4a19-a993-a95760bf8836", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": "327b0729-4c5c-4c44-8b5c-e476cd9c7290", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/results", + "id": "daa581ef-731c-4121-832d-cf078f67759d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/results", + "id": "d991e4ae-42ab-429b-ab43-d5e5fa9ca633", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/results", + "id": "abcefee4-a0c1-4245-9f82-a473f79a9e2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/results", + "id": "9b18fc19-7fb8-49b1-8452-9c757c70f926", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/results", + "id": "e93bbe63-a631-4c0f-b6ef-700d48441ff2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/results", + "id": "a1120ee4-a712-42d9-8fb5-22595fed643b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/results", + "id": "00603add-7f72-448f-a6c0-9e456a7a3f94", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/results", + "id": "9850d621-7485-44f7-8bdd-b3cf426315cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/results", + "id": "647de8aa-5a42-41b5-9faf-22136f117380", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/results", + "id": "49e30ac8-f58e-4222-b488-3dcb90158ec1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/results", + "id": "cb8e4bf0-903d-45c6-a278-9a947d82a27b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "48f7e44d-d1d1-44c2-b336-9f11b65c4fb0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "965e8830-2bec-4b9b-a7f0-24dbc200a68f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/results", + "id": "95588189-1abd-4df1-9588-b0a5034f9e87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/results", + "id": "ee305555-6b1d-4055-94cf-e22131143c34", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/results", + "id": "a4d32883-aac7-42e1-b403-9415af0f3846", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/results", + "id": "4d424558-c6d1-453c-be98-9a7f877abd9a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/results", + "id": "d5d1fe08-89db-440c-8725-b93223387309", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/results", + "id": "434945e5-4dfd-41b1-aba1-47075ccd9265", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/results", + "id": "4495bc5d-4d1e-4a26-ae92-152d18195648", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/results", + "id": "dec7bc85-d156-4f64-9a33-96ed3d9f3fed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/results", + "id": "f99d3482-fa8c-4f79-bad9-35212dded164", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/results", + "id": "165aae3b-a56a-48f3-b76d-d2b5083f5b8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/results", + "id": "0d7ef70f-e176-44e6-bdba-add3e429788d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/results", + "id": "59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/results", + "id": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/results", + "id": "69b5d7da-a5db-4db9-a42e-90b65d0efb0b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/results", + "id": "ee3b1557-9fb5-4685-a95d-93f1edf2a0d7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/results", + "id": "1bcdf9f0-b1aa-40a4-b8c6-cd7785836843", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/results", + "id": "ed6e3ba0-278f-47b6-a1f5-173576b40b7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/results", + "id": "81ce9394-013d-4731-8fcc-9d229b474073", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/results", + "id": "39750e32-3fe9-453b-8c33-dd277acdb2cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/results", + "id": "f262118c-1ac6-4bb3-8495-cc48f1775b85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/results", + "id": "cb319d87-b90f-485e-a7e7-f2408380f309", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/results", + "id": "b9b7ada8-3868-4a35-854e-6100a2bb863d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/results", + "id": "1455cb21-1d48-46d6-8ae3-cef911b71fd5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/results", + "id": "ed6cf6ff-9a1f-491c-9f88-e03c0807f390", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/results", + "id": "67bfdff1-31ce-4525-b564-e94368735360", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/results", + "id": "5f670f9d-b1b4-4c90-8618-2288f1ab9676", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/results", + "id": "72ceb736-0aee-43ea-a191-3a69ab135681", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/results", + "id": "ec62a32c-a297-41ca-a850-cab40b42094a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/results", + "id": "8c0695d8-2378-4cd6-8243-7fd5894fa574", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/results", + "id": "88541597-6f88-42c8-bac6-7e0b855e8ff6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/results", + "id": "fe286195-e75c-4359-bd58-00847c4f855a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/results", + "id": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/results", + "id": "2b13c6ff-b87a-484d-86fd-21ef6e97d426", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/results", + "id": "6107c530-7178-464a-88bc-df9cdd364ac8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/results", + "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/results", + "id": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/results", + "id": "62232513-b16f-4010-83d7-51d0e1d45426", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/results", + "id": "8f98334a-99aa-4d85-b72a-1399ca010413", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/results", + "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/results", + "id": "c01d10de-c468-4790-b3a0-fc887a56f289", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/results", + "id": "60587dbd-6b67-432e-90f7-a8cf1892d968", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/results", + "id": "2ae9d554-23fb-4065-bfd1-fe43d5f7c419", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/results", + "id": "dd706080-b7a8-47dc-81fb-3e8184430ec0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/results", + "id": "e76fd7ab-7333-40c6-a2d8-ea28af4a319e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/results", + "id": "2bb13841-7575-439e-8e0a-cccd9ede2fa8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/results", + "id": "a9dfec39-a740-4105-bbd6-721ba163c053", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/results", + "id": "063234c0-91c0-4ab5-bbd0-47ddb5f23786", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/results", + "id": "41a38329-d81b-4be4-aef4-55b2615d3282", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/results", + "id": "a8128dd2-89b0-464b-98e9-5d629041dfe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/results", + "id": "89143358-cec6-49f5-9392-920c591c669c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/results", + "id": "5e0fb613-ba9b-44c3-88f0-b44188466bfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/results", + "id": "e8e62026-da63-4904-b402-65adfe3ca975", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/results", + "id": "66505003-7aba-45a1-8d83-5162d5706ef5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/results", + "id": "dcda2d32-e482-43ee-a926-75eaabeaa4e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/results", + "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/results", + "id": "b9c524a4-fe76-4021-a6a2-cb978fb4fde1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/results", + "id": "140869ea-25f2-40d4-a595-0c0da135114e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/results", + "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/results", + "id": "a597e05a-c065-44e7-9cc8-742f572a504a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/results", + "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/results", + "id": "dc158941-28ce-481d-a7fa-dc80761edf46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/results", + "id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/results", + "id": "44d434ca-a9bf-4203-8828-4c81a8d5a598", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/results", + "id": "9ef08939-ea40-489c-8851-667870b2ef50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/results", + "id": "4bb06fa1-2114-4a00-b7b5-6aeab8b896f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/results", + "id": "92d65c51-5d82-4507-a2a1-d252e9706855", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/results", + "id": "dbfc834a-56e5-4750-b5da-73fda8e73f70", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/results", + "id": "d2731f3d-a992-44ed-812e-f4f1c2747d71", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/results", + "id": "afecd1f1-6378-4f7e-bb3b-60c35801fdd4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/results", + "id": "0afa6ab8-a047-48cf-be07-93a2f8c34cf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/results", + "id": "de7f5e83-da88-4046-871f-ea18504b1d43", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/results", + "id": "6e3fd2ed-5c83-4c68-9679-7700d224d379", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "030d3b18-1821-45b4-9e08-50efbe7becbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/results", + "id": "3db3f534-e3a3-487f-88c7-0a9fbf64b702", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/results", + "id": "8bbb242f-6e38-4127-86d4-d8f0b2687ae2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/results", + "id": "ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/results", + "id": "1b6799eb-4a7a-4b04-9001-8cceb9999326", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/results", + "id": "625abc0e-f980-4ac9-a775-f7519ee34296", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/results", + "id": "b3a59b8e-94a3-403e-b6e2-527abaf12034", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "6b2739db-9c49-4db7-b980-7816e0c248c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/results", + "id": "671211c5-5d2a-4e97-8867-30fc28b02216", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/results", + "id": "b7c9a40c-23e4-4a2d-8d39-a3352f10f288", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/results", + "id": "c999cf62-0920-40f8-8dda-0caccd66ed7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/results", + "id": "982aa526-6970-4c59-8b9b-2ce7e019fe36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/results", + "id": "ed35928e-195c-4405-a252-98ccb664ab7b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/results", + "id": "15ccec05-5476-4890-ad19-53991eba1db8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/results", + "id": "0a96ce49-4163-4ee6-8169-eb3b0797d694", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/results", + "id": "4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/results", + "id": "0b4869fc-a842-4597-aa00-1294df425440", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/results", + "id": "a186e82c-1078-4a7b-85d8-579561fde884", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/results", + "id": "5813ef56-fa94-406a-b35d-977d4a56ff2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/results", + "id": "b2315cae-b110-4426-81e0-80bb8640cdd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/results", + "id": "d364984a-a222-4b5f-a8b0-e23ab19ebff3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/results", + "id": "1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/results", + "id": "3ddfa124-6407-4845-a501-179f90c65097", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "8e94dced-9bcc-4203-8eb7-7e41202b2505", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/results", + "id": "3b6d777b-76e3-4133-80a3-0d6f667ade7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/results", + "id": "ba48df05-eaa1-4d64-905e-4a4b051e7587", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/results", + "id": "cd1d93f2-8ed2-4eb5-b536-776619f1869b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/results", + "id": "9ef7d25d-9764-4224-9968-fa321c56ef76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "66cd88ac-9ddf-424a-b77e-e55e17630bee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/results", + "id": "1f624961-9a18-4387-91c8-3856e1974b6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/results", + "id": "9f40c07e-699e-4410-8856-3ba0f2e3a2dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/results", + "id": "1bc367f6-901d-4870-ad0c-71d79762ef52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/results", + "id": "c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/results", + "id": "874d68a3-bfbe-4a4b-aaa0-9e74d7da634b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/results", + "id": "94690d79-b3b0-43de-b656-84ebef5753e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/results", + "id": "55af1353-2f62-4fa0-a8e1-a210ca2708f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "00e5e55e-c2ff-46b3-a757-a7a1cd802456", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/results", + "id": "1419b4c6-6d5c-4534-9cf6-6a5266085333", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/results", + "id": "52ffcfa6-6c70-4ea6-8376-d828d3961669", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "5d9e3164-9265-470c-9a10-57ae454ac0c7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/results", + "id": "bd0088a5-c133-4b20-b129-ec9968b16ef3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/results", + "id": "ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/results", + "id": "4bb76f17-3d63-4529-bdca-2b454529d774", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/results", + "id": "8173d5eb-96b5-4aa6-a71b-ecfa153c123d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "17b30f8f-8dfb-4597-adf6-57600b6cf25e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "482b7d26-0bdb-4b5f-bf6f-545826c0a3dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/results", + "id": "5b8d7527-de8e-4114-b9dd-9d988f1f418f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/results", + "id": "38b85c45-e772-4de8-a247-69619ca137b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/results", + "id": "0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/results", + "id": "0f6cbf69-41bb-47dc-93f3-3844640bf480", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/results", + "id": "56a585f5-555c-48b2-8395-e64e4740a9cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/results", + "id": "eaaba502-2f94-411a-a3c2-83d63cc1776d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/results", + "id": "0afbcfe9-d341-4b92-a64c-7e6de0543879", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/results", + "id": "7dbba512-e244-42dc-98bb-422339827967", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/results", + "id": "db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/results", + "id": "5864d189-ee9a-4009-ac0c-8a582e6b7919", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/results", + "id": "44ceb4fa-0897-4fd2-b676-30e7a58f2933", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/results", + "id": "081069cb-588b-4ce1-884c-2a1ce3029fe5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/results", + "id": "6b6874fe-4c2f-4eea-8b90-7cceaa4a125e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/results", + "id": "8b1b1e67-6248-4dca-bbad-93486bb181c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/results", + "id": "2285e608-ddbc-47f3-ba54-ce7121e31216", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/results", + "id": "27c6a499-895a-4dc7-9617-5c485218db13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/results", + "id": "4beaf898-9f8b-4237-89e2-5ffdc7ee6006", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/results", + "id": "4c18a45b-4ab1-4790-9f83-399ac695f1e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/results", + "id": "9d0d4512-1959-43a2-a17f-72360ff06d1b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/results", + "id": "ef0b316a-211e-42f1-888e-64efe172b755", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/results", + "id": "7350fa23-dcf7-4938-916d-6a60b0c73b50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/results", + "id": "22fbfeac-7b5a-421a-8a27-7a2178bb910b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/results", + "id": "3deec14b-03d2-4d27-9670-7d79322e3340", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/results", + "id": "ec28bf61-a474-4dbe-b414-6dd3a067d6f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "ac5a0bc0-a54c-45aa-90c3-15f7703b9132", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/results", + "id": "abdb29d4-5ca1-4e91-800b-b3569bbd788c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "09c35abf-5852-4622-ac7a-b987b331232e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/results", + "id": "f11aec39-858f-4b6f-b946-0a1bf46c0c87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/results", + "id": "08bd0760-8752-44e1-9779-7bb369b2b4e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/results", + "id": "f0d8781f-99bf-4958-9917-d39283b168a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/results", + "id": "4f615f3e-fb9c-4fad-8b70-2e9f781806ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/results", + "id": "1e0ef61b-ad85-4518-a3d3-85eaad164885", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "46883ce1-dc3e-4b17-9195-c6a601624c73", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/results", + "id": "96ed3526-0179-4c73-b1b2-372fde2e0d13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/results", + "id": "2134641d-30a4-4b16-8ffc-2cd4c4ffd15d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/results", + "id": "bc1f9009-84a0-490f-ae09-3e0ea6d74ad6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/results", + "id": "4766d3ea-241c-4ee6-93ff-c380c996bd1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/results", + "id": "56f6a008-1b14-4af4-b9b2-ab7cf7e27641", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/results", + "id": "ce089fd4-1406-47bd-8aad-c259772bb294", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": "741f1291-47ac-4a85-a07b-3d32a9d6bd3e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/results", + "id": "0bc534c5-13d1-4353-a7fe-b8665d5c1d7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/results", + "id": "3d3f6270-546b-443c-adb4-bb6fb2187ca6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/results", + "id": "cc997676-481b-4e93-aa81-d19f8c5e9b12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/results", + "id": "e6b4b943-6883-47a9-9739-7ada9568f8ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/results", + "id": "5a2486aa-facf-477d-a5c1-b010789459ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/results", + "id": "23b70e32-032e-4fa6-ba5c-82f56b9980e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/results", + "id": "0b93729a-d882-4803-bdc3-ac429a21f158", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/results", + "id": "f1adc521-f79a-4d71-b55b-a68294687432", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/results", + "id": "7e4a6e76-568d-43ef-8c4e-36dea481bff1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/results", + "id": "60224630-175a-472a-9e23-133827040766", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/results", + "id": "d1846b12-20c5-4d45-8798-fc35b79268eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/results", + "id": "e86e26fc-489e-44f0-9bcd-97305e4ba69a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/results", + "id": "0e32d561-4b5a-4664-a6e3-a3fa85649157", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/results", + "id": "69e7c320-b65d-41bb-be02-d63ecc0bcc9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/results", + "id": "97cb0688-369a-4d26-b1f7-86c4c91231bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/results", + "id": "3206240f-2e87-4e58-8d24-3e19e7c83d7c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/results", + "id": "91f16d09-689e-4926-aca7-155157f634ed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/results", + "id": "bafe7989-3c4b-47f0-910b-e6e1cba7f146", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/results", + "id": "9f4a9409-9c60-4671-be96-9716dbf63db1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/results", + "id": "48207659-729f-4b5c-9402-f884257d794f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/results", + "id": "4d46ff3b-7160-41d1-a310-71d6d370b08f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/results", + "id": "fae52418-bb8b-4ac2-b287-0b9082d6a3fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/results", + "id": "25d251f3-f348-4f95-845c-1090e41a615c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/results", + "id": "63ebcb19-2739-4d3f-aa5c-e8bbb9b85281", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/results", + "id": "42f4b905-3736-4213-bfe9-c0660518cda8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/results", + "id": "61cf9883-1752-4768-b18c-0d57f2737709", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/results", + "id": "37304d3f-f852-40b8-ae3f-725e87a7cedf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/results", + "id": "ba40ace1-a047-483c-8a8d-bc2d3a67a82d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/results", + "id": "6db03a91-f933-4f13-ab38-a8b87a7de54d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/results", + "id": "8fdb08a0-a868-4fdf-9c27-ccab0237f1ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/results", + "id": "76976de7-c7b1-4f64-a94f-90c1345914c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/results", + "id": "1afbb3fa-cf6c-4a3d-b730-95e9f4df343e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/results", + "id": "5d89db57-8b51-4b38-bb76-b9bd42bd40f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/results", + "id": "8c849af7-a399-46f7-a34c-32d3dc96f1fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/results", + "id": "967eb3e6-26fc-497d-8895-6428beb6e8e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/results", + "id": "16c4216a-50d3-4785-bfb2-4adb5144a8ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/results", + "id": "7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/results", + "id": "acb6b4e2-a086-4f35-aefd-4db6ea51ada2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/results", + "id": "24e16922-4330-4e9d-be8a-caa90299466a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/results", + "id": "2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/results", + "id": "e7530c3c-b7cf-4149-8db9-d037a0b5268e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/results", + "id": "e979fcbc-df6c-422d-9458-c33d65e71c45", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/results", + "id": "20018359-6fd7-4d05-ab26-d4dffccbdf79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/results", + "id": "126c1788-23c2-4a10-906c-ef179f4f96ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/results", + "id": "4a800e14-c94a-442d-9067-5a2e9f6c0a4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/results", + "id": "3e34db4f-0ad9-4290-bfd0-4a9ee884acaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/results", + "id": "2b3c8a6d-9856-43e6-ab1d-d651094f03b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/results", + "id": "96e8183b-e985-457b-90cd-61c0503a3369", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/results", + "id": "01d50b14-e933-4c99-b314-6d08cd37ad35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/results", + "id": "ad5b4e97-2850-4adf-be17-1d293e0b85ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/results", + "id": "d25edb51-07fb-4a73-97d4-41cecdc53a22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "8f3c16b3-354d-45db-8ad5-5066778a9485", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "70b42736-efee-4bce-80d5-50358ed94990", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "3dd96caa-0b5f-4a85-b929-acfac4646cc2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "db78d14b-10e5-4e6e-84b1-dace6327b1ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "846646e3-2af1-428c-ac5d-271eccfa6faf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "04c686f1-e0cd-4812-88e1-4e038410074c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "ec49cbfd-fae4-45f3-81b1-860526d66e3f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "9b0ffadc-a61f-4c2a-b1e6-68fab60f6267", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "15e6ad8c-f420-49a6-bafb-074f5eb1ec74", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": "7d544dad-8a6c-431c-84c1-5f07fe9afc0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/results", + "id": "034d0aee-620f-4bf7-b7fb-efdf661fdb9e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "e77c89f6-9c85-49ea-b95b-5f960fe5be92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "c0c1e744-0f37-445e-924a-1846f0839f69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "60263b4a-6801-4587-911d-919c37ed733b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "7782d4b3-e23e-432b-9742-d9528432e771", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "78f1ec6f-5659-41ea-bd48-d0a142dce4f2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "ad296c0d-8131-4d6b-b030-1b0e73a99ad3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "571254d8-aa6a-432e-9725-535d3ef04d69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/results", + "id": "704dadd3-54fc-48ac-b6a0-02f170011473", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/results", + "id": "d7b9d850-3e06-4a75-852f-c46c2e92240b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/results", + "id": "1402afd8-a95c-4e84-8b0b-6fb43758e6ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/results", + "id": "ffac8a12-322e-42c1-b9b9-81ff85c39ef7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/results", + "id": "e592a0c5-5bdb-414c-9066-5dba7cdea370", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/results", + "id": "7081f85c-b94d-40fd-8b45-a4f1cac75e46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/results", + "id": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/results", + "id": "228497f6-414f-41c8-9113-f36a2b1b7975", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/results", + "id": "fc101ca7-c9dd-4198-a1eb-0fbe92e80044", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/results", + "id": "1bc1c685-e593-450e-88fb-19db4c82aa1d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/results", + "id": "b4378389-a9aa-44ee-91e7-ef183f11079e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/results", + "id": "2f37c4a3-58b9-4afe-8a87-d7f1d2286f84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/results", + "id": "ba2ed23b-52d3-45ca-be25-f6c358d45abd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/results", + "id": "bcdcbdc6-a350-4855-ae7c-d1e6436f7c97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/results", + "id": "575a2155-6af1-4026-b1af-d5bc8fe2a904", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/results", + "id": "12b7e704-37f0-4d1e-911a-44bf60c48c21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/results", + "id": "e39bee8c-fe54-4a3f-824d-e5e2d1cca40a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/results", + "id": "b1ffa705-19a3-4b73-b9d0-0c97d0663842", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/results", + "id": "b5681959-6c09-4f55-b42b-c40fa12d03ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/results", + "id": "3561130e-9c5f-485b-9e16-2764c82763e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/results", + "id": "9ec311bf-dfd9-421f-8498-0b063c8bc552", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/results", + "id": "c306ac53-ee5b-41d3-86a9-0fd2722b4e67", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/results", + "id": "a31a5a29-718a-4ff4-8001-a69e5e4d029e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/results", + "id": "862fe4bf-3eec-4767-a517-40f378886b88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/results", + "id": "5c6dd5e7-1fe0-4cae-8f81-4c122717cef3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/results", + "id": "7ebc9038-0bde-479a-acc4-6ed7b6758899", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/results", + "id": "0b530315-0ea4-497f-b34c-4ff86268f59d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/results", + "id": "1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/results", + "id": "720f44cf-285e-4b69-8f72-835e6bc1dceb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/results", + "id": "8152e0cf-d2f0-47ad-96d5-d003a76eabd1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/results", + "id": "0ca1017d-3b80-423e-bb9c-6cd5898d34bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/results", + "id": "75ec6890-83af-4bf1-9f16-e83726df0bd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/results", + "id": "e08ed7eb-f3ef-494d-9d22-2e3db756a347", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/results", + "id": "ad9dabc7-7839-4bae-a957-aa9120013f39", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/results", + "id": "ce60d060-efb8-4bfd-9cf7-ff8945d00d90", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/results", + "id": "66f130d9-b81d-4e8e-9b08-da74b9c891df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/results", + "id": "4eb5f791-c861-4afd-9f94-f2a6a3fe49cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/results", + "id": "31245f98-a6a9-4182-9fc1-45482b9d030a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/results", + "id": "54378d69-dd7c-4b08-a43e-80d563396857", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/results", + "id": "6db52fa6-d4da-4608-908a-89f0c59e743e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/results", + "id": "2f56b7ab-7fba-4e93-82f0-247e5ddeb239", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/results", + "id": "9ba198e0-fef4-464a-8a4d-75ea55300de7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/results", + "id": "c91d7ea0-d4d1-403b-8fe1-c9961ac082c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/results", + "id": "98d59056-f745-4ef5-8613-32bca8d40b7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/results", + "id": "45cff7b6-3b80-40c1-ba7b-2cf480678bb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/results", + "id": "a20be318-cac7-457b-911d-04cc6e812c25", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/results", + "id": "3af7f2fd-06e6-4dab-b996-2912bea19ba4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/results", + "id": "b592ffd4-0577-44b6-bd35-8c5ee81b5918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/results", + "id": "2f01fb2d-828a-499d-b98e-b83747305052", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/results", + "id": "89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/results", + "id": "bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/results", + "id": "820882c4-0c07-4686-b1ca-c69241c57470", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/results", + "id": "c53c7a89-f9d7-4c7b-8b66-8a555be99593", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/results", + "id": "3ef8696c-e4ae-4872-92c7-520bb44dfe77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/results", + "id": "2f737336-b18a-4602-8ea0-b200312e1ac1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/results", + "id": "e542bd46-58c4-4e0f-a52a-1fb4f9548e02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/results", + "id": "656880aa-1388-488f-a6d4-8f73c23149b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/results", + "id": "35113e6f-2c6b-414d-beec-7a9482d3b2d1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/results", + "id": "3199c26c-7871-4cb3-99c2-10a59244ce7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/results", + "id": "bca7cc4d-b3a4-4345-9461-eb69c68fcd26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/results", + "id": "1dc73fb4-5b51-430c-8c5f-25dcf9090b02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/results", + "id": "8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/results", + "id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/results", + "id": "254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/results", + "id": "15ffbacc-fa42-4f6f-a57d-2feac7365caa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/results", + "id": "0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/results", + "id": "cfdcabb0-fc06-427c-865b-c59f13e898ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/results", + "id": "af173fde-95ea-4584-b904-bb3923ac4bda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/results", + "id": "41abc6cc-dde1-4217-83d3-fb5f0cc09d8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/results", + "id": "151187cb-0efc-481c-babd-ad24e3c9bc22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/results", + "id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/results", + "id": "b161c11b-a59b-4431-9a29-4e19f63e6b27", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "eda48c88-2b7d-4e34-b6ca-04c0194aee17", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "b8a31292-509d-4b61-bc40-13b167db7e9c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "f906113d-cdc0-415a-ba60-609cc6daaf4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "f465fff1-0a0f-457d-aa4d-1bddb6f204ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "7c96920c-6fd0-449d-9a52-0aa431b6beaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "5b4d4aee-ac94-4810-9611-833636e5916d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "9a205ba3-0dd1-42eb-8d54-2ffec836b51a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "ee49557d-750c-4cc1-aa95-94ab36cbefde", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "be2aa235-bd93-4b68-978a-1cc65d49082f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "30b88745-eebe-4ecb-a3a9-5cf886e96204", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": "0a592060-8166-49f5-8e65-99ac6dce9871", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/results", + "id": "fa62ac4f-f5b9-45b9-97c1-625c8b6253ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "d6047119-a0b2-4b59-a4f2-127a36fb685b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "8f75840d-9ee7-42f3-b203-b40e3979eb12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "118281d0-6471-422e-a7c5-051bc667926e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "f1173d8c-3264-4148-9fdb-61181e031b51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "35ccf766-0e4d-41ed-9ec4-2dab155082b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "c583f0f9-7dfd-476b-a056-f47c62b47b46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/results", + "id": "970d224d-b42a-416b-81f9-8f4dfe70c4bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/results", + "id": "25db74bf-fa3b-44da-934e-8c3e005c0453", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/results", + "id": "7af43613-6bb9-4a0e-8c4d-1314b799425e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/results", + "id": "38c5ee0d-7f22-4260-ab72-5073048df100", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "57b9893d-33b1-4419-bcea-a717ea87e139", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/results", + "id": "64a222aa-7793-4e40-915f-4b302c76e4d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/results", + "id": "ffdf4b37-7703-4dfe-a682-9d2e99bc6c09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/results", + "id": "1df37f4b-7197-45ce-83f8-9994d2fcf885", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/results", + "id": "66c6f96f-2d9e-417e-a998-9058aeeecd44", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/results", + "id": "d0cc8694-fcad-43ff-ac86-32331d7e867f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/results", + "id": "d24c0755-c028-44b1-b503-8e719c898832", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/results", + "id": "f861041c-8c9f-4156-acfc-5e6e524f5884", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/results", + "id": "e39f87f5-0abf-488b-864c-63ee1f588140", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/results", + "id": "a8fc2180-b3ac-4c93-bd0d-a55b974e4b07", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/results", + "id": "5fb49a69-8d46-4495-a2f8-9c8c622b2b6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/results", + "id": "4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/results", + "id": "bf878b1a-7418-4de3-b13c-3a86cf894920", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/results", + "id": "a4966c4f-9141-48b8-a564-ffe9959945bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/results", + "id": "1a4bc881-9f69-4d44-8c9a-d37d08f54c50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "98a8f708-121b-455b-ae2f-da3fb59d17e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/results", + "id": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/results", + "id": "4fa66806-0dd9-4f8d-9480-3174d39c7c91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/results", + "id": "1ec253ab-c220-4d63-b2de-5b40e0af9293", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/results", + "id": "568a4d22-3517-44a6-a7ad-6a7eed88722c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/results", + "id": "42bb6b7f-6d54-4428-b707-666f669d94fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/results", + "id": "58b35504-0287-4154-bf69-02c0573deab8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/results", + "id": "f3674e0c-f6be-43fa-b71c-bf346d1aed99", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/results", + "id": "fa00ce45-386d-4718-8392-fb485e1f3c5b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/results", + "id": "b0d3ef3f-845d-4b1b-83d6-63a5a380375f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/results", + "id": "a2f548f2-188c-4fff-b172-e9a6acb216bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/results", + "id": "5c0003fb-9aa0-42c1-9da3-eb0e332bef21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/results", + "id": "68eb4bf3-f9bf-463d-b5cf-e029bb446d2e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/results", + "id": "65905cec-d691-4320-b320-2000436cb696", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/results", + "id": "cb3f5ed6-0d18-40de-a93d-b3538db31e8c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/results", + "id": "4849211b-ac39-479e-ae78-5694d506cb24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/results", + "id": "381c3f2a-ef6f-4eff-99f7-b169cda3422c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/results", + "id": "e35c16a2-d54e-419d-8546-a804d8e024d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/results", + "id": "92fe237e-074c-4262-81a4-2077acb928c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/results", + "id": "5ba6229c-8057-433e-91d0-21cf13569ca9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/results", + "id": "34b921bd-90a0-402e-a0a5-dc73371fd963", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/results", + "id": "084c6686-2a70-4710-91b1-000393e54c12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/results", + "id": "b1a72f66-2236-4f3b-87ba-0da1b366956f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/results", + "id": "b26d2b7e-60f6-413d-a3a1-a57db24aa2b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/results", + "id": "28545147-2fc6-42d5-a1f9-cf226658e591", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/results", + "id": "5ea624e4-c8b1-4bb3-87a4-4235a776adcc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/results", + "id": "54c417bf-c762-48b9-9d31-b3d87047e3f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/results", + "id": "816ea8cf-d589-442d-a917-2dd0ce0e45e3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/results", + "id": "730675f9-52ed-49b6-8ead-0acb5dd7df7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/results", + "id": "abb06e5f-ef9a-4a99-98c6-376d396bfcdf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/results", + "id": "e9b7acf9-9ba0-4837-a744-31e7df1e434d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/results", + "id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/results", + "id": "ce60cc6b-6831-4bd7-84a2-cc7f8ee71433", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/results", + "id": "ce9dfce0-5fc8-433b-944a-3b16153111a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/results", + "id": "132a8c31-9837-4203-9fd1-15ca210c7b73", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/results", + "id": "4003118b-046b-4640-b200-b8c7a4c8b89f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/results", + "id": "b72d0026-f649-4c91-a9ea-15d8f681ac09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/results", + "id": "6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/results", + "id": "91bea7b8-0c31-4863-adc9-93f6177266c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/results", + "id": "6d3dead4-c6b2-4db7-81bd-3a83eae8f255", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/results", + "id": "590d878b-abdc-428f-895a-e2b68a0e1998", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/results", + "id": "4728cd65-a20c-49da-8b31-9c08b423e4db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/results", + "id": "9630336b-3fed-4096-8173-b9afdfe346a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/results", + "id": "443488f5-c734-460b-a36d-5b3f330174dc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "9b877bd8-94b4-4c10-a060-8e0436cc09fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "bf9d42c7-c2f9-4dfe-942c-c8cc8249a081", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "6d23d87e-1c5b-4308-b224-92624300f29b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "e227091e-2228-4b40-b046-fc13650d8e88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "70cb518c-d990-46f6-bc05-44a5041493d6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "113208f2-a886-4526-9ecc-f3218600e12c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "0fd7d920-4711-46bd-aff2-d307d82cd8b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "1743f5f1-0bb0-4934-acef-c80baa5dadfa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "19ffbe31-9d72-4379-9768-431195eae328", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "89561b03-cb35-44a9-a7e9-8356e71606f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": "94fbe150-27e3-4eba-9ca6-af32865e4503", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/results", + "id": "8055dec2-efb8-4fe6-8837-d9bed6ff202a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "8bfbf7ab-d5e8-4100-8618-798956e101e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "eeb4d37a-3c59-4789-a00c-1509bc3af1e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "0c10d7da-85c4-4d62-b2a8-d6c104f1bd77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "43a41523-386a-4cb1-becb-42af6b414433", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "33627268-1445-4385-988a-318fd9d1a512", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "6deb34e2-5d9c-499a-801b-ea6d9eda894f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "b69247e5-7e73-464e-ba74-ec9b715c6e12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/results", + "id": "9a4ef195-74b9-4c58-b8ed-2b2fe4353a75", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/results", + "id": "f83121ea-03da-434f-9277-9cd247ab3047", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/results", + "id": "b3a41501-f712-4c4f-81e5-db9a7dc0e34e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/results", + "id": "52f04a44-6bfa-4c41-b1d3-4ae99a2de05c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/results", + "id": "fd632aaf-b8a1-424d-a4d1-0de22fd3247a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/results", + "id": "3a1e94df-6847-4c0e-a3b6-6c6af4e128ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/results", + "id": "b9033580-6886-401a-8631-5f19f5bb24c7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/results", + "id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/results", + "id": "86571149-eef3-4280-a645-01e60df854b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/results", + "id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/results", + "id": "54229498-850b-4f78-b3a7-218d24ef2c37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/results", + "id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/results", + "id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/results", + "id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/results", + "id": "12933609-c5bf-44b4-9a41-a6467c3b685b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/results", + "id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/results", + "id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/results", + "id": "baecd2da-492a-4d59-b9dc-29540a1398e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/results", + "id": "1ec163d0-a9be-4695-89a8-a4028a2cbae7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/results", + "id": "99b47957-c575-4555-b8c0-ff92384249b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/results", + "id": "8553d83f-fe77-4c96-8850-a95c5895b336", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/results", + "id": "1219a37a-9a2c-420d-8b8c-30bdbc3bfeb1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/results", + "id": "d0514e4b-9e95-4a7a-9bc5-0adb32514122", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/results", + "id": "62d120b1-b1e0-40ef-a81d-a4994ac88b3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/results", + "id": "a7b422e3-0b2f-4795-a43a-136dbbd6cbb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/results", + "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/results", + "id": "b97a1065-a86b-442f-86c4-f95afd9b3ac6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/results", + "id": "8ce5c61f-5cd1-41bc-b7d9-b26b18efd505", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/results", + "id": "f677bd92-3922-4e75-8f0c-2c0f8fbc9609", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/results", + "id": "a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/results", + "id": "b897dfbf-322c-45a8-b67c-1e698beeaa51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/results", + "id": "b17d8bb8-4c08-4785-867e-cb9e62a622aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/results", + "id": "f5342045-b935-402d-adf1-8dbbd09c0eef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/results", + "id": "599318f2-6653-4569-9e21-041d06c63a89", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/results", + "id": "86f92117-eed8-4614-9c6c-b26da20ff37f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/results", + "id": "43789711-161b-4708-b5bb-9d1c626f7492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/results", + "id": "0493b840-50e8-430c-93bc-d794d72931a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/results", + "id": "c7fc1481-2899-4490-bbd8-544a3a61a2f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/results", + "id": "85da374f-b00f-4832-9d44-84a1ca1e89f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/results", + "id": "525b53be-62ed-4244-b4df-41aecfcb4071", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/results", + "id": "b61cce4b-0cc4-472b-8096-15617a6d769b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/results", + "id": "b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/results", + "id": "0f7964fa-96fd-4a72-9fb7-3cdef71479db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/results", + "id": "96fe318e-d631-4156-99fa-9080d57280ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/results", + "id": "cc4aaa9d-1070-461a-b519-04e00f42db8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/results", + "id": "a21c8da9-41bf-40cf-941d-330cf0d11fc7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/results", + "id": "a81573f9-3691-4d83-88a0-7d4af63e17a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/results", + "id": "4a9e0f00-0765-4f72-a0d4-d31110b78279", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/results", + "id": "77deea6a-155e-4865-bf04-153d23e488e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/results", + "id": "a187ac47-8163-42ce-8a63-c115236be6fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/results", + "id": "835a4f2f-df43-437d-9943-545ccfc55961", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/results", + "id": "dafe30ec-325d-4516-85d1-e8e6776f012c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/results", + "id": "7a0164a5-ec6e-40b2-938d-ab3edfd37dcd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/results", + "id": "8d407b28-c746-4650-8bbd-d27df54a795f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/results", + "id": "056d28cc-7ee9-4b12-b2d1-16b7b66db72d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/results", + "id": "829246df-02c5-490c-993b-10a07a7242e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/results", + "id": "02f0e3e7-2550-4d75-a23b-ab5254a3ebeb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/results", + "id": "71884fcb-ae03-41c8-87b9-22c90353f256", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/results", + "id": "12ecec8a-7961-48db-b644-86be8845d8fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/results", + "id": "56dad03e-e94f-4dd6-93a4-c253a03ff7a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/results", + "id": "c2a3efb6-8a58-481c-82f2-bfddf34bb4b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/results", + "id": "61c3cb8b-0715-47e4-b788-86dde40dd2db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/results", + "id": "0bd3630a-2ae9-4522-9d66-04049654b1df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/results", + "id": "05d6b52e-11ca-453d-bb3a-21c7c853ee92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/results", + "id": "416ac446-9a2e-4f6d-84d2-82add788c7da", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "a5613650-32ec-4975-a305-31af783153ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/results", + "id": "21fa1872-47b3-46ec-9775-f41e85d80cb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/results", + "id": "68403c84-8497-449b-9946-ae848765813f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/results", + "id": "9db38e87-f6aa-4b5e-a1ec-7266df259409", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/results", + "id": "a99130ab-4c0e-43aa-97f8-78d4fcb30024", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/results", + "id": "54087baa-8719-48a8-8460-9cc0962117aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/results", + "id": "a829b715-cf75-4e92-b645-54c9b739edfb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/results", + "id": "e65a0733-94a0-4826-82f4-df529f4c593f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/results", + "id": "9bb3c639-5edf-458c-8ee5-30c17c7d671d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/results", + "id": "03928f0d-bff0-4feb-a31a-615d093e6026", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/results", + "id": "9dab0179-433d-4dff-af8f-0091025691df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/results", + "id": "ace823d1-4432-4dee-945b-cdf11a5a6bd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/results", + "id": "c87749b3-ff10-41f5-9df2-c421e8151759", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/results", + "id": "45fc717a-bd86-415c-bdd8-677901be1aa6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/results", + "id": "8b042c30-e441-453f-b162-7696982ebc58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/results", + "id": "4d080822-5ee2-49a4-8984-68f3d4c890fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/results", + "id": "cec6e005-9309-46eb-b34b-456f6eae818b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/results", + "id": "f8e08a38-fc6e-4915-abbe-a7aadf1d59ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/results", + "id": "fbb8e5e0-6dea-41d3-8739-4f2405b0e22a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/results", + "id": "9b0140d1-50c1-4deb-ba58-472315c7a1ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/results", + "id": "ffb02aca-0d12-475e-b77c-a726f7aeff4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/results", + "id": "7fa50094-0ca5-4253-aa71-f1a3b575d4a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/results", + "id": "7f0a8696-7159-4337-ad0d-8a3ab4a78195", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/results", + "id": "0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/results", + "id": "22cb3507-1ef4-44ac-9c9a-cab31167e31e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/results", + "id": "609839ae-bd81-4375-9910-5bce72ae7b92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/results", + "id": "25cd1853-7e80-4106-9ac3-03f8636c25be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/results", + "id": "ade36cf4-329f-4830-a83d-9db72c800507", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/results", + "id": "f118890b-2468-42b1-9ce9-af35146b425b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/results", + "id": "73e42469-3a86-4f39-ad78-098f325b4e9f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/results", + "id": "4216ebac-d74c-4423-b437-35025cb88af5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/results", + "id": "c1573577-e494-4417-8854-7e119368dc8b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/results", + "id": "b90842e5-6779-44d4-9760-972f4c03ba1c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/results", + "id": "3790d386-be81-4dcf-9850-eaa7df6c10d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/results", + "id": "c640d783-10c5-4071-b6c1-23507300d333", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/results", + "id": "07f7134f-9f37-476e-8664-670c218e4702", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/results", + "id": "16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/results", + "id": "9f15ecc4-d9df-44ba-bb88-28c97e946114", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/results", + "id": "6425c98b-ca4e-41fe-896a-c78772c131f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/results", + "id": "c407c3cf-c409-4b29-b590-db5f4138d332", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/results", + "id": "2b3c671f-1b76-4741-8789-ed1fe0785dc4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/results", + "id": "17f75827-0684-48f4-8747-61129c7e4198", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/results", + "id": "efbf6449-5ec5-4cfe-8f15-acc51e0d787c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/results", + "id": "d3ba7d62-bd07-4102-88ca-9668e5f08e7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/results", + "id": "0af1814d-23d7-472e-a1b8-b265e7b0d88f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/results", + "id": "b373043c-f3bf-40db-b67a-c982732c7781", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/results", + "id": "e29a75e6-aba3-4896-b42d-b87818c16b58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/results", + "id": "d501246e-45d4-48fd-8975-a23e7124bdfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/results", + "id": "e22e5620-3679-418e-bb74-c9f71731ab0f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/results", + "id": "fd8da341-6760-4450-b26c-9f6d8850575e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/results", + "id": "b947809d-dd2f-4de9-b724-04d101c515aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/results", + "id": "5089d055-53ff-421b-9482-a5267bdce629", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/results", + "id": "50f32d3c-096e-406a-bb26-71b3c91c11c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/results", + "id": "8e75e431-449f-49e9-b56a-c8f1378025cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/results", + "id": "3fa5900f-9aac-4982-96b2-a6143d9c99fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/results", + "id": "dfa20ffa-f476-428f-a490-424b41e91c7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/results", + "id": "819d50fd-1cdf-45c3-9936-be408aaad93e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/results", + "id": "34664094-59e0-4524-b69f-deaa1a68cce3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/results", + "id": "5c822443-e1ea-46b8-84eb-758ec602e844", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/results", + "id": "594c198b-4d79-41b8-9b36-fde13348b619", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/results", + "id": "e9dee01f-2505-4df2-b9bf-7804d1fd9082", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/results", + "id": "c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/results", + "id": "8a0628ed-6256-4a24-a1ab-54696fb69197", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/results", + "id": "2b856bf9-8e8c-4005-875f-303a8cba3918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/results", + "id": "7750fcca-dd03-4d38-b663-4b70289bcfd4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/results", + "id": "59acb56b-2b10-4c2c-ba38-f2223c3f5cfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/results", + "id": "9c301481-e6ec-44f7-8a49-8ec63e2969ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/results", + "id": "261a83f8-dd72-4e8c-b5e1-ebf06e8fe606", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/results", + "id": "83a229ba-483e-47c6-8db7-dc96969bce5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/results", + "id": "0745bb3f-60dc-43b6-90ae-67bb01fd1775", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/results", + "id": "55975007-f6e7-4134-83c3-298f1fe4b519", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/results", + "id": "f7e296b0-6660-4bc5-8f87-22ac4a815edf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/results", + "id": "25c0ea09-f1c5-4380-b055-3b83863f2bb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/results", + "id": "bcd3fc01-5902-4f2a-b05a-227f9bbf5450", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/results", + "id": "2ab6de9a-0136-415c-be92-79d2e4fd750f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/results", + "id": "3e3c175e-aadf-4e2b-a464-3fdac5748d24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/results", + "id": "0437633b-daa6-4bbc-8526-c0d2443b946e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/results", + "id": "12944ec4-1fa0-47be-8b17-42a034f937c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/results", + "id": "621fc7c5-c342-4223-b3dd-d1530acb43ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/results", + "id": "8263f146-5e03-43e0-9cfe-db960d56d1e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/results", + "id": "233ab26d-8f17-4dce-9616-41479da9ffe3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/results", + "id": "50e0a9e3-7360-483c-9873-ba1ea1a7faf8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/results", + "id": "45f3e879-f8a7-4102-a3fa-46da5a849870", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/results", + "id": "9bf1568d-4cd2-4581-81ef-d2efabee1178", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/results", + "id": "0cc95bf8-9b98-4278-ad9f-fea4aed3d271", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/results", + "id": "dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/results", + "id": "5ed0a5f3-6b81-4a6c-a7d1-0f1d8d9ae806", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/results", + "id": "3ac3e75c-6374-4a32-8ba0-6ed69bda404e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/results", + "id": "5400f379-a347-4bdd-a032-446465fdcc6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/results", + "id": "d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/results", + "id": "41d7989b-3be2-4081-8c79-cf903dd174c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/results", + "id": "38c71c00-c177-4cd7-8d36-cd1007cdb190", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/results", + "id": "b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/results", + "id": "bbf6b3df-4b65-4f87-82cc-da9f30f8c033", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/results", + "id": "187e6d39-5e1e-4afa-9c0a-b79632eef346", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/results", + "id": "59528fe9-0c8e-4153-8016-445911a2d933", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/results", + "id": "a5cfef8f-910e-4fd6-8155-f381b236a492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/results", + "id": "30c7c2f1-c048-49ba-81a4-ae465bbb3335", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/results", + "id": "0536c90c-714e-4184-991e-3fed8d8b7b46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/results", + "id": "2e48d91c-50e4-45c8-9312-27b625868a72", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/results", + "id": "11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/results", + "id": "953c0cc6-5f30-44cb-a803-bf4ef2571be8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/results", + "id": "b0749c53-e3ff-4d09-bbe4-dca94e2e7a38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/results", + "id": "38028698-e663-4ef7-aa92-773fef0ca86f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/results", + "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/results", + "id": "a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/results", + "id": "23c3067a-8cc9-480c-b645-7c1e0ad4bf60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/results", + "id": "23e1f5f0-12b7-4d7e-9087-f60f42ccd514", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/results", + "id": "7d05ca25-91b4-42ee-b6f6-b06611a87ce8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/results", + "id": "2c4fe4a9-f44b-4c70-b09b-5b75cd251805", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/results", + "id": "5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/results", + "id": "375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/results", + "id": "e576ce44-dd03-4022-a8c0-3906acca2ab4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", + "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/results", + "id": "5ef61c88-bbb4-4725-b1df-55d23c9676bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "a6cd52a1-3056-4910-96a5-894de9f3f3b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/results", + "id": "c010082c-76e0-4b91-91d9-6e8439e455dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "d6cabc3a-d57e-48c2-b341-bf3dd4f4a120", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "e7e961ac-d17e-4413-84bc-8a1fbe242944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/results", + "id": "65c1bc7a-4835-4ac4-a2b6-13d310b0648d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/results", + "id": "99976ba0-aa37-4745-93a6-5f1d55997f67", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/results", + "id": "8a893e46-e267-485a-8690-51f39951de58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/results", + "id": "b1d51728-7270-4991-ac2f-fc26e2695b38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/results", + "id": "ccc3100c-0fdd-4a5e-9908-c10107291860", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/results", + "id": "7bd9c6a8-3b1f-495c-9752-a4a9c4e1b29f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/results", + "id": "c1701dcf-24df-4675-b863-340233c4e34f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/results", + "id": "5baa92d2-d8ee-4c75-88a4-52d9d8bb8067", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/results", + "id": "1c8eef02-17b1-4a3e-b01d-dcc3292d2c38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/results", + "id": "40abce54-95b1-478c-8e5f-ea0bf0bb0e33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/results", + "id": "22ef1d26-80f8-4a6c-8c15-f35aab3cac78", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/results", + "id": "e6f61c37-106b-449f-a5bb-81bfcaceb8b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "14a457f0-473d-4d1d-9e37-6d99b355b336", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/results", + "id": "40430747-442d-450a-a34f-dc57149f4609", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/results", + "id": "ee7b93c1-b3f8-4a3b-9588-146d481814f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "acfdbec6-4a17-471f-b412-169d77553332", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/results", + "id": "cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/results", + "id": "8ca7e731-56f6-4fb4-9b98-fcb0a93518c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/results", + "id": "59571246-3f62-4965-a96f-c7d97e269351", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/results", + "id": "617ef6ff-711e-4bd7-94ae-e965911b1b40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/results", + "id": "84d36481-fd63-48cb-838e-635c44806ec2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/results", + "id": "c68b4e6d-4e01-4ca1-b256-1e18e875785c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/results", + "id": "bb0db090-5509-4853-a827-75ced0b3caa0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/results", + "id": "d8c57c4e-bf6f-4e32-a2bf-8643532de77b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/results", + "id": "89fe890f-b480-460c-8b6b-7d8b1468adb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/results", + "id": "c606ba1d-d736-43eb-ac24-e16108f3a9e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/results", + "id": "f34c0c25-47b4-41eb-9c79-249b4dd47b89", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/results", + "id": "92e4464a-4139-4d57-8742-b5acc0347680", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/results", + "id": "16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/results", + "id": "ced11de2-e701-4e63-83ab-4fdb1ab8c5dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/results", + "id": "73fb21a1-b19a-45b1-b648-b47b1678681e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/results", + "id": "700f1049-7fa0-4cb0-971b-3efebfb6a91f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/results", + "id": "39d83c5a-2df4-4a2c-8ffb-b96b1bc3a813", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/results", + "id": "69d4f245-d534-479e-8bcc-f6a836276dc8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/results", + "id": "a881b71c-73ac-4358-879c-e3271db5a3c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/results", + "id": "11e7550e-c4b6-472e-adff-c698f157cdd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/results", + "id": "b139213e-7d24-49c2-8025-c18faa21ecaa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/results", + "id": "9356962e-4a4f-4d06-ac59-dc8008775eaa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/results", + "id": "32ecd6eb-0711-421f-9627-1a28d9eff217", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/results", + "id": "d0b4d550-c001-46c3-bbdb-d5d75d33f05f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/results", + "id": "128df7ec-f185-48bc-8913-ce756a3ccb85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/results", + "id": "9192e0f9-eca5-4056-9282-ae2a736a4088", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/results", + "id": "6ccb85d7-0420-4907-9380-50313f80946b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "3e4d5ce6-3280-4027-8010-c26eeea1ec01", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/results", + "id": "678fd659-96f2-454a-a2a0-c2571f83a4a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/results", + "id": "cefdad16-0dd5-4ac5-8ed2-a37502c78672", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/results", + "id": "4b5ee6a4-5682-4725-8a7a-d9e9a51986c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/results", + "id": "579a0727-9c29-4d58-8195-fc5802a8bdb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/results", + "id": "1b44e234-3d73-41a8-9954-0b154135280e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/results", + "id": "cf3c7631-cd1e-42f3-8801-a561214a6e79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/results", + "id": "b187edca-b81e-4fdc-aff4-aab57db45edb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/results", + "id": "c3655703-569b-42ec-8027-ef8835d989c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/results", + "id": "b5b70198-2a34-4792-b0d9-ce99abe485bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/results", + "id": "f5aff735-fd1c-4751-a5e9-98bfe4893fa2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/results", + "id": "1c329b9b-8221-4b55-8d5f-f0959faf9cee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/results", + "id": "c8e4444e-d9a9-4426-be8e-9f1b8c43133c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/results", + "id": "18cb7d28-57df-4d6b-9fb4-02828cb15660", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/results", + "id": "51a2c34d-dfd0-436f-aa34-e8f796e052fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/results", + "id": "00335e17-674c-442e-a64c-9436e60e6efb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/results", + "id": "5a8c5d26-c592-4c98-afac-9762c54cc868", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/results", + "id": "d4436ca8-1caf-427c-8911-8b4d31ff6b40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "02474449-71aa-40a1-87ae-e14497747b00", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/results", + "id": "13de4e49-d407-4277-ba5a-d7f59283902f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/results", + "id": "ecbbe763-95dc-47e6-8660-84ff751e5acf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/results", + "id": "245eb024-d08a-449b-a1f2-02f7bba00fc2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/results", + "id": "fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/results", + "id": "8895abb4-6491-4ae6-9c33-c2f360752b7a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/results", + "id": "c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/results", + "id": "4c7ebcb2-eae2-461e-bc83-456ee2d4f694", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/results", + "id": "30e8dfd2-3591-4d19-8d11-79e93106c93d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/results", + "id": "704fcc44-a58f-4af5-82e2-93f2a58ef918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/results", + "id": "3cb4af0b-056d-4fb1-8b95-fdc4593625ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/results", + "id": "97fa667a-d05b-4f16-9071-58b939f34751", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/results", + "id": "bc280331-27b9-4acb-a010-018e8098aa5d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/results", + "id": "895ed0d9-6fec-4567-8614-d7a74b599a53", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/results", + "id": "c9d81239-c818-4869-9917-1570c62b81fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/results", + "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/results", + "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/results", + "id": "bc75ce52-a60a-4660-b533-bce837a5019b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/results", + "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/results", + "id": "3a81fc06-566f-492a-91dd-7448e409e2cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/results", + "id": "1e434b25-8763-4b00-a5ca-ca03b7abbb66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/results", + "id": "59312e8a-a64e-41e7-a252-618533dd1ea8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/results", + "id": "2a153952-2544-4687-bcc9-cc8fea814a9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/results", + "id": "fc5109bf-01fd-49fb-8bde-4492b543c34a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/results", + "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/results", + "id": "15d8a7fd-465a-4d15-a868-add86552f17b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/results", + "id": "17172bc2-56fb-4f17-916f-a014147706cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/results", + "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/results", + "id": "587d5d82-70cf-449b-9817-f60f9bccb88c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/results", + "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/results", + "id": "60af03ff-a421-45c8-b214-6741035476fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/results", + "id": "0ad60203-c050-4115-83b6-b94bde92541d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/results", + "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/results", + "id": "3f55386d-75cd-4e9a-ac47-167b26c04724", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/results", + "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/results", + "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/results", + "id": "58876b44-a690-4e9f-9214-7735fa0dd15d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/results", + "id": "737a0dd9-0aaa-4145-8118-f01778262b8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/results", + "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/results", + "id": "a05331ee-1653-45cb-91e6-13637a76e4f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/results", + "id": "4e203a65-c8d8-49a2-b749-b124d43c9dc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/results", + "id": "17e52ca3-ddd0-4610-9d56-ce107442e110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/results", + "id": "aa737abf-6b1d-4aba-95aa-5c160bd7f96e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/results", + "id": "228c4c19-feeb-4c18-848c-800ac70fdfb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/results", + "id": "26b047a9-0329-48fd-8fb7-05bbe5ba80ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/results", + "id": "e2c83c1f-84d7-4467-966c-ed41fd015bb9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/results", + "id": "e76cca7c-c3f9-4fc9-884c-b2831168ebd8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/results", + "id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/results", + "id": "fd097ed0-7fe6-4f58-8b71-fef9f0820a21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/results", + "id": "21719347-d02b-497d-bda4-04a03c8e5b61", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/results", + "id": "bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/results", + "id": "bd6bd46c-57db-4887-956d-d372f21291b6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/results", + "id": "9aa32890-ac1a-45ee-81ca-5164e2098556", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/results", + "id": "e5587d53-a673-4a6b-b3f2-ba07ec274def", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/results", + "id": "b80b14c6-aaa2-4876-b651-8a48b6c32fbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/results", + "id": "21cef75f-289f-470e-8038-c7cee0664164", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/results", + "id": "86a947ea-f577-4efb-a8b0-5fc00257d521", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/results", + "id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/results", + "id": "ad69e38a-d92e-4357-a8da-f2f29d545883", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/results", + "id": "c878abb4-cca5-4724-92b9-289be68bd47c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/results", + "id": "4950837c-0ce5-4e42-9bee-a25eae73740b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/results", + "id": "2bff9906-4e9b-4f71-9346-8ebedfdf43ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/results", + "id": "51bed0ac-a8ae-407a-895e-90c6cb0610ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/results", + "id": "a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/results", + "id": "48388bd2-7201-4dcc-b56d-e8a9efa58fad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/results", + "id": "826abb30-3cd5-4e0b-a93b-67729b4f7e63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/results", + "id": "8657197e-3f87-4694-892b-8144701d83c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/results", + "id": "3360c01e-c8c0-4812-96a2-a6329b9b7f9f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/results", + "id": "d532566b-8d9d-4f3b-80bd-361fe802f9c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/results", + "id": "4c415497-7410-4559-90e8-f2c8ac64ee38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/results", + "id": "455f2e0c-686d-4fcb-8b5f-3f953f12c43c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/results", + "id": "6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/results", + "id": "07fc3413-e572-42f7-9877-5c8fc6fccfb5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/results", + "id": "24b132df-5cc7-4823-8029-f898e1c50b72", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/results", + "id": "a9a13d4f-f17a-491b-b074-f54bffffcb4a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/results", + "id": "5c281bf8-d9bb-47f2-b909-3f6bb11874ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/results", + "id": "2a52567c-abb8-4651-a038-52fa27c77aed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/results", + "id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/results", + "id": "ac1564a3-c324-4747-9fa1-9dfc234dace0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/results", + "id": "f74b9c43-161a-4799-bc95-0b0ec81801b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/results", + "id": "fcc2612a-1dfe-46e4-8ce6-0320959f0040", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/results", + "id": "7249e3b0-9231-4af3-bc5f-5daf4988ecbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/results", + "id": "420e6360-47bb-46f6-9072-b20ed22c842d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/results", + "id": "ca2fba76-c1a7-4afd-be67-5249f861cb0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/results", + "id": "abcb818b-5af7-4d72-aba9-6dd84956b451", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/results", + "id": "a62a99d1-8196-432f-8f80-3c100b05d62a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/results", + "id": "4e74cf4f-ff65-4c1a-885c-67ab608206ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/results", + "id": "a737be28-37d8-4bff-aa6d-1be8aa0a0015", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/results", + "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/results", + "id": "b2ea2367-8dc9-4231-a035-d0b28bfa3dde", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/results", + "id": "89218b48-75c9-4cb3-aaba-5299e852e8bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/results", + "id": "41c127a9-3a85-4bc3-a333-ed374eb9c3e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/results", + "id": "e4610872-0b1c-4fb7-ab57-d81c0afdb291", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/results", + "id": "e5071f76-cbe7-468d-bb2b-d10f02d2b713", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/results", + "id": "fb387023-e4bb-42a8-9a70-6708aa7ff21b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/results", + "id": "9bf57c23-fbab-4222-85f3-3f207a53c6a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/results", + "id": "940ddce2-26bd-4e31-a9b4-382714f73231", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/results", + "id": "a0b846e8-815f-4f15-b660-bc4ab9fa1e1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/results", + "id": "a1defcb6-55e8-4511-8c2a-30b615b0e057", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/results", + "id": "5061f84c-ab66-4660-90b9-680c9df346c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/results", + "id": "afcb0771-4f94-44ed-ad4a-9f73f11ce6e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/results", + "id": "e2de2b80-2fc2-4502-a764-40930dfcc70a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/results", + "id": "9f751a80-31f0-43a3-926c-20772791a038", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/results", + "id": "94e47f3f-b90b-43a1-a36d-521580bae863", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/results", + "id": "944439c7-b4b8-476a-8f83-14641ea876ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/results", + "id": "675e8eaa-2754-42b7-bf33-bfa295d1601d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/results", + "id": "4b801c38-ebb4-4c81-984b-1ba525d43adf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/results", + "id": "e840c54a-7a4c-405f-b8c1-c49a54b87d11", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/results", + "id": "8d7758a7-d9cd-499a-a83e-c9bdcbff728d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/results", + "id": "30c2760c-740e-4672-9d7f-2c29e0cb385d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/results", + "id": "e7dada38-af20-4899-8955-dabea84ab1f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/results", + "id": "b3535a48-910c-47f8-8b3b-14222f29ef80", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/results", + "id": "5d820574-4a60-4916-b049-0810b8629731", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/results", + "id": "18d6aa4b-7570-4d95-9c75-90363ef1abd9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/results", + "id": "ca94be07-7de3-4ae7-85ef-67e0462ec694", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/results", + "id": "ada01ed1-b10c-4f2a-b110-b20fa4f9baa6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/results", + "id": "fe08b81c-12e9-4b5e-9006-4218fca750fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/results", + "id": "966ed4f7-b8a5-4e8d-b2bf-098657c98960", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/results", + "id": "a74b4602-a62c-4a02-956a-e19f86ea24b5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/results", + "id": "93bb2065-63ec-45a2-a466-f106b56f2e32", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/results", + "id": "b4e75c5c-83d5-4568-90e3-57ed5ec4051b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/results", + "id": "5bb6fa08-5e84-4760-a54a-cdcd66626976", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/results", + "id": "1ee0f202-31da-49ba-bbce-04a989912e4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/results", + "id": "d135a36e-c474-452f-b891-76db1e6d1cd5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/results", + "id": "3ed47402-e322-465f-a0f0-8681135a17b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/results", + "id": "df6928ed-02f4-421f-9a67-a529860dd7e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/results", + "id": "fe405074-7e18-40f9-9aef-024aa1d0a889", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/results", + "id": "a3240001-40db-47b7-abb9-2bcd6a04c430", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/payloads" + } + ] +} \ No newline at end of file diff --git a/.github/scripts/generate-positive-expective-results/write_expected_results.py b/.github/scripts/generate-positive-expective-results/write_expected_results.py new file mode 100644 index 00000000000..53955ea0063 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/write_expected_results.py @@ -0,0 +1,99 @@ +import json +from pathlib import Path + +from models import TestList +from runner import run_all + + +def write_positive_expected_results(test_list: TestList) -> None: + """For each query, write positive_expected_result.json in the test_path directory.""" + total = len(test_list.queries_list) + written = 0 + skipped = 0 + + for i, query in enumerate(test_list.queries_list, start=1): + if not query.results_info: + print(f"[{i}/{total}] Skipping query {query.id} — no results") + skipped += 1 + continue + + test_dir = Path(query.test_path) + test_dir.mkdir(parents=True, exist_ok=True) + + output_file = test_dir / "positive_expected_result.json" + + expected_results = [] + for ri in query.results_info: + expected_results.append({ + "queryName": ri.query_name, + "severity": ri.severity, + "line": int(ri.line) if ri.line.isdigit() else ri.line, + "filename": ri.filename, + "resourceType": ri.resource_type, + "resourceName": ri.resource_name, + "searchKey": ri.search_key, + "searchValue": ri.search_value, + "expectedValue": ri.expected_value, + "actualValue": ri.actual_value, + }) + + expected_results.sort(key=lambda r: ( + r["filename"], + r["line"] if isinstance(r["line"], int) else 0, + )) + + with open(output_file, "w", encoding="utf-8") as f: + json.dump(expected_results, f, indent=2, ensure_ascii=False) + + print(f"[{i}/{total}] Wrote {output_file} ({len(expected_results)} results)") + written += 1 + + print(f"\nDone: {written} files written, {skipped} skipped") + + +def write_skipped_queries_report(test_list: TestList, output_path: str | Path | None = None) -> None: + """Write a JSON report of queries that produced no results, including the raw scan output.""" + if output_path is None: + output_path = Path(__file__).resolve().parent / "skipped_queries_report.json" + else: + output_path = Path(output_path) + + skipped_queries = [] + + for query in test_list.queries_list: + if query.results_info: + continue + + raw_results = None + results_file = Path(query.results_file_path) / "all_results.json" + if results_file.is_file(): + with open(results_file, "r", encoding="utf-8") as f: + raw_results = json.load(f) + + skipped_queries.append({ + "id": query.id, + "test_path": query.test_path, + "results_file_path": query.results_file_path, + "return_code": query.return_code, + "all_results": raw_results, + }) + + with open(output_path, "w", encoding="utf-8") as f: + json.dump(skipped_queries, f, indent=2, ensure_ascii=False) + + print(f"Skipped queries report: {output_path} ({len(skipped_queries)} queries)") + + +if __name__ == "__main__": + # 1. Run scans and get TestList with results_info populated + test_list = run_all() + + # 2. Write positive_expected_result.json for each query + print(f"\n{'='*60}") + print("Writing positive_expected_result.json files...\n") + write_positive_expected_results(test_list) + + # 3. Write skipped queries report + print(f"\n{'='*60}") + print("Writing skipped queries report...\n") + write_skipped_queries_report(test_list) diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index 964d4c3ea8e..aaed40b51c8 100644 --- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11, + "line": 5, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_ami", - "resourceName": "Allow AMI to be launched by another account", - "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "resourceName": "Update AMI Launch Permissions, making it public", + "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions", "searchValue": "", "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" @@ -14,11 +14,11 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 5, + "line": 11, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_ami", - "resourceName": "Update AMI Launch Permissions, making it public", - "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "resourceName": "Allow AMI to be launched by another account", + "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions", "searchValue": "", "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 44dafeb2d5f..891e9b3d019 100644 --- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "API Gateway Without Configured Authorizer", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.yaml", - "resourceType": "aws_api_gateway", - "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", - "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}", - "searchValue": "", - "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set", - "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set" - }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", @@ -26,14 +14,14 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "filename": "positive4.yaml", + "line": 2, + "filename": "positive2.yaml", "resourceType": "aws_api_gateway", - "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", - "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}", "searchValue": "", - "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set", - "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set" + "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set", + "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'aws_api_gateway.swagger_file' should have an authorizer set", "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set" + }, + { + "queryName": "API Gateway Without Configured Authorizer", + "severity": "MEDIUM", + "line": 3, + "filename": "positive4.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text", + "searchValue": "", + "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set", + "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 271927e2b0d..f8443639cec 100644 --- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", - "line": 21, + "line": 6, "filename": "positive.yaml", - "resourceType": "community.aws.aws_api_gateway", - "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", - "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs", + "resourceType": "aws_api_gateway", + "resourceName": "update API", + "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set to yes", "actualValue": "aws_api_gateway.validate_certs is not set to yes" @@ -14,35 +14,35 @@ { "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", - "line": 6, + "line": 8, "filename": "positive.yaml", "resourceType": "aws_api_gateway", - "resourceName": "update API", - "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs", + "resourceName": "update API v1", + "searchKey": "name={{update API v1}}.{{aws_api_gateway}}", "searchValue": "", - "expectedValue": "aws_api_gateway.validate_certs should be set to yes", - "actualValue": "aws_api_gateway.validate_certs is not set to yes" + "expectedValue": "aws_api_gateway.validate_certs should be set", + "actualValue": "aws_api_gateway.validate_certs is undefined" }, { "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", - "line": 23, + "line": 21, "filename": "positive.yaml", "resourceType": "community.aws.aws_api_gateway", - "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition v1", - "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs", "searchValue": "", - "expectedValue": "aws_api_gateway.validate_certs should be set", - "actualValue": "aws_api_gateway.validate_certs is undefined" + "expectedValue": "aws_api_gateway.validate_certs should be set to yes", + "actualValue": "aws_api_gateway.validate_certs is not set to yes" }, { "queryName": "API Gateway Without SSL Certificate", "severity": "MEDIUM", - "line": 8, + "line": 23, "filename": "positive.yaml", - "resourceType": "aws_api_gateway", - "resourceName": "update API v1", - "searchKey": "name={{update API v1}}.{{aws_api_gateway}}", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition v1", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set", "actualValue": "aws_api_gateway.validate_certs is undefined" diff --git a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json index 319048178e8..c7ce7e7db88 100644 --- a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9, + "line": 2, "filename": "positive.yaml", - "resourceType": "sts_assume_role", - "resourceName": "Hello", - "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "resourceType": "community.aws.sts_assume_role", + "resourceName": "Assume an existing role", + "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", "searchValue": "mfa_token", "expectedValue": "sts_assume_role.mfa_token should be set", "actualValue": "sts_assume_role.mfa_token is undefined" @@ -26,11 +26,11 @@ { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 2, + "line": 9, "filename": "positive.yaml", - "resourceType": "community.aws.sts_assume_role", - "resourceName": "Assume an existing role", - "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", "searchValue": "mfa_token", "expectedValue": "sts_assume_role.mfa_token should be set", "actualValue": "sts_assume_role.mfa_token is undefined" diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index d77e1ed0bc8..5008d689631 100644 --- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.yaml", - "resourceType": "ec2_asg", - "resourceName": "elb2", - "searchKey": "name={{elb2}}.{{ec2_asg}}", - "searchValue": "", - "expectedValue": "ec2_asg.load_balancers should be set and not empty", - "actualValue": "ec2_asg.load_balancers is undefined" - }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "community.aws.ec2_asg.load_balancers should not be empty", "actualValue": "community.aws.ec2_asg.load_balancers is empty" + }, + { + "queryName": "Auto Scaling Group With No Associated ELB", + "severity": "MEDIUM", + "line": 2, + "filename": "positive2.yaml", + "resourceType": "ec2_asg", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{ec2_asg}}", + "searchValue": "", + "expectedValue": "ec2_asg.load_balancers should be set and not empty", + "actualValue": "ec2_asg.load_balancers is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 90fad5f9a7a..d62e0e779b1 100644 --- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 12, + "line": 10, "filename": "positive.yaml", "resourceType": "community.aws.rds_instance", - "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", - "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "resourceName": "community - create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", "searchValue": "", - "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", - "actualValue": "rds_instance.auto_minor_version_upgrade is undefined" + "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", + "actualValue": "rds_instance.auto_minor_version_upgrade is false" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 10, + "line": 12, "filename": "positive.yaml", "resourceType": "community.aws.rds_instance", - "resourceName": "community - create minimal aurora instance in default VPC and default subnet group", - "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", "searchValue": "", - "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", - "actualValue": "rds_instance.auto_minor_version_upgrade is false" + "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", + "actualValue": "rds_instance.auto_minor_version_upgrade is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 1c0b9d6d7ba..c5dff31403d 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 21, + "line": 9, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Alias Password policy for AWS account", - "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" @@ -14,11 +14,11 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 9, + "line": 21, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Password policy for AWS account", - "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", + "resourceName": "Alias Password policy for AWS account", + "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 41255f89f7e..f2666fec60c 100644 --- a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 23, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", "resourceName": "create a distribution without an origin and with enabled=false", - "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", - "searchValue": "", - "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", - "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'" + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "origins", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 2, + "line": 23, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", "resourceName": "create a distribution without an origin and with enabled=false", - "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", - "searchValue": "origins", - "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", - "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined" + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", + "searchValue": "", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json index dfdfd381cb7..a6912488d53 100644 --- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 62, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", - "resourceName": "create a second distribution with an origin, logging and default cache behavior", - "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", + "resourceName": "create a distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", "searchValue": "", - "expectedValue": "cloudfront_distribution.logging.enabled should be true", - "actualValue": "cloudfront_distribution.logging.enabled is false" + "expectedValue": "cloudfront_distribution.logging should be defined", + "actualValue": "cloudfront_distribution.logging is undefined" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 2, + "line": 62, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", - "resourceName": "create a distribution with an origin, logging and default cache behavior", - "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", + "resourceName": "create a second distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", "searchValue": "", - "expectedValue": "cloudfront_distribution.logging should be defined", - "actualValue": "cloudfront_distribution.logging is undefined" + "expectedValue": "cloudfront_distribution.logging.enabled should be true", + "actualValue": "cloudfront_distribution.logging.enabled is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index c22c014fdd1..6398cca8e71 100644 --- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "CloudFront Without Minimum Protocol TLS 1.2", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin and logging", + "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1" + }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "cloudfront_distribution.viewer_certificate should be defined", "actualValue": "cloudfront_distribution.viewer_certificate is undefined" - }, - { - "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM", - "line": 18, - "filename": "positive.yaml", - "resourceType": "community.aws.cloudfront_distribution", - "resourceName": "create a distribution with an origin and logging", - "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", - "searchValue": "", - "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", - "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index cc0d03ebe82..44c9bef2a9d 100644 --- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 18, + "line": 7, "filename": "positive.yaml", "resourceType": "community.aws.cloudtrail", - "resourceName": "example2", - "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail", "searchValue": "", - "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true", - "actualValue": "cloudtrail.is_multi_region_trail is undefined" + "expectedValue": "cloudtrail.is_multi_region_trail should be true", + "actualValue": "cloudtrail.is_multi_region_trail is false" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 7, + "line": 18, "filename": "positive.yaml", "resourceType": "community.aws.cloudtrail", - "resourceName": "example1", - "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}", "searchValue": "", - "expectedValue": "cloudtrail.is_multi_region_trail should be true", - "actualValue": "cloudtrail.is_multi_region_trail is false" + "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true", + "actualValue": "cloudtrail.is_multi_region_trail is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index 13c83791139..6866090c790 100644 --- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 15, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.cloudtrail", - "resourceName": "sns topic name defined", - "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name", + "resourceName": "no sns topic name", + "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", "searchValue": "", "expectedValue": "cloudtrail.sns_topic_name should be set", - "actualValue": "cloudtrail.sns_topic_name is empty" + "actualValue": "cloudtrail.sns_topic_name is undefined" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 2, + "line": 15, "filename": "positive.yaml", "resourceType": "community.aws.cloudtrail", - "resourceName": "no sns topic name", - "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", + "resourceName": "sns topic name defined", + "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name", "searchValue": "", "expectedValue": "cloudtrail.sns_topic_name should be set", - "actualValue": "cloudtrail.sns_topic_name is undefined" + "actualValue": "cloudtrail.sns_topic_name is empty" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 22df8b8b6fa..80e515cc001 100644 --- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 7, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.cloudwatchlogs_log_group", - "resourceName": "example2 ec2 group", - "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}", "searchValue": "", - "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid", - "actualValue": "cloudwatchlogs_log_group.retention is set and invalid" + "expectedValue": "cloudwatchlogs_log_group.retention should be set", + "actualValue": "cloudwatchlogs_log_group.retention is undefined" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 2, + "line": 7, "filename": "positive.yaml", "resourceType": "community.aws.cloudwatchlogs_log_group", - "resourceName": "example ec2 group", - "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}", + "resourceName": "example2 ec2 group", + "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention", "searchValue": "", - "expectedValue": "cloudwatchlogs_log_group.retention should be set", - "actualValue": "cloudwatchlogs_log_group.retention is undefined" + "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid", + "actualValue": "cloudwatchlogs_log_group.retention is set and invalid" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json index c0e999606df..994d0f0f5a0 100644 --- a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "community.aws.aws_kms", - "resourceName": "Update IAM policy on an existing KMS key2", - "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window", + "resourceName": "Update IAM policy on an existing KMS key1", + "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled", "searchValue": "", - "expectedValue": "community.aws.aws_kms.pending_window should be undefined", - "actualValue": "community.aws.aws_kms.pending_windowis is set" + "expectedValue": "community.aws.aws_kms.enabled should be set to true", + "actualValue": "community.aws.aws_kms.enabled is set to false" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "community.aws.aws_kms", - "resourceName": "Update IAM policy on an existing KMS key1", - "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window", "searchValue": "", - "expectedValue": "community.aws.aws_kms.enabled should be set to true", - "actualValue": "community.aws.aws_kms.enabled is set to false" + "expectedValue": "community.aws.aws_kms.pending_window should be undefined", + "actualValue": "community.aws.aws_kms.pending_windowis is set" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json index f79f8576508..21941ab7d90 100644 --- a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "CMK Rotation Disabled", - "severity": "LOW", - "line": 7, - "filename": "positive2.yaml", - "resourceType": "community.aws.aws_kms", - "resourceName": "Update IAM policy on an existing KMS key2", - "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation", - "searchValue": "", - "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true", - "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false" - }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set", "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined" + }, + { + "queryName": "CMK Rotation Disabled", + "severity": "LOW", + "line": 7, + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation", + "searchValue": "", + "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true", + "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index a8a67ef881f..8ff8f9e1898 100644 --- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "community.aws.iam_role", - "resourceName": "Create a role with description and tags3", - "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document", + "resourceName": "Create a role with description and tags", + "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document", "searchValue": "", "expectedValue": "assume_role_policy_document should not contain ':root", "actualValue": "assume_role_policy_document contains ':root'" @@ -27,10 +27,10 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "community.aws.iam_role", - "resourceName": "Create a role with description and tags", - "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document", + "resourceName": "Create a role with description and tags3", + "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document", "searchValue": "", "expectedValue": "assume_role_policy_document should not contain ':root", "actualValue": "assume_role_policy_document contains ':root'" diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 0935555d82e..00e0ee45c9c 100644 --- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Default Security Groups With Unrestricted Traffic", + "severity": "HIGH", + "line": 17, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" + }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", @@ -11,6 +23,18 @@ "expectedValue": "ec2_group.rules_egress.cidr_ip should not contain the value '0.0.0.0/0'", "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'" }, + { + "queryName": "Default Security Groups With Unrestricted Traffic", + "severity": "HIGH", + "line": 48, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example3 ec2 group", + "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" + }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", @@ -34,29 +58,5 @@ "searchValue": "", "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'", "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'" - }, - { - "queryName": "Default Security Groups With Unrestricted Traffic", - "severity": "HIGH", - "line": 17, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group", - "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", - "searchValue": "", - "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", - "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" - }, - { - "queryName": "Default Security Groups With Unrestricted Traffic", - "severity": "HIGH", - "line": 48, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2_group", - "resourceName": "example3 ec2 group", - "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", - "searchValue": "", - "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 23d89c7c259..ac66cc422cd 100644 --- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "EBS Volume Encryption Disabled", + "severity": "HIGH", + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume01", + "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled" + }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "ec2_vol.encrypted should be defined", "actualValue": "ec2_vol.encrypted is undefined" - }, - { - "queryName": "EBS Volume Encryption Disabled", - "severity": "HIGH", - "line": 5, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2_vol", - "resourceName": "Creating EBS volume01", - "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted", - "searchValue": "", - "expectedValue": "ec2_vol.encrypted should be enabled", - "actualValue": "ec2_vol.encrypted is disabled" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index 48552cb2fb6..15309e9b8e2 100644 --- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "ec2.assign_public_ip should be set to false, 'no' or undefined", "actualValue": "ec2.assign_public_ip is 'yes'" }, - { - "queryName": "EC2 Instance Has Public IP", - "severity": "MEDIUM", - "line": 24, - "filename": "positive.yaml", - "resourceType": "community.aws.ec2_instance", - "resourceName": "start an instance with a public IP address", - "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", - "searchValue": "", - "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", - "actualValue": "ec2_instance.network.assign_public_ip is 'true'" - }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "ec2_launch_template.network_interfaces.associate_public_ip_address should be set to false, 'no' or undefined", "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'" + }, + { + "queryName": "EC2 Instance Has Public IP", + "severity": "MEDIUM", + "line": 24, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a public IP address", + "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2_instance.network.assign_public_ip is 'true'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index b1d6c129797..ae74631c528 100644 --- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 7, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.ecs_ecr", - "resourceName": "create immutable ecr-repo v2", - "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", + "resourceName": "create immutable ecr-repo", + "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", "searchValue": "", - "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", - "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'" + "expectedValue": "ecs_ecr.image_tag_mutability should be set ", + "actualValue": "ecs_ecr.image_tag_mutability is undefined" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", - "line": 2, + "line": 7, "filename": "positive.yaml", "resourceType": "community.aws.ecs_ecr", - "resourceName": "create immutable ecr-repo", - "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", + "resourceName": "create immutable ecr-repo v2", + "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", "searchValue": "", - "expectedValue": "ecs_ecr.image_tag_mutability should be set ", - "actualValue": "ecs_ecr.image_tag_mutability is undefined" + "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", + "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json index fd763f8516d..5a472366b28 100644 --- a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 25, + "line": 6, "filename": "positive.yaml", "resourceType": "community.aws.efs", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{community.aws.efs}}", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", - "actualValue": "efs.encrypt is undefined" + "actualValue": "efs.encrypt is set to false" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6, + "line": 17, "filename": "positive.yaml", "resourceType": "community.aws.efs", - "resourceName": "foo", - "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", "actualValue": "efs.encrypt is set to false" @@ -26,13 +26,13 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 17, + "line": 25, "filename": "positive.yaml", "resourceType": "community.aws.efs", - "resourceName": "foo2", - "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{community.aws.efs}}", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", - "actualValue": "efs.encrypt is set to false" + "actualValue": "efs.encrypt is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json index ec2cbe69f14..4341c33c536 100644 --- a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "community.aws.elasticache", - "resourceName": "Basic example2", - "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", "searchValue": "", - "expectedValue": "'cache_port' should not be set to 6379", - "actualValue": "'cache_port' is set to 6379" + "expectedValue": "'cache_port' should not be set to 11211", + "actualValue": "'cache_port' is set to 11211" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "community.aws.elasticache", - "resourceName": "Basic example", - "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", + "resourceName": "Basic example2", + "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", "searchValue": "", - "expectedValue": "'cache_port' should not be set to 11211", - "actualValue": "'cache_port' is set to 11211" + "expectedValue": "'cache_port' should not be set to 6379", + "actualValue": "'cache_port' is set to 6379" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 6d2387e8020..eff91b8ef50 100644 --- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive1.yaml", "resourceType": "community.aws.opensearch", "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", - "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", "searchValue": "", - "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", - "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive2.yaml", "resourceType": "community.aws.opensearch", "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", - "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", "searchValue": "", - "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", - "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'" + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" }, { "queryName": "Elasticsearch with HTTPS disabled", diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 20632feb1c5..4165504e86e 100644 --- a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -14,50 +14,50 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 52, + "line": 21, "filename": "positive.yaml", - "resourceType": "community.aws.elb_network_lb", - "resourceName": "elb4", - "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_network_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 21, + "line": 40, "filename": "positive.yaml", "resourceType": "community.aws.elb_application_lb", - "resourceName": "elb2", - "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 70, + "line": 52, "filename": "positive.yaml", "resourceType": "community.aws.elb_network_lb", - "resourceName": "elb5", - "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", "searchValue": "", - "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 40, + "line": 70, "filename": "positive.yaml", - "resourceType": "community.aws.elb_application_lb", - "resourceName": "elb3", - "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol" + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Insecure Protocols", diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json index c594becca83..721f0d5fd93 100644 --- a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 40, + "line": 3, "filename": "positive.yaml", "resourceType": "community.aws.elb_application_lb", - "resourceName": "elb3", - "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", "searchValue": "", - "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher" + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 89, + "line": 21, "filename": "positive.yaml", - "resourceType": "community.aws.elb_network_lb", - "resourceName": "elb6", - "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should not be a weak cipher", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher" + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 3, + "line": 40, "filename": "positive.yaml", "resourceType": "community.aws.elb_application_lb", - "resourceName": "elb1", - "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_application_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", @@ -50,25 +50,25 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 21, + "line": 70, "filename": "positive.yaml", - "resourceType": "community.aws.elb_application_lb", - "resourceName": "elb2", - "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 70, + "line": 89, "filename": "positive.yaml", "resourceType": "community.aws.elb_network_lb", - "resourceName": "elb5", - "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", - "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json index 4f2d32bfe5b..7584b54c08c 100644 --- a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "HTTP Port Open To Internet", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)" + }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", @@ -70,17 +82,5 @@ "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", "actualValue": "ec2_group.rules[0] opens the http port (80)" - }, - { - "queryName": "HTTP Port Open To Internet", - "severity": "MEDIUM", - "line": 9, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group1", - "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", - "searchValue": "", - "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 29a898ed721..ced48a52445 100644 --- a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "IAM Access Key Is Exposed", "severity": "MEDIUM", - "line": 36, + "line": 7, "filename": "positive.yaml", "resourceType": "community.aws.iam", - "resourceName": "Update user", - "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state", + "resourceName": "Create two new IAM users with API keys", + "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state", "searchValue": "", "expectedValue": "iam.name should be 'root' for an active access key", - "actualValue": "iam.name is 'jdavila' for an active access key" + "actualValue": "iam.name is '{{ item }}' for an active access key" }, { "queryName": "IAM Access Key Is Exposed", @@ -26,13 +26,13 @@ { "queryName": "IAM Access Key Is Exposed", "severity": "MEDIUM", - "line": 7, + "line": 36, "filename": "positive.yaml", "resourceType": "community.aws.iam", - "resourceName": "Create two new IAM users with API keys", - "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state", + "resourceName": "Update user", + "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state", "searchValue": "", "expectedValue": "iam.name should be 'root' for an active access key", - "actualValue": "iam.name is '{{ item }}' for an active access key" + "actualValue": "iam.name is 'jdavila' for an active access key" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index ace2ce64747..1ea7e50a82d 100644 --- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 22, + "line": 9, "filename": "positive.yaml", "resourceType": "community.aws.rds_instance", - "resourceName": "Create a DB instance using the default AWS KMS encryption key", - "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", "searchValue": "", "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", "actualValue": "rds_instance.enable_iam_database_authentication is disabled" @@ -14,11 +14,11 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 9, + "line": 22, "filename": "positive.yaml", "resourceType": "community.aws.rds_instance", - "resourceName": "create minimal aurora instance in default VPC and default subnet group", - "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "resourceName": "Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", "searchValue": "", "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", "actualValue": "rds_instance.enable_iam_database_authentication is disabled" diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 7c52e075185..7e9314655bd 100644 --- a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "IAM Password Without Minimum Length", + "severity": "LOW", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8", + "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined" + }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "iam_password_policy.minimum_password_length should be set and no less than 8", "actualValue": "iam_password_policy.minimum_password_length is less than 8" - }, - { - "queryName": "IAM Password Without Minimum Length", - "severity": "LOW", - "line": 2, - "filename": "positive.yaml", - "resourceType": "community.aws.iam_password_policy", - "resourceName": "Password policy for AWS account", - "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", - "searchValue": "", - "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8", - "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index a1ff963da54..42512939e8f 100644 --- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 20, - "filename": "positive2.yaml", - "resourceType": "community.aws.ec2_instance", - "resourceName": "start an instance with legacy naming", - "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined" + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 29, - "filename": "positive2.yaml", - "resourceType": "community.aws.ec2_lc", - "resourceName": "create launch configuration with legacy naming", - "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", + "line": 20, + "filename": "positive1.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined" + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -38,20 +38,8 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 31, - "filename": "positive4.yaml", - "resourceType": "community.aws.ec2_instance", - "resourceName": "start an instance with legacy naming and metadata options", - "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", - "searchValue": "", - "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 47, - "filename": "positive3.yaml", + "line": 42, + "filename": "positive1.yaml", "resourceType": "community.aws.ec2_lc", "resourceName": "create launch configuration with legacy naming and metadata options", "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", @@ -62,62 +50,62 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 9, - "filename": "positive5.yaml", + "line": 2, + "filename": "positive2.yaml", "resourceType": "amazon.aws.ec2_instance", - "resourceName": "start an instance with metadata options", - "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "resourceName": "start an instance", + "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", "searchValue": "", - "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 31, - "filename": "positive5.yaml", - "resourceType": "community.aws.ec2_instance", - "resourceName": "start an instance with legacy naming and metadata options", - "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration", + "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", "searchValue": "", - "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 10, - "filename": "positive1.yaml", - "resourceType": "amazon.aws.ec2_instance", - "resourceName": "start an instance with metadata options", - "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "line": 20, + "filename": "positive2.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming", + "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", "searchValue": "", - "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 42, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive2.yaml", "resourceType": "community.aws.ec2_lc", - "resourceName": "create launch configuration with legacy naming and metadata options", - "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "resourceName": "create launch configuration with legacy naming", + "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", "searchValue": "", - "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 9, - "filename": "positive4.yaml", + "line": 11, + "filename": "positive3.yaml", "resourceType": "amazon.aws.ec2_instance", "resourceName": "start an instance with metadata options", - "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -134,26 +122,38 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 11, - "filename": "positive2.yaml", - "resourceType": "community.aws.autoscaling_launch_config", - "resourceName": "create launch configuration", - "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", + "line": 35, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined" + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 20, - "filename": "positive1.yaml", - "resourceType": "community.aws.autoscaling_launch_config", - "resourceName": "create launch configuration with metadata options", - "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive4.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -170,26 +170,14 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 11, - "filename": "positive3.yaml", - "resourceType": "amazon.aws.ec2_instance", - "resourceName": "start an instance with metadata options", - "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 35, - "filename": "positive3.yaml", + "line": 31, + "filename": "positive4.yaml", "resourceType": "community.aws.ec2_instance", "resourceName": "start an instance with legacy naming and metadata options", - "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -203,6 +191,18 @@ "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive5.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", @@ -215,6 +215,18 @@ "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined" }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive5.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", @@ -226,17 +238,5 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 2, - "filename": "positive2.yaml", - "resourceType": "amazon.aws.ec2_instance", - "resourceName": "start an instance", - "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", - "searchValue": "", - "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json index 98cc820a642..69951e1ee11 100644 --- a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Instance With No VPC", - "severity": "LOW", - "line": 18, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2", - "resourceName": "Start an instance and have it begin a Tower callback on boot v2", - "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", - "searchValue": "", - "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", - "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined" - }, { "queryName": "Instance With No VPC", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "community.aws.ec2_instance.vpc_subnet_id should be set", "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined" + }, + { + "queryName": "Instance With No VPC", + "severity": "LOW", + "line": 18, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "Start an instance and have it begin a Tower callback on boot v2", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", + "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index f9c40ffa4bf..288076551df 100644 --- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 23, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.kinesis_stream", - "resourceName": "Encrypt Kinesis Stream test-stream. v3", - "searchKey": "name={{Encrypt Kinesis Stream test-stream. v3}}.{{community.aws.kinesis_stream}}", + "resourceName": "Encrypt Kinesis Stream test-stream.", + "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", "searchValue": "", - "expectedValue": "kinesis_stream.encryption_type should be set", - "actualValue": "kinesis_stream.encryption_type is undefined" + "expectedValue": "kinesis_stream.encryption_state should be set", + "actualValue": "kinesis_stream.encryption_state is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 44, + "line": 16, "filename": "positive.yaml", "resourceType": "community.aws.kinesis_stream", - "resourceName": "Encrypt Kinesis Stream test-stream. v5", - "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", + "resourceName": "Encrypt Kinesis Stream test-stream. v2", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", "searchValue": "", - "expectedValue": "kinesis_stream.key_id should be set", - "actualValue": "kinesis_stream.key_id is undefined" + "expectedValue": "kinesis_stream.encryption_state should be set to enabled", + "actualValue": "kinesis_stream.encryption_state is not set to enabled" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 16, + "line": 23, "filename": "positive.yaml", "resourceType": "community.aws.kinesis_stream", - "resourceName": "Encrypt Kinesis Stream test-stream. v2", - "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", + "resourceName": "Encrypt Kinesis Stream test-stream. v3", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v3}}.{{community.aws.kinesis_stream}}", "searchValue": "", - "expectedValue": "kinesis_stream.encryption_state should be set to enabled", - "actualValue": "kinesis_stream.encryption_state is not set to enabled" + "expectedValue": "kinesis_stream.encryption_type should be set", + "actualValue": "kinesis_stream.encryption_type is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -50,13 +50,13 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 2, + "line": 44, "filename": "positive.yaml", "resourceType": "community.aws.kinesis_stream", - "resourceName": "Encrypt Kinesis Stream test-stream.", - "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", + "resourceName": "Encrypt Kinesis Stream test-stream. v5", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", "searchValue": "", - "expectedValue": "kinesis_stream.encryption_state should be set", - "actualValue": "kinesis_stream.encryption_state is undefined" + "expectedValue": "kinesis_stream.key_id should be set", + "actualValue": "kinesis_stream.key_id is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 3b5ad678cbe..81b3af821ae 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "KMS Key With Vulnerable Policy", - "severity": "HIGH", - "line": 3, - "filename": "positive2.yaml", - "resourceType": "community.aws.aws_kms", - "resourceName": "Update IAM policy on an existing KMS key2", - "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", - "searchValue": "", - "expectedValue": "'policy' should be undefined or null", - "actualValue": "'policy' is defined and not null" - }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "aws_kms.policy should not have wildcard in 'Action' and 'Principal'", "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'" + }, + { + "queryName": "KMS Key With Vulnerable Policy", + "severity": "HIGH", + "line": 3, + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", + "searchValue": "", + "expectedValue": "'policy' should be undefined or null", + "actualValue": "'policy' is defined and not null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json index 96c27a80ee6..b70c5692640 100644 --- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Launch Configuration Is Not Encrypted", - "severity": "HIGH", - "line": 22, - "filename": "positive.yaml", - "resourceType": "ec2_lc", - "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v2", - "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", - "searchValue": "", - "expectedValue": "ec2_lc.volumes[0].encrypted should be set", - "actualValue": "ec2_lc.volumes[0].encrypted is undefined" - }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", @@ -23,6 +11,18 @@ "expectedValue": "ec2_lc.volumes[0].encrypted should be set to true or yes", "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes" }, + { + "queryName": "Launch Configuration Is Not Encrypted", + "severity": "HIGH", + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v2", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set", + "actualValue": "ec2_lc.volumes[0].encrypted is undefined" + }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 606842f2f1b..6e33d25f567 100644 --- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 21, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Extreme Password policy for AWS account", - "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", + "resourceName": "Missing Password policy for AWS account", + "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" @@ -14,11 +14,11 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 2, + "line": 21, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Missing Password policy for AWS account", - "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "resourceName": "Extreme Password policy for AWS account", + "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json index 8afdfe7dca6..85f56edad0e 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 23, + "line": 3, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Password policy for AWS account2", - "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" @@ -14,11 +14,11 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 3, + "line": 23, "filename": "positive.yaml", "resourceType": "community.aws.iam_password_policy", - "resourceName": "Password policy for AWS account", - "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "resourceName": "Password policy for AWS account2", + "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" diff --git a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json index 255dcaa56be..fb62e6fb994 100644 --- a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json @@ -15,36 +15,36 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "community.aws.rds_instance", "resourceName": "create minimal aurora instance in default VPC and default subnet group2", "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", - "expectedValue": "'port' should not be set to 1433", - "actualValue": "'port' is set to 1433" + "expectedValue": "'port' should not be set to 5432", + "actualValue": "'port' is set to 5432" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "community.aws.rds_instance", "resourceName": "create minimal aurora instance in default VPC and default subnet group2", "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", - "expectedValue": "'port' should not be set to 5432", - "actualValue": "'port' is set to 5432" + "expectedValue": "'port' should not be set to 1521", + "actualValue": "'port' is set to 1521" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "filename": "positive3.yaml", + "filename": "positive4.yaml", "resourceType": "community.aws.rds_instance", "resourceName": "create minimal aurora instance in default VPC and default subnet group2", "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", - "expectedValue": "'port' should not be set to 1521", - "actualValue": "'port' is set to 1521" + "expectedValue": "'port' should not be set to 1433", + "actualValue": "'port' is set to 1433" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json index 211a9cc4d55..34257c3a30d 100644 --- a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 19, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.redshift", - "resourceName": "Basic cluster provisioning example2", - "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted", + "resourceName": "Basic cluster provisioning example", + "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", - "actualValue": "redshift.encrypted is set to false" + "actualValue": "redshift.encrypted is undefined" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 29, + "line": 19, "filename": "positive.yaml", "resourceType": "community.aws.redshift", - "resourceName": "Basic cluster provisioning example3", - "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted", + "resourceName": "Basic cluster provisioning example2", + "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", "actualValue": "redshift.encrypted is set to false" @@ -26,13 +26,13 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 2, + "line": 29, "filename": "positive.yaml", "resourceType": "community.aws.redshift", - "resourceName": "Basic cluster provisioning example", - "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}", + "resourceName": "Basic cluster provisioning example3", + "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", - "actualValue": "redshift.encrypted is undefined" + "actualValue": "redshift.encrypted is set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json index 0fe28c33a65..f924660f341 100644 --- a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17, + "line": 9, "filename": "positive.yaml", "resourceType": "community.aws.redshift", - "resourceName": "Basic cluster provisioning example05", - "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible", + "resourceName": "Basic cluster provisioning example04", + "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", "actualValue": "redshift.publicly_accessible is true" @@ -14,11 +14,11 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 25, + "line": 17, "filename": "positive.yaml", - "resourceType": "redshift", - "resourceName": "Basic cluster provisioning example06", - "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example05", + "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", "actualValue": "redshift.publicly_accessible is true" @@ -26,11 +26,11 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 9, + "line": 25, "filename": "positive.yaml", - "resourceType": "community.aws.redshift", - "resourceName": "Basic cluster provisioning example04", - "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible", + "resourceType": "redshift", + "resourceName": "Basic cluster provisioning example06", + "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", "actualValue": "redshift.publicly_accessible is true" diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json index 2eade52c07b..3a5794b4881 100644 --- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 79, + "line": 9, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group6", - "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -14,11 +14,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 93, + "line": 23, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group7", - "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -26,11 +26,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 9, + "line": 36, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group1", - "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -38,11 +38,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 23, + "line": 49, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group2", - "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group4", + "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -50,11 +50,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 36, + "line": 64, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group3", - "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -62,11 +62,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49, + "line": 79, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group4", - "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" @@ -74,11 +74,11 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 64, + "line": 93, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group5", - "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", "actualValue": "ec2_group.rules opens the remote desktop port (3389)" diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 419111f5de2..5454b62e65e 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 15, + "line": 3, "filename": "positive.yaml", "resourceType": "amazon.aws.s3_bucket", - "resourceName": "foo2", - "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}", "searchValue": "", "expectedValue": "s3_bucket should have versioning set to true", - "actualValue": "s3_bucket does has versioning set to false" + "actualValue": "s3_bucket does not have versioning (defaults to false)" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 3, + "line": 15, "filename": "positive.yaml", "resourceType": "amazon.aws.s3_bucket", - "resourceName": "foo", - "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning", "searchValue": "", "expectedValue": "s3_bucket should have versioning set to true", - "actualValue": "s3_bucket does not have versioning (defaults to false)" + "actualValue": "s3_bucket does has versioning set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json index ccddfef5fd2..2faf14ab8e7 100644 --- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json @@ -14,50 +14,50 @@ { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 27, + "line": 12, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group v2", - "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[0] should be restricted", - "actualValue": "ec2_group.rules[0] is not restricted" + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 12, + "line": 16, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", "resourceName": "example ec2 group", "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[1] should be restricted", - "actualValue": "ec2_group.rules[1] is not restricted" + "expectedValue": "ec2_group.rules[2] should be restricted", + "actualValue": "ec2_group.rules[2] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 31, + "line": 27, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", "resourceName": "example ec2 group v2", "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[1] should be restricted", - "actualValue": "ec2_group.rules[1] is not restricted" + "expectedValue": "ec2_group.rules[0] should be restricted", + "actualValue": "ec2_group.rules[0] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 16, + "line": 31, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", - "resourceName": "example ec2 group", - "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[2] should be restricted", - "actualValue": "ec2_group.rules[2] is not restricted" + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted" }, { "queryName": "Security Group Ingress Not Restricted", diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 1dcc880b001..58439061fb4 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 23, + "filename": "positive1.yaml", + "resourceType": "community.aws.sns_topic", + "resourceName": "Create alarm SNS topic community", + "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", @@ -15,7 +27,7 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 23, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "community.aws.sns_topic", "resourceName": "Create alarm SNS topic community", "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 23, - "filename": "positive2.yaml", - "resourceType": "community.aws.sns_topic", - "resourceName": "Create alarm SNS topic community", - "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", - "searchValue": "", - "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 476a6ce835c..7ad15eb99a6 100644 --- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 65, - "filename": "positive.yaml", - "resourceType": "amazon.aws.ec2_group", - "resourceName": "example using security group rule descriptions 5", - "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules", - "searchValue": "", - "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" - }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 65, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 5", + "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json index d99f390e4dc..511a119521e 100644 --- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 22, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.sqs_queue", - "resourceName": "Create FIFO queue", - "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "resourceName": "Create SQS queue with redrive policy", + "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", "actualValue": "'kms_master_key_id' is undefined" @@ -14,11 +14,11 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 2, + "line": 16, "filename": "positive.yaml", "resourceType": "community.aws.sqs_queue", - "resourceName": "Create SQS queue with redrive policy", - "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "resourceName": "Drop redrive policy", + "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", "actualValue": "'kms_master_key_id' is undefined" @@ -26,11 +26,11 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 16, + "line": 22, "filename": "positive.yaml", "resourceType": "community.aws.sqs_queue", - "resourceName": "Drop redrive policy", - "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "resourceName": "Create FIFO queue", + "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", "actualValue": "'kms_master_key_id' is undefined" diff --git a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json index affb9286dd7..dda5d34d59b 100644 --- a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 23, + "line": 2, "filename": "positive.yaml", "resourceType": "community.aws.cloudformation_stack_set", - "resourceName": "on subsequent calls, templates are optional but parameters and tags can be altered", - "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", - "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false", - "actualValue": "cloudformation_stack_set.purge_stacks is true" + "expectedValue": "cloudformation_stack_set.purge_stacks should be set", + "actualValue": "cloudformation_stack_set.purge_stacks is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 2, + "line": 23, "filename": "positive.yaml", "resourceType": "community.aws.cloudformation_stack_set", - "resourceName": "Create a stack set with instances in two accounts", - "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "resourceName": "on subsequent calls, templates are optional but parameters and tags can be altered", + "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks", "searchValue": "", - "expectedValue": "cloudformation_stack_set.purge_stacks should be set", - "actualValue": "cloudformation_stack_set.purge_stacks is undefined" + "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false", + "actualValue": "cloudformation_stack_set.purge_stacks is true" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json index 93130f55db0..0bdeb7135f0 100644 --- a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Stack Without Template", "severity": "LOW", - "line": 30, + "line": 2, "filename": "positive.yaml", - "resourceType": "community.aws.cloudformation_stack_set", - "resourceName": "Create a stack set with instances in two accounts", - "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", "searchValue": "", - "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes template, template_body and template_url set", - "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set" + "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set", + "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 2, + "line": 15, "filename": "positive.yaml", "resourceType": "amazon.aws.cloudformation", - "resourceName": "create a stack, pass in the template via an URL", - "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "resourceName": "create a stack, pass in the template via an URL v2", + "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}", "searchValue": "", - "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set", - "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set" + "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set", + "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 40, + "line": 30, "filename": "positive.yaml", "resourceType": "community.aws.cloudformation_stack_set", - "resourceName": "Create a stack set with instances in two accounts v2", - "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", - "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set", - "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set" + "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes template, template_body and template_url set", + "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set" }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 15, + "line": 40, "filename": "positive.yaml", - "resourceType": "amazon.aws.cloudformation", - "resourceName": "create a stack, pass in the template via an URL v2", - "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts v2", + "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", - "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set", - "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set" + "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set", + "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index d4e07ea469c..3299419b53e 100644 --- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 13, + "line": 9, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", "resourceName": "example ec2 group", "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet", - "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet" + "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 9, + "line": 13, "filename": "positive.yaml", "resourceType": "amazon.aws.ec2_group", "resourceName": "example ec2 group", "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", - "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet", - "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet" + "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet" } ] \ No newline at end of file diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json index 2c5a93aa87f..2b82ac8e8cf 100644 --- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50, + "line": 20, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", - "resourceName": "example2", - "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy", "searchValue": "", - "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 20, + "line": 50, "filename": "positive.yaml", "resourceType": "community.aws.cloudfront_distribution", - "resourceName": "example1", - "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy", "searchValue": "", - "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json index 82c165377f6..4c5c0b34577 100644 --- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "AKS Monitoring Logging Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v0", + "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon should be set", + "actualValue": "azure_rm_aks.addon is undefined" + }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "azure_rm_aks.addon.monitoring.enabled should be set to 'yes' or 'false'", "actualValue": "azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'" - }, - { - "queryName": "AKS Monitoring Logging Disabled", - "severity": "MEDIUM", - "line": 2, - "filename": "positive.yaml", - "resourceType": "azure_rm_aks", - "resourceName": "Create an AKS instance v0", - "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", - "searchValue": "", - "expectedValue": "azure_rm_aks.addon should be set", - "actualValue": "azure_rm_aks.addon is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index e745140ce7c..23b77b67327 100644 --- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "filename": "positive2.yaml", - "resourceType": "azure.azcollection.azure_rm_containerregistry", - "resourceName": "Create an azure container registryy1", - "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}", + "filename": "positive1.yaml", + "resourceType": "azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}", "searchValue": "", - "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", - "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" + "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock" }, { "queryName": "Azure Container Registry With No Locks", @@ -27,12 +27,12 @@ "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "filename": "positive1.yaml", - "resourceType": "azure_rm_containerregistry", - "resourceName": "Create an azure container registry", - "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}", + "filename": "positive2.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registryy1", + "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}", "searchValue": "", - "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock", - "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock" + "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 282f667b107..40d9a90726f 100644 --- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "azure.azcollection.azure_rm_storageaccount", "resourceName": "create an account", "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", - "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", - "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'" + "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -27,12 +27,12 @@ "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "azure.azcollection.azure_rm_storageaccount", "resourceName": "create an account", "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", - "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", - "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'" + "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", + "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json index 8557a42d902..c87e0fdb7d3 100644 --- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 18, + "line": 7, "filename": "positive.yaml", "resourceType": "azure_rm_keyvault", - "resourceName": "Create instance of Key Vault 02", - "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}", + "resourceName": "Create instance of Key Vault", + "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete", "searchValue": "", - "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined", - "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined" + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true", + "actualValue": "azure_rm_keyvault.enable_soft_delete is false" }, { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 7, + "line": 18, "filename": "positive.yaml", "resourceType": "azure_rm_keyvault", - "resourceName": "Create instance of Key Vault", - "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete", + "resourceName": "Create instance of Key Vault 02", + "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}", "searchValue": "", - "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true", - "actualValue": "azure_rm_keyvault.enable_soft_delete is false" + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined", + "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index 2eb7e6340e4..ff553f401da 100644 --- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 23, + "line": 3, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_mysqlserver", - "resourceName": "Create (or update) MySQL Server2", - "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl", + "resourceName": "Create (or update) MySQL Server", + "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}", "searchValue": "", "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false" + "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)" }, { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 3, + "line": 23, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_mysqlserver", - "resourceName": "Create (or update) MySQL Server", - "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}", + "resourceName": "Create (or update) MySQL Server2", + "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl", "searchValue": "", "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)" + "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index 40063113608..00724d2a907 100644 --- a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 25, + "line": 7, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting4", - "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -14,11 +14,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, + "line": 13, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting5", - "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -26,11 +26,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 37, + "line": 19, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting6", - "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -38,11 +38,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 7, + "line": 25, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting", - "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -50,11 +50,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 13, + "line": 31, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting2", - "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -62,11 +62,11 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 19, + "line": 37, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting3", - "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" diff --git a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index 5d3a91fae00..be8afed87ce 100644 --- a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 19, + "line": 7, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting3", - "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -14,11 +14,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 25, + "line": 13, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting4", - "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -26,11 +26,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 31, + "line": 19, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting5", - "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -38,11 +38,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 37, + "line": 25, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting6", - "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -50,11 +50,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 7, + "line": 31, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting", - "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" @@ -62,11 +62,11 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 13, + "line": 37, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", - "resourceName": "Update PostgreSQL Server setting2", - "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" diff --git a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json index 3fba890ab64..061697d9acd 100644 --- a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Public Storage Account", "severity": "HIGH", - "line": 19, + "line": 9, "filename": "positive.yaml", "resourceType": "azure_rm_storageaccount", - "resourceName": "configure firewall and more virtual networks", - "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action", + "resourceName": "configure firewall and virtual networks", + "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules", "searchValue": "", - "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set", - "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'" + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'" }, { "queryName": "Public Storage Account", "severity": "HIGH", - "line": 9, + "line": 19, "filename": "positive.yaml", "resourceType": "azure_rm_storageaccount", - "resourceName": "configure firewall and virtual networks", - "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules", + "resourceName": "configure firewall and more virtual networks", + "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action", "searchValue": "", - "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ", - "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'" + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 7adad92197d..8d402bbd624 100644 --- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "azure_rm_roledefinition", - "resourceName": "Create a role definition2", - "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions", + "resourceName": "Create a role definition", + "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions", "searchValue": "", "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" @@ -15,10 +15,10 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "azure_rm_roledefinition", - "resourceName": "Create a role definition", - "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions", + "resourceName": "Create a role definition2", + "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions", "searchValue": "", "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json index 8dfa84f75ec..a0aa26f342e 100644 --- a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -2,35 +2,35 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 28, + "line": 3, "filename": "positive.yaml", "resourceType": "azure_rm_subnet", - "resourceName": "Create a subnet4", - "searchKey": "name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", + "resourceName": "Create a subnet1", + "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", "searchValue": "", - "expectedValue": "azure_rm_subnet.security_group should not be empty", - "actualValue": "azure_rm_subnet.security_group is empty" + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 35, + "line": 9, "filename": "positive.yaml", "resourceType": "azure_rm_subnet", - "resourceName": "Create a subnet5", - "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", + "resourceName": "Create a subnet2", + "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", "searchValue": "", - "expectedValue": "azure_rm_subnet.security_group_name should not be empty", - "actualValue": "azure_rm_subnet.security_group_name is empty" + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 3, + "line": 16, "filename": "positive.yaml", "resourceType": "azure_rm_subnet", - "resourceName": "Create a subnet1", - "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", + "resourceName": "Create a subnet3", + "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group should be defined and not null", "actualValue": "azure_rm_subnet.security_group is undefined or null" @@ -38,25 +38,25 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 9, + "line": 28, "filename": "positive.yaml", "resourceType": "azure_rm_subnet", - "resourceName": "Create a subnet2", - "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", + "resourceName": "Create a subnet4", + "searchKey": "name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", "searchValue": "", - "expectedValue": "azure_rm_subnet.security_group should be defined and not null", - "actualValue": "azure_rm_subnet.security_group is undefined or null" + "expectedValue": "azure_rm_subnet.security_group should not be empty", + "actualValue": "azure_rm_subnet.security_group is empty" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 16, + "line": 35, "filename": "positive.yaml", "resourceType": "azure_rm_subnet", - "resourceName": "Create a subnet3", - "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", + "resourceName": "Create a subnet5", + "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", "searchValue": "", - "expectedValue": "azure_rm_subnet.security_group should be defined and not null", - "actualValue": "azure_rm_subnet.security_group is undefined or null" + "expectedValue": "azure_rm_subnet.security_group_name should not be empty", + "actualValue": "azure_rm_subnet.security_group_name is empty" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 87cf440b21b..7f93ba7c360 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,47 +2,47 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130, + "line": 13, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "resourceName": "foo1", + "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 27, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 27, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 41, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -50,35 +50,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, - "filename": "positive.yaml", - "resourceType": "azure_rm_securitygroup", - "resourceName": "foo2", - "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 142, + "line": 41, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 41, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", "actualValue": "FTP (TCP:21) is allowed" @@ -86,26 +74,26 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 41, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 41, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -115,30 +103,30 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, + "line": 55, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 113, + "line": 55, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo8", - "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -146,11 +134,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130, + "line": 69, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "resourceName": "foo5", + "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 85, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo6", + "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -158,26 +158,26 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 99, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, + "line": 99, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo2", - "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -194,11 +194,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55, + "line": 99, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo4", - "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 113, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo8", + "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -206,11 +218,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85, + "line": 130, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo6", - "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -218,11 +230,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99, + "line": 130, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo7", - "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -235,9 +247,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +259,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +271,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,21 +283,21 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 13, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo1", - "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", - "searchValue": "UDP,61621", - "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +307,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +319,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,21 +331,21 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +355,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,18 +367,18 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", "actualValue": "FTP (TCP:21) is allowed" @@ -379,9 +391,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +403,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,18 +415,6 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 99, - "filename": "positive.yaml", - "resourceType": "azure_rm_securitygroup", - "resourceName": "foo7", - "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -427,30 +427,30 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo7", - "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", "actualValue": "DNS (UDP:53) is allowed" @@ -463,9 +463,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,44 +487,44 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo3", - "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo4", - "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69, + "line": 142, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", - "resourceName": "foo5", - "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json index 1a9ea084c15..070979105b7 100644 --- a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Small Activity Log Retention Period", - "severity": "LOW", - "line": 46, - "filename": "positive.yaml", - "resourceType": "azure_rm_monitorlogprofile", - "resourceName": "Create a log profile3", - "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", - "searchValue": "", - "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", - "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)" - }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.retention_policy should be defined", "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined" + }, + { + "queryName": "Small Activity Log Retention Period", + "severity": "LOW", + "line": 46, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile3", + "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index a56c07a500d..445711d293c 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "SQL Server Predictable Active Directory Account Name", + "severity": "LOW", + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp", + "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", + "actualValue": "azure_ad_serviceprincipal.ad_user is predictable" + }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null" - }, - { - "queryName": "SQL Server Predictable Active Directory Account Name", - "severity": "LOW", - "line": 7, - "filename": "positive.yaml", - "resourceType": "azure_ad_serviceprincipal", - "resourceName": "create ad sp", - "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", - "searchValue": "", - "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", - "actualValue": "azure_ad_serviceprincipal.ad_user is predictable" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index d27557aea1c..f64e01b5eca 100644 --- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 21, + "line": 2, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlserver", - "resourceName": "Create (or update) PostgreSQL Server2", - "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", + "resourceName": "Create (or update) PostgreSQL Server", + "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", "searchValue": "", "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false" + "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)" }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 2, + "line": 21, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_postgresqlserver", - "resourceName": "Create (or update) PostgreSQL Server", - "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", + "resourceName": "Create (or update) PostgreSQL Server2", + "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", "searchValue": "", "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)" + "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 83db86d559d..3228fb834d5 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -2,11 +2,23 @@ { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 33, + "line": 3, "filename": "positive.yaml", "resourceType": "azure.azcollection.azure_rm_storageaccount", - "resourceName": "create an account4", - "searchKey": "name={{create an account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.https_only should be defined", + "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)" + }, + { + "queryName": "Storage Account Not Forcing HTTPS", + "severity": "MEDIUM", + "line": 15, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account2", + "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", "actualValue": "azure_rm_storageaccount has https_only set to false" @@ -23,6 +35,18 @@ "expectedValue": "azure_rm_storageaccount should have https_only set to true", "actualValue": "azure_rm_storageaccount has https_only set to false" }, + { + "queryName": "Storage Account Not Forcing HTTPS", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account4", + "searchKey": "name={{create an account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false" + }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", @@ -82,29 +106,5 @@ "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", "actualValue": "azure_rm_storageaccount has https_only set to false" - }, - { - "queryName": "Storage Account Not Forcing HTTPS", - "severity": "MEDIUM", - "line": 3, - "filename": "positive.yaml", - "resourceType": "azure.azcollection.azure_rm_storageaccount", - "resourceName": "create an account", - "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", - "searchValue": "", - "expectedValue": "azure_rm_storageaccount.https_only should be defined", - "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)" - }, - { - "queryName": "Storage Account Not Forcing HTTPS", - "severity": "MEDIUM", - "line": 15, - "filename": "positive.yaml", - "resourceType": "azure.azcollection.azure_rm_storageaccount", - "resourceName": "create an account2", - "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", - "searchValue": "", - "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 9d6cccf3901..0089607b3e2 100644 --- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 17, + "line": 9, "filename": "positive.yaml", "resourceType": "azure_rm_storageblob", - "resourceName": "Create container foo2 and upload a file", - "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access", + "resourceName": "Create container foo and upload a file", + "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access", "searchValue": "", "expectedValue": "azure_rm_storageblob.public_access should not be set", "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" @@ -14,11 +14,11 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 9, + "line": 17, "filename": "positive.yaml", "resourceType": "azure_rm_storageblob", - "resourceName": "Create container foo and upload a file", - "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access", + "resourceName": "Create container foo2 and upload a file", + "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access", "searchValue": "", "expectedValue": "azure_rm_storageblob.public_access should not be set", "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json index 7c93162624a..6299050594b 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Logging of Sensitive Data In Defaults", "severity": "LOW", - "line": 39, - "filename": "positive2.cfg", + "line": 1, + "filename": "positive1.cfg", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "defaults.no_log", + "searchKey": "defaults", "searchValue": "", - "expectedValue": "no_log should be set to 'true'", - "actualValue": "no_log is set to 'false'" + "expectedValue": "no_log should be defined and set to 'true'", + "actualValue": "no_log is not defined" }, { "queryName": "Logging of Sensitive Data In Defaults", "severity": "LOW", - "line": 1, - "filename": "positive1.cfg", + "line": 39, + "filename": "positive2.cfg", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "defaults", + "searchKey": "defaults.no_log", "searchValue": "", - "expectedValue": "no_log should be defined and set to 'true'", - "actualValue": "no_log is not defined" + "expectedValue": "no_log should be set to 'true'", + "actualValue": "no_log is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json index 69a240fe00d..9c852a596e3 100644 --- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Privilege Escalation Using Become Plugin In Defaults", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.cfg", + "line": 10, + "filename": "positive1.cfg", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "defaults.become_user", + "searchKey": "defaults.become", "searchValue": "", - "expectedValue": "'become' should be defined and set to 'true'", - "actualValue": "'become' is not defined" + "expectedValue": "'become' should be set to 'true'", + "actualValue": "'become' is set to 'false'" }, { "queryName": "Privilege Escalation Using Become Plugin In Defaults", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.cfg", + "line": 12, + "filename": "positive2.cfg", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "defaults.become", + "searchKey": "defaults.become_user", "searchValue": "", - "expectedValue": "'become' should be set to 'true'", - "actualValue": "'become' is set to 'false'" + "expectedValue": "'become' should be defined and set to 'true'", + "actualValue": "'become' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json index 369174de97e..9132a260950 100644 --- a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Client Certificate Disabled", - "severity": "HIGH", - "line": 37, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster3", - "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate", - "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth.password should be true", - "actualValue": "gcp_container_cluster.master_auth.password is false" - }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.client_certificate_config should be defined", "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined" + }, + { + "queryName": "Client Certificate Disabled", + "severity": "HIGH", + "line": 37, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be true", + "actualValue": "gcp_container_cluster.master_auth.password is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index cb272a360c7..d60f10c5f05 100644 --- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 33, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_dns_managed_zone", - "resourceName": "create a third managed zone", - "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state", - "searchValue": "", - "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'", - "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'" - }, { "queryName": "Cloud DNS Without DNSSEC", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should be defined", "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined" + }, + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a third managed zone", + "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'", + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index ba659ff9fee..3fe9396e63a 100644 --- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 22, + "line": 11, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_storage_bucket", - "resourceName": "create a bucket2", - "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity", + "resourceName": "create a bucket1", + "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity", "searchValue": "", - "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'" + "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 11, + "line": 22, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_storage_bucket", - "resourceName": "create a bucket1", - "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity", + "resourceName": "create a bucket2", + "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity", "searchValue": "", - "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'" + "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index 0fe3a9605b5..fd3e30a84ab 100644 --- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 17, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_storage_bucket", - "resourceName": "create a second bucket", - "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled", + "resourceName": "create a bucket", + "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", "searchValue": "", - "expectedValue": "gcp_storage_bucket.versioning.enabled should be true", - "actualValue": "gcp_storage_bucket.versioning.enabled is false" + "expectedValue": "gcp_storage_bucket.versioning should be defined", + "actualValue": "gcp_storage_bucket.versioning is undefined" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 3, + "line": 17, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_storage_bucket", - "resourceName": "create a bucket", - "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", + "resourceName": "create a second bucket", + "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled", "searchValue": "", - "expectedValue": "gcp_storage_bucket.versioning should be defined", - "actualValue": "gcp_storage_bucket.versioning is undefined" + "expectedValue": "gcp_storage_bucket.versioning.enabled should be true", + "actualValue": "gcp_storage_bucket.versioning.enabled is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json index 905b1fdf4b2..a534d26413d 100644 --- a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Cluster Labels Disabled", - "severity": "LOW", - "line": 47, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster3", - "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels", - "searchValue": "", - "expectedValue": "google.cloud.gcp_container_cluster should not be empty", - "actualValue": "google.cloud.gcp_container_cluster is empty" - }, { "queryName": "Cluster Labels Disabled", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", "actualValue": "google.cloud.gcp_container_cluster is undefined and null" + }, + { + "queryName": "Cluster Labels Disabled", + "severity": "LOW", + "line": 47, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should not be empty", + "actualValue": "google.cloud.gcp_container_cluster is empty" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index 4b35f9aa817..d0406153fc5 100644 --- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -14,23 +14,23 @@ { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 32, + "line": 18, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster3", - "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" + "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 61, + "line": 32, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster5", - "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" @@ -38,11 +38,11 @@ { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 18, + "line": 46, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster2", - "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" @@ -50,13 +50,13 @@ { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 46, + "line": 61, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster4", - "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" + "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json index c3cc4df5013..d9fdf6f6e8a 100644 --- a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Disk Encryption Disabled", - "severity": "MEDIUM", - "line": 27, - "filename": "positive1.yaml", - "resourceType": "google.cloud.gcp_compute_disk", - "resourceName": "create a disk4", - "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key", - "searchValue": "", - "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty", - "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty" - }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", @@ -38,14 +26,14 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.yaml", + "line": 27, + "filename": "positive1.yaml", "resourceType": "google.cloud.gcp_compute_disk", "resourceName": "create a disk4", - "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key", "searchValue": "", - "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty", - "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty" + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty" }, { "queryName": "Disk Encryption Disabled", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null" + }, + { + "queryName": "Disk Encryption Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk4", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json index fb7ecfb191e..8329718ffee 100644 --- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 47, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster4", - "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth.username should be empty", - "actualValue": "gcp_container_cluster.master_auth.username is not empty" + "expectedValue": "gcp_container_cluster.master_auth should be defined", + "actualValue": "gcp_container_cluster.master_auth is undefined" }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 3, + "line": 18, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster1", - "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth should be defined", - "actualValue": "gcp_container_cluster.master_auth is undefined" + "expectedValue": "gcp_container_cluster.master_auth.username should be defined", + "actualValue": "gcp_container_cluster.master_auth.username is undefined" }, { "queryName": "GKE Basic Authentication Enabled", @@ -38,14 +38,14 @@ { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 18, + "line": 47, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster2", - "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_auth.username should be defined", - "actualValue": "gcp_container_cluster.master_auth.username is undefined" + "expectedValue": "gcp_container_cluster.master_auth.username should be empty", + "actualValue": "gcp_container_cluster.master_auth.username is not empty" }, { "queryName": "GKE Basic Authentication Enabled", diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index 35effb5a6ee..7d3a7c54091 100644 --- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 22, + "line": 17, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a third cluster", - "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}", + "resourceName": "create a second cluster", + "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined", - "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined" + "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined" }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 17, + "line": 22, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a second cluster", - "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config", + "resourceName": "create a third cluster", + "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", - "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined", - "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined" + "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json index b8801cf1c3e..1958481135f 100644 --- a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive1.yaml", "resourceType": "google.cloud.gcp_container_cluster", "resourceName": "create a cluster", - "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is default" + "actualValue": "'service_account' is missing" }, { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.yaml", "resourceType": "google.cloud.gcp_container_cluster", "resourceName": "create a cluster", - "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is missing" + "actualValue": "'service_account' is default" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index c2cd9a64e9b..401c93188b2 100644 --- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 16, + "line": 2, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_ssl_policy", - "resourceName": "create a SSL policy2", - "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version", + "resourceName": "create a SSL policy", + "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}", "searchValue": "", - "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'", - "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'" + "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 2, + "line": 16, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_ssl_policy", - "resourceName": "create a SSL policy", - "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}", + "resourceName": "create a SSL policy2", + "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version", "searchValue": "", - "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'", - "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'" + "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 3707a8c39d4..846afd659cc 100644 --- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 23, + "line": 18, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_kms_crypto_key", - "resourceName": "create a crypto key2", - "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}", + "resourceName": "create a crypto key", + "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period", "searchValue": "", - "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000", - "actualValue": "gcp_kms_crypto_key.rotation_period is undefined" + "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000" }, { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 18, + "line": 23, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_kms_crypto_key", - "resourceName": "create a crypto key", - "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period", + "resourceName": "create a crypto key2", + "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}", "searchValue": "", - "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000", - "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000" + "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 3d82b62569a..246d07b6d92 100644 --- a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "IP Aliasing Disabled", - "severity": "MEDIUM", - "line": 50, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster3", - "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases", - "searchValue": "", - "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true", - "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false" - }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be set to true", "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined" + }, + { + "queryName": "IP Aliasing Disabled", + "severity": "MEDIUM", + "line": 50, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true", + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json index eca41504d64..423c27e6538 100644 --- a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 96, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster5", - "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", - "searchValue": "", - "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", - "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true" - }, - { - "queryName": "Network Policy Disabled", - "severity": "MEDIUM", - "line": 73, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster4", - "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled", - "searchValue": "", - "expectedValue": "gcp_container_cluster.network_policy.enabled should be true", - "actualValue": "gcp_container_cluster.network_policy.enabled is false" + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "network_policy", + "expectedValue": "gcp_container_cluster.network_policy should be defined", + "actualValue": "gcp_container_cluster.network_policy is undefined" }, { "queryName": "Network Policy Disabled", @@ -50,13 +38,25 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 3, + "line": 73, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster1", - "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", - "searchValue": "network_policy", - "expectedValue": "gcp_container_cluster.network_policy should be defined", - "actualValue": "gcp_container_cluster.network_policy is undefined" + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.network_policy.enabled should be true", + "actualValue": "gcp_container_cluster.network_policy.enabled is false" + }, + { + "queryName": "Network Policy Disabled", + "severity": "MEDIUM", + "line": 96, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 8a73ae29c17..052b5f52e6d 100644 --- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Node Auto Upgrade Disabled", - "severity": "MEDIUM", - "line": 36, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_container_node_pool", - "resourceName": "create a third node pool", - "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade", - "searchValue": "", - "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true", - "actualValue": "gcp_container_node_pool.management.auto_upgrade is false" - }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be defined", "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined" + }, + { + "queryName": "Node Auto Upgrade Disabled", + "severity": "MEDIUM", + "line": 36, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a third node pool", + "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true", + "actualValue": "gcp_container_node_pool.management.auto_upgrade is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json index eba18d9a9cd..20cbdcc5647 100644 --- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", "severity": "MEDIUM", - "line": 16, + "line": 5, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_sql_instance", - "resourceName": "create another instance", - "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", + "resourceName": "create instance", + "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", "searchValue": "", - "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", - "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" + "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'", + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'" }, { "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", "severity": "MEDIUM", - "line": 5, + "line": 16, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_sql_instance", - "resourceName": "create instance", - "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", + "resourceName": "create another instance", + "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", "searchValue": "", - "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'", - "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'" + "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json index 563aa3989bd..c35e772cedc 100644 --- a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -14,26 +14,26 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 48, + "line": 31, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster3", - "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", "searchValue": "", - "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined" + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 31, + "line": 48, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster2", - "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", "searchValue": "", - "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined" + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined" }, { "queryName": "Private Cluster Disabled", diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index a6e78f0e583..7ab68879601 100644 --- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 15, + "line": 9, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_instance", - "resourceName": "no_metadata", - "searchKey": "name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}", + "resourceName": "ssh_keys_missing", + "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata", "searchValue": "", - "expectedValue": "gcp_compute_instance.metadata should be set", - "actualValue": "gcp_compute_instance.metadata is undefined" + "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true", + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 9, + "line": 15, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_instance", - "resourceName": "ssh_keys_missing", - "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata", + "resourceName": "no_metadata", + "searchKey": "name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}", "searchValue": "", - "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true", - "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined" + "expectedValue": "gcp_compute_instance.metadata should be set", + "actualValue": "gcp_compute_instance.metadata is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 30453d63495..e5d5f03d384 100644 --- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 29, + "line": 8, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_firewall", - "resourceName": "rdp_in_port", - "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "resourceName": "rdp_in_range", + "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", "searchValue": "", "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" @@ -14,11 +14,11 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 8, + "line": 29, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_firewall", - "resourceName": "rdp_in_range", - "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "resourceName": "rdp_in_port", + "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", "searchValue": "", "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json index a50fa2728da..ef8f448e40f 100644 --- a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Shielded VM Disabled", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config is undefined" + }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", @@ -70,17 +82,5 @@ "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be true", "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false" - }, - { - "queryName": "Shielded VM Disabled", - "severity": "MEDIUM", - "line": 3, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_compute_instance", - "resourceName": "create a instance1", - "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", - "searchValue": "", - "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined", - "actualValue": "gcp_compute_instance.shielded_instance_config is undefined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index c960978ef14..bd62898e7ee 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL DB Instance Backup Disabled", - "severity": "MEDIUM", - "line": 38, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_sql_instance", - "resourceName": "create a forth instance", - "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled", - "searchValue": "", - "expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", - "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false" - }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "gcp_sql_instance.settings.backup_configuration.enabled should be defined", "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined" + }, + { + "queryName": "SQL DB Instance Backup Disabled", + "severity": "MEDIUM", + "line": 38, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 6adc8bf7ac5..d037cc44041 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL DB Instance With SSL Disabled", - "severity": "HIGH", - "line": 39, - "filename": "positive.yaml", - "resourceType": "google.cloud.gcp_sql_instance", - "resourceName": "create a forth instance", - "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", - "searchValue": "", - "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", - "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false" - }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be defined", "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 39, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 4b040a25953..621ff9b8464 100644 --- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 32, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster2", - "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", - "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", - "actualValue": "gcp_container_cluster.logging_service is 'none'" + "expectedValue": "gcp_container_cluster.logging_service should be defined", + "actualValue": "gcp_container_cluster.logging_service is undefined" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 3, + "line": 32, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster1", - "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", "searchValue": "", - "expectedValue": "gcp_container_cluster.logging_service should be defined", - "actualValue": "gcp_container_cluster.logging_service is undefined" + "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", + "actualValue": "gcp_container_cluster.logging_service is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 22b71908c49..a90878e001a 100644 --- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 32, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster2", - "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", - "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", - "actualValue": "gcp_container_cluster.monitoring_service is 'none'" + "expectedValue": "gcp_container_cluster.monitoring_service should be defined", + "actualValue": "gcp_container_cluster.monitoring_service is undefined" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 3, + "line": 32, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_container_cluster", - "resourceName": "create a cluster1", - "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", "searchValue": "", - "expectedValue": "gcp_container_cluster.monitoring_service should be defined", - "actualValue": "gcp_container_cluster.monitoring_service is undefined" + "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", + "actualValue": "gcp_container_cluster.monitoring_service is 'none'" } ] \ No newline at end of file diff --git a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json index fc7d5a2e3fb..041c50b7741 100644 --- a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 115, + "line": 3, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_instance", - "resourceName": "create a instance4", - "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", "searchValue": "", - "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", - "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account" + "expectedValue": "gcp_compute_instance.service_account_email should be defined", + "actualValue": "gcp_compute_instance.service_account_email is undefined" }, { "queryName": "Using Default Service Account", @@ -38,13 +38,13 @@ { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 3, + "line": 115, "filename": "positive.yaml", "resourceType": "google.cloud.gcp_compute_instance", - "resourceName": "create a instance1", - "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", "searchValue": "", - "expectedValue": "gcp_compute_instance.service_account_email should be defined", - "actualValue": "gcp_compute_instance.service_account_email is undefined" + "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", + "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account" } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index 9a83fd5ab90..563e8631804 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 12, - "filename": "positive1.yaml", - "resourceType": "ansible.builtin.copy", - "resourceName": "Two", - "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", - "searchValue": "", - "expectedValue": "ansible.builtin.copy.src should not be a relative path", - "actualValue": "ansible.builtin.copy.src is a relative path" - }, { "queryName": "Insecure Relative Path Resolution", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "ansible.builtin.template.src should not be a relative path", "actualValue": "ansible.builtin.template.src is a relative path" + }, + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.copy", + "resourceName": "Two", + "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.copy.src should not be a relative path", + "actualValue": "ansible.builtin.copy.src is a relative path" } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index 2cc0c111a8f..0e03a53b26f 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Logging of Sensitive Data", "severity": "LOW", - "line": 5, - "filename": "positive2.yaml", + "line": 14, + "filename": "positive1.yaml", "resourceType": "ansible.builtin.user", "resourceName": "bar", - "searchKey": "name={{bar}}", + "searchKey": "name={{bar}}.no_log", "searchValue": "", - "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", - "actualValue": "'no_log' is not defined" + "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is set to false" }, { "queryName": "Logging of Sensitive Data", "severity": "LOW", - "line": 14, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.yaml", "resourceType": "ansible.builtin.user", "resourceName": "bar", - "searchKey": "name={{bar}}.no_log", + "searchKey": "name={{bar}}", "searchValue": "", - "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", - "actualValue": "'no_log' is set to false" + "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 6f7ad039389..1c72300ddd0 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -2,73 +2,73 @@ { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 53, + "line": 4, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", + "searchKey": "become_user={{bar}}", "searchValue": "", - "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", - "actualValue": "'become' is set to 'false'" + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", + "actualValue": "'become' is not defined" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 61, + "line": 15, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "name={{become_user without become}}.become_user={{mysql}}", + "searchKey": "become", "searchValue": "", - "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with mysql", - "actualValue": "'become' is not defined" + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", + "actualValue": "'become' is set to 'false'" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 44, + "line": 31, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", + "searchKey": "name={{Sample become_user}}.become_user={{foo}}", "searchValue": "", - "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", - "actualValue": "'become' is set to 'false'" + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", + "actualValue": "'become' is not defined" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 15, + "line": 44, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "become", + "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", "searchValue": "", - "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", + "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", "actualValue": "'become' is set to 'false'" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 31, + "line": 53, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "name={{Sample become_user}}.become_user={{foo}}", + "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", "searchValue": "", - "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", - "actualValue": "'become' is not defined" + "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", + "actualValue": "'become' is set to 'false'" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 4, + "line": 61, "filename": "positive1.yaml", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "become_user={{bar}}", + "searchKey": "name={{become_user without become}}.become_user={{mysql}}", "searchValue": "", - "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with mysql", "actualValue": "'become' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 0bdc72b5ced..1263c988eae 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Risky File Permissions", "severity": "INFO", - "line": 46, + "line": 5, "filename": "positive1.yaml", - "resourceType": "false", - "resourceName": "create is true 2x", - "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", + "resourceType": "ansible.builtin.file", + "resourceName": "not preserve value", + "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", "searchValue": "", - "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", - "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'" }, { "queryName": "Risky File Permissions", "severity": "INFO", - "line": 25, + "line": 13, "filename": "positive1.yaml", "resourceType": "file", - "resourceName": "Permissions missing 3x", - "searchKey": "name={{Permissions missing 3x}}.{{file}}", + "resourceName": "Permissions missing", + "searchKey": "name={{Permissions missing}}.{{file}}", "searchValue": "", "expectedValue": "All the permissions set in file about creating files/directories", "actualValue": "There are some permissions missing in file and might create directory/file" @@ -26,15 +26,39 @@ { "queryName": "Risky File Permissions", "severity": "INFO", - "line": 64, + "line": 17, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "Permissions missing 2x", + "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", + "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 25, "filename": "positive1.yaml", "resourceType": "file", - "resourceName": "Not Permissions", - "searchKey": "name={{Not Permissions}}.{{file}}", + "resourceName": "Permissions missing 3x", + "searchKey": "name={{Permissions missing 3x}}.{{file}}", "searchValue": "", "expectedValue": "All the permissions set in file about creating files/directories", "actualValue": "There are some permissions missing in file and might create directory/file" }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true", + "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + }, { "queryName": "Risky File Permissions", "severity": "INFO", @@ -50,14 +74,14 @@ { "queryName": "Risky File Permissions", "severity": "INFO", - "line": 13, + "line": 46, "filename": "positive1.yaml", - "resourceType": "file", - "resourceName": "Permissions missing", - "searchKey": "name={{Permissions missing}}.{{file}}", + "resourceType": "false", + "resourceName": "create is true 2x", + "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", "searchValue": "", - "expectedValue": "All the permissions set in file about creating files/directories", - "actualValue": "There are some permissions missing in file and might create directory/file" + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" }, { "queryName": "Risky File Permissions", @@ -74,38 +98,14 @@ { "queryName": "Risky File Permissions", "severity": "INFO", - "line": 5, - "filename": "positive1.yaml", - "resourceType": "ansible.builtin.file", - "resourceName": "not preserve value", - "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", - "searchValue": "", - "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", - "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'" - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "line": 29, - "filename": "positive1.yaml", - "resourceType": "false", - "resourceName": "create is true", - "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", - "searchValue": "", - "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", - "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "line": 17, + "line": 64, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.file", - "resourceName": "Permissions missing 2x", - "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", + "resourceType": "file", + "resourceName": "Not Permissions", + "searchKey": "name={{Not Permissions}}.{{file}}", "searchValue": "", - "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", - "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file" + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file" }, { "queryName": "Risky File Permissions", diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json index f2e2679d87c..c5dfbf4a36f 100644 --- a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json +++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 29, + "line": 8, "filename": "positive1.yaml", - "resourceType": "community.general.zypper", - "resourceName": "Install nmap", - "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible", + "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -14,11 +14,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 101, + "line": 13, "filename": "positive1.yaml", - "resourceType": "community.general.pkgutil", - "resourceName": "Install several packages", - "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", + "resourceType": "ansible.builtin.pip", + "resourceName": "Install Ansible-lint", + "searchKey": "name={{Install Ansible-lint}}.{{ansible.builtin.pip}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -38,11 +38,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 44, + "line": 23, "filename": "positive1.yaml", - "resourceType": "community.general.bundler", - "resourceName": "Update Gemfile in another directory", - "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible with update_only to false", + "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -50,11 +50,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 8, + "line": 29, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.yum", - "resourceName": "Install Ansible", - "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", + "resourceType": "community.general.zypper", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -62,11 +62,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 144, + "line": 34, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.yum", - "resourceName": "Install a list of packages (suitable replacement for 2.11 loop deprecation warning)", - "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", + "resourceType": "community.general.apk", + "resourceName": "Install package without using cache", + "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -74,11 +74,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 50, + "line": 40, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.dnf", - "resourceName": "Install a modularity appstream with defined profile", - "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", + "resourceType": "ansible.builtin.apt", + "resourceName": "Install apache httpd", + "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -86,11 +86,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 55, + "line": 44, "filename": "positive1.yaml", - "resourceType": "community.general.gem", - "resourceName": "Install rake", - "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", + "resourceType": "community.general.bundler", + "resourceName": "Update Gemfile in another directory", + "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -98,11 +98,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 111, + "line": 50, "filename": "positive1.yaml", - "resourceType": "community.general.slackpkg", - "resourceName": "Make sure that it is the most updated package", - "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", + "resourceType": "ansible.builtin.dnf", + "resourceName": "Install a modularity appstream with defined profile", + "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -110,11 +110,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 94, + "line": 55, "filename": "positive1.yaml", - "resourceType": "community.general.pkg5", - "resourceName": "Install finger daemon", - "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", + "resourceType": "community.general.gem", + "resourceName": "Install rake", + "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -134,11 +134,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 84, + "line": 65, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.package", - "resourceName": "Install ntpdate", - "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", + "resourceType": "community.general.jenkins_plugin", + "resourceName": "Install Green Balls plugin", + "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -146,11 +146,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 121, + "line": 74, "filename": "positive1.yaml", - "resourceType": "community.general.swdepot", - "resourceName": "Install package unzip", - "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", + "resourceType": "community.general.npm", + "resourceName": "Install packages based on package.json", + "searchKey": "name={{Install packages based on package.json}}.{{community.general.npm}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -158,11 +158,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 34, + "line": 79, "filename": "positive1.yaml", - "resourceType": "community.general.apk", - "resourceName": "Install package without using cache", - "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", + "resourceType": "community.general.openbsd_pkg", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -170,11 +170,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 74, + "line": 84, "filename": "positive1.yaml", - "resourceType": "community.general.npm", - "resourceName": "Install packages based on package.json", - "searchKey": "name={{Install packages based on package.json}}.{{community.general.npm}}.state", + "resourceType": "ansible.builtin.package", + "resourceName": "Install ntpdate", + "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -182,11 +182,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 116, + "line": 89, "filename": "positive1.yaml", - "resourceType": "community.general.sorcery", - "resourceName": "Make sure spell foo is installed", - "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", + "resourceType": "community.general.pacman", + "resourceName": "Install package bar from file", + "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -194,11 +194,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 136, + "line": 94, "filename": "positive1.yaml", - "resourceType": "community.general.yarn", - "resourceName": "Install \"imagemin\" node.js package globally.", - "searchKey": "name={{Install \"imagemin\" node.js package globally.}}.{{community.general.yarn}}.state", + "resourceType": "community.general.pkg5", + "resourceName": "Install finger daemon", + "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -206,11 +206,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 40, + "line": 101, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.apt", - "resourceName": "Install apache httpd", - "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", + "resourceType": "community.general.pkgutil", + "resourceName": "Install several packages", + "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -218,11 +218,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 149, + "line": 106, "filename": "positive1.yaml", - "resourceType": "community.general.zypper", - "resourceName": "Install local rpm file", - "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", + "resourceType": "community.general.portage", + "resourceName": "Install package foo", + "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -230,11 +230,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 79, + "line": 111, "filename": "positive1.yaml", - "resourceType": "community.general.openbsd_pkg", - "resourceName": "Install nmap", - "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", + "resourceType": "community.general.slackpkg", + "resourceName": "Make sure that it is the most updated package", + "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -242,11 +242,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 89, + "line": 116, "filename": "positive1.yaml", - "resourceType": "community.general.pacman", - "resourceName": "Install package bar from file", - "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", + "resourceType": "community.general.sorcery", + "resourceName": "Make sure spell foo is installed", + "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -254,11 +254,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 106, + "line": 121, "filename": "positive1.yaml", - "resourceType": "community.general.portage", - "resourceName": "Install package foo", - "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", + "resourceType": "community.general.swdepot", + "resourceName": "Install package unzip", + "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -266,11 +266,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 23, + "line": 130, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.yum", - "resourceName": "Install Ansible with update_only to false", - "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", + "resourceType": "win_chocolatey", + "resourceName": "Install multiple packages", + "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -278,11 +278,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 13, + "line": 136, "filename": "positive1.yaml", - "resourceType": "ansible.builtin.pip", - "resourceName": "Install Ansible-lint", - "searchKey": "name={{Install Ansible-lint}}.{{ansible.builtin.pip}}.state", + "resourceType": "community.general.yarn", + "resourceName": "Install \"imagemin\" node.js package globally.", + "searchKey": "name={{Install \"imagemin\" node.js package globally.}}.{{community.general.yarn}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -290,11 +290,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 65, + "line": 144, "filename": "positive1.yaml", - "resourceType": "community.general.jenkins_plugin", - "resourceName": "Install Green Balls plugin", - "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install a list of packages (suitable replacement for 2.11 loop deprecation warning)", + "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" @@ -302,11 +302,11 @@ { "queryName": "Unpinned Package Version", "severity": "LOW", - "line": 130, + "line": 149, "filename": "positive1.yaml", - "resourceType": "win_chocolatey", - "resourceName": "Install multiple packages", - "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", + "resourceType": "community.general.zypper", + "resourceName": "Install local rpm file", + "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", "actualValue": "State's task is set to 'latest'" diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json index 0e62f1eb4e8..87e5f1496ac 100644 --- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", - "line": 24, - "filename": "positive2.yaml", + "line": 1, + "filename": "positive1.ini", "resourceType": "n/a", "resourceName": "children", - "searchKey": "all.children.tower.hosts", + "searchKey": "[tower]", "searchValue": "", "expectedValue": "Ansible Tower IP should be private", "actualValue": "Ansible Tower IP is public" @@ -14,11 +14,11 @@ { "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.ini", + "line": 24, + "filename": "positive2.yaml", "resourceType": "n/a", "resourceName": "children", - "searchKey": "[tower]", + "searchKey": "all.children.tower.hosts", "searchValue": "", "expectedValue": "Ansible Tower IP should be private", "actualValue": "Ansible Tower IP is public" diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json index c5662cd4d87..a8fac6bb91e 100644 --- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json @@ -2,44 +2,44 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 15, - "filename": "positive4.json", + "line": 4, + "filename": "positive1.bicep", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", - "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", - "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep", + "line": 14, + "filename": "positive1.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", - "searchKey": "resources.name={{sample/server/default}}.properties", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", - "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 4, - "filename": "positive1.bicep", + "line": 3, + "filename": "positive2.bicep", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", - "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchKey": "resources.name={{sample/server/default}}.properties", "searchValue": "", - "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep", + "line": 13, + "filename": "positive2.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", "searchKey": "resources.name={{sample/server/default}}.properties", @@ -62,11 +62,11 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 14, - "filename": "positive1.json", + "line": 16, + "filename": "positive3.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", - "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" @@ -74,8 +74,8 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 13, - "filename": "positive2.json", + "line": 3, + "filename": "positive4.bicep", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", "searchKey": "resources.name={{sample/server/default}}.properties", @@ -86,13 +86,13 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 16, - "filename": "positive3.json", + "line": 15, + "filename": "positive4.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/server/default", - "searchKey": "properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", "searchValue": "", - "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json index 147acc45e96..cf949e5a63e 100644 --- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json @@ -2,14 +2,26 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep", + "line": 2, + "filename": "positive1.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is undefined" + }, + { + "queryName": "AKS Cluster Network Policy Not Configured", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -26,14 +38,14 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 2, - "filename": "positive1.bicep", + "line": 37, + "filename": "positive2.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is empty" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -50,20 +62,20 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 39, - "filename": "positive4.json", + "line": 8, + "filename": "positive3.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is undefined" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 37, - "filename": "positive2.json", + "line": 31, + "filename": "positive4.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", @@ -74,25 +86,13 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json", - "resourceType": "Microsoft.ContainerService/managedClusters", - "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", - "searchValue": "", - "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" - }, - { - "queryName": "AKS Cluster Network Policy Not Configured", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json", + "line": 39, + "filename": "positive4.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is empty" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json index 433c9007612..b7c248c26c2 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "filename": "positive4.bicep", + "line": 4, + "filename": "positive1.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchKey": "resources.name={{aksCluster1}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 4, - "filename": "positive3.bicep", + "line": 14, + "filename": "positive1.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name={{aksCluster1}}.properties", @@ -26,27 +26,15 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 38, - "filename": "positive4.json", + "line": 26, + "filename": "positive2.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" }, - { - "queryName": "AKS Cluster RBAC Disabled", - "severity": "HIGH", - "line": 16, - "filename": "positive3.json", - "resourceType": "Microsoft.ContainerService/managedClusters", - "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" - }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", @@ -62,8 +50,8 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 14, - "filename": "positive1.json", + "line": 4, + "filename": "positive3.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name={{aksCluster1}}.properties", @@ -74,11 +62,11 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 4, - "filename": "positive1.bicep", + "line": 16, + "filename": "positive3.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name={{aksCluster1}}.properties", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" @@ -87,12 +75,24 @@ "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", "line": 26, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + }, + { + "queryName": "AKS Cluster RBAC Disabled", + "severity": "HIGH", + "line": 38, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json index e64d0f9020d..7aed5e777db 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 8, - "filename": "positive2.bicep", + "line": 14, + "filename": "positive1.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", @@ -26,11 +26,11 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 16, - "filename": "positive2.json", + "line": 8, + "filename": "positive2.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" @@ -38,11 +38,11 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 14, - "filename": "positive1.json", + "line": 16, + "filename": "positive2.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json index 7cd01cc74ad..38ac5ae227b 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -26,11 +26,11 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json", + "line": 2, + "filename": "positive2.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", "actualValue": "'addonProfiles.omsagent.enabled' is undefined" @@ -38,14 +38,14 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.bicep", + "line": 6, + "filename": "positive2.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -62,14 +62,14 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep", + "line": 16, + "filename": "positive3.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -86,13 +86,13 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.json", + "line": 8, + "filename": "positive4.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json index 5279a23b05b..4b55e8c5ed0 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json @@ -14,11 +14,11 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 10, - "filename": "positive6.json", + "line": 8, + "filename": "positive1.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", + "searchKey": "resources.name=aksCluster1.apiVersion", "searchValue": "", "expectedValue": "'apiVersion' should be '2019-02-01' or newer", "actualValue": "'apiVersion' is 2017-08-31" @@ -26,8 +26,8 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 37, - "filename": "positive5.json", + "line": 31, + "filename": "positive10.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", @@ -38,20 +38,20 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive9.bicep", + "line": 39, + "filename": "positive10.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 2, - "filename": "positive7.bicep", + "filename": "positive2.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1", @@ -62,11 +62,11 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive7.json", + "line": 6, + "filename": "positive2.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", "actualValue": "'apiServerAuthorizedIPRanges' is undefined" @@ -74,14 +74,14 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive9.json", + "line": 30, + "filename": "positive3.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", - "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -98,20 +98,32 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive5.bicep", + "line": 2, + "filename": "positive4.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + }, + { + "queryName": "AKS With Authorized IP Ranges Disabled", + "severity": "LOW", + "line": 6, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 31, - "filename": "positive10.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", @@ -122,20 +134,20 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive4.json", + "line": 37, + "filename": "positive5.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive1.json", + "line": 1, + "filename": "positive6.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1.apiVersion", @@ -146,35 +158,35 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json", + "line": 10, + "filename": "positive6.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", "searchValue": "", - "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is undefined" + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 38, - "filename": "positive8.json", + "line": 2, + "filename": "positive7.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "actualValue": "'apiServerAuthorizedIPRanges' is undefined" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive2.bicep", + "line": 8, + "filename": "positive7.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", "actualValue": "'apiServerAuthorizedIPRanges' is undefined" @@ -182,32 +194,32 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 1, - "filename": "positive6.bicep", + "line": 30, + "filename": "positive8.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.apiVersion", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", - "expectedValue": "'apiVersion' should be '2019-02-01' or newer", - "actualValue": "'apiVersion' is 2017-08-31" + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 39, - "filename": "positive10.json", + "line": 38, + "filename": "positive8.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", - "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 2, - "filename": "positive4.bicep", + "filename": "positive9.bicep", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", "searchKey": "resources.name=aksCluster1", @@ -218,25 +230,13 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive8.bicep", - "resourceType": "Microsoft.ContainerService/managedClusters", - "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", - "searchValue": "", - "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" - }, - { - "queryName": "AKS With Authorized IP Ranges Disabled", - "severity": "LOW", - "line": 30, - "filename": "positive3.bicep", + "line": 8, + "filename": "positive9.json", "resourceType": "Microsoft.ContainerService/managedClusters", "resourceName": "aksCluster1", - "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", - "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json index 72df6c24056..1e9fa2ca622 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "filename": "positive6.bicep", + "line": 33, + "filename": "positive1.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", - "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "filename": "positive5.bicep", + "line": 37, + "filename": "positive1.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", @@ -26,11 +26,11 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 42, - "filename": "positive8.json", - "resourceType": "Microsoft.Web/sites/config", - "resourceName": "webApp1/authsettings", - "searchKey": "properties.template.resources.name=webApp1/authsettings", + "line": 31, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", "actualValue": "'enabled' is undefined" @@ -38,20 +38,8 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 44, - "filename": "positive3.json", - "resourceType": "Microsoft.Web/sites/config", - "resourceName": "webApp1/authsettings", - "searchKey": "resources.name=webApp1/authsettings.properties.enabled", - "searchValue": "", - "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" - }, - { - "queryName": "App Service Authentication Is Not Set", - "severity": "MEDIUM", - "line": 31, - "filename": "positive8.bicep", + "line": 33, + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings", @@ -63,7 +51,7 @@ "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "filename": "positive7.bicep", + "filename": "positive3.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", @@ -74,11 +62,11 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 39, - "filename": "positive5.json", - "resourceType": "Microsoft.Web/sites", - "resourceName": "webApp1", - "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", "actualValue": "'enabled' property value is false on authsettings properties" @@ -98,11 +86,11 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.bicep", - "resourceType": "Microsoft.Web/sites", - "resourceName": "webApp1", - "searchKey": "resources.name=webApp1.resources.name=authsettings", + "line": 40, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", "actualValue": "'enabled' is undefined" @@ -110,8 +98,8 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 37, - "filename": "positive1.json", + "line": 33, + "filename": "positive5.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", @@ -122,20 +110,20 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 35, - "filename": "positive6.json", + "line": 39, + "filename": "positive5.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", - "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' property value is false on authsettings properties" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "filename": "positive2.json", + "line": 31, + "filename": "positive6.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings", @@ -146,11 +134,11 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 40, - "filename": "positive4.json", - "resourceType": "Microsoft.Web/sites/config", - "resourceName": "webApp1/authsettings", - "searchKey": "resources.name=webApp1/authsettings", + "line": 35, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", "actualValue": "'enabled' is undefined" @@ -159,7 +147,7 @@ "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "filename": "positive3.bicep", + "filename": "positive7.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", @@ -170,25 +158,37 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.bicep", + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties" + }, + { + "queryName": "App Service Authentication Is Not Set", + "severity": "MEDIUM", + "line": 31, + "filename": "positive8.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webApp1", - "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' is undefined" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 46, - "filename": "positive7.json", + "line": 42, + "filename": "positive8.json", "resourceType": "Microsoft.Web/sites/config", "resourceName": "webApp1/authsettings", - "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", + "searchKey": "properties.template.resources.name=webApp1/authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json index 068c5b8543b..5bae76f613f 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -2,47 +2,47 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive4.bicep", + "line": 27, + "filename": "positive1.bicep", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "resources.name=[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 40, - "filename": "positive2.json", + "line": 53, + "filename": "positive1.json", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "resources.name=[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'disablePasswordAuthentication' property value is set to false" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 55, - "filename": "positive3.json", + "line": 17, + "filename": "positive2.bicep", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 42, - "filename": "positive4.json", + "line": 40, + "filename": "positive2.json", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "properties.template.resources.name=[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" @@ -50,8 +50,8 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 53, - "filename": "positive1.json", + "line": 27, + "filename": "positive3.bicep", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", @@ -62,11 +62,11 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.bicep", + "line": 55, + "filename": "positive3.json", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", "actualValue": "'disablePasswordAuthentication' property value is set to false" @@ -74,23 +74,23 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.bicep", + "line": 17, + "filename": "positive4.bicep", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.bicep", + "line": 42, + "filename": "positive4.json", "resourceType": "Microsoft.Compute/virtualMachines", "resourceName": "[variables('vmName')]", - "searchKey": "resources.name=[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json index 00f2c6d603f..707b817c960 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 32, - "filename": "positive3.json", + "line": 18, + "filename": "positive1.bicep", "resourceType": "Microsoft.Compute/disks", - "resourceName": "[concat(variables('vmName'),'-disk1')]", - "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" @@ -14,35 +14,35 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 19, - "filename": "positive2.json", + "line": 30, + "filename": "positive1.json", "resourceType": "Microsoft.Compute/disks", "resourceName": "[concat(variables('vmName'),'-disk1')]", - "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' is undefined" + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 30, - "filename": "positive1.json", + "line": 7, + "filename": "positive2.bicep", "resourceType": "Microsoft.Compute/disks", - "resourceName": "[concat(variables('vmName'),'-disk1')]", - "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1']", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" + "actualValue": "'encryptionSettingsCollection.enabled' is undefined" }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 21, - "filename": "positive4.json", + "line": 19, + "filename": "positive2.json", "resourceType": "Microsoft.Compute/disks", "resourceName": "[concat(variables('vmName'),'-disk1')]", - "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", "actualValue": "'encryptionSettingsCollection.enabled' is undefined" @@ -62,11 +62,11 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 18, - "filename": "positive1.bicep", + "line": 32, + "filename": "positive3.json", "resourceType": "Microsoft.Compute/disks", - "resourceName": "['${variables('vmName')}-disk1']", - "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" @@ -86,11 +86,11 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 7, - "filename": "positive2.bicep", + "line": 21, + "filename": "positive4.json", "resourceType": "Microsoft.Compute/disks", - "resourceName": "['${variables('vmName')}-disk1']", - "searchKey": "resources.name=['${variables('vmName')}-disk1']", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", "actualValue": "'encryptionSettingsCollection.enabled' is undefined" diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 5f963c1b932..b7ece2b7004 100644 --- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 11, - "filename": "positive3.bicep", + "line": 12, + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "positive3", - "searchKey": "resources.name=positive3.properties.publicNetworkAccess", + "resourceName": "positive1", + "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "filename": "positive1.bicep", + "line": 13, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "positive1", "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", @@ -38,20 +38,20 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 13, - "filename": "positive1.json", + "line": 11, + "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "positive1", - "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", + "resourceName": "positive2", + "searchKey": "resources.name=positive2.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "filename": "positive3.json", + "line": 11, + "filename": "positive3.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "positive3", "searchKey": "resources.name=positive3.properties.publicNetworkAccess", @@ -62,13 +62,13 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 11, - "filename": "positive2.json", + "line": 12, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "positive2", - "searchKey": "resources.name=positive2.properties.publicNetworkAccess", + "resourceName": "positive3", + "searchKey": "resources.name=positive3.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json index 79fd5037dd6..30b338a9475 100644 --- a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json @@ -2,35 +2,23 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive3.bicep", - "resourceType": "Microsoft.Security/securityContacts", - "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.alertNotifications", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" - }, - { - "queryName": "Email Notifications Disabled", - "severity": "INFO", - "line": 16, - "filename": "positive3.json", + "line": 7, + "filename": "positive1.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 19, - "filename": "positive7.json", + "line": 17, + "filename": "positive1.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" @@ -38,23 +26,23 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive9.bicep", + "line": 3, + "filename": "positive10.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive10.bicep", + "line": 15, + "filename": "positive10.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "properties.template.resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" @@ -62,71 +50,71 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive12.bicep", + "line": 11, + "filename": "positive11.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep", + "line": 23, + "filename": "positive11.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive8.bicep", + "line": 10, + "filename": "positive12.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep", + "line": 22, + "filename": "positive12.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 18, - "filename": "positive9.json", + "line": 3, + "filename": "positive2.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive8.json", + "line": 13, + "filename": "positive2.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" @@ -134,47 +122,47 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive11.bicep", + "line": 6, + "filename": "positive3.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 7, - "filename": "positive7.bicep", + "line": 16, + "filename": "positive3.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive6.bicep", + "line": 3, + "filename": "positive4.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive10.json", + "line": 13, + "filename": "positive4.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" @@ -182,11 +170,11 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 23, - "filename": "positive11.json", + "line": 11, + "filename": "positive5.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" @@ -206,32 +194,32 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive4.json", + "line": 10, + "filename": "positive6.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive2.json", + "line": 20, + "filename": "positive6.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", "line": 7, - "filename": "positive1.bicep", + "filename": "positive7.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", @@ -242,49 +230,61 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 22, - "filename": "positive12.json", + "line": 19, + "filename": "positive7.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 17, - "filename": "positive1.json", + "line": 3, + "filename": "positive8.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 20, - "filename": "positive6.json", + "line": 15, + "filename": "positive8.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchKey": "properties.template.resources.name={{security contact}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive5.bicep", + "line": 6, + "filename": "positive9.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", - "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + }, + { + "queryName": "Email Notifications Disabled", + "severity": "INFO", + "line": 18, + "filename": "positive9.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json index 09b4ce7224d..6b24cc74621 100644 --- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", "line": 2, - "filename": "positive2.bicep", + "filename": "positive1.bicep", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "parameters.adminPassword.defaultValue", @@ -14,8 +14,8 @@ { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 2, - "filename": "positive1.bicep", + "line": 7, + "filename": "positive1.json", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "parameters.adminPassword.defaultValue", @@ -26,8 +26,8 @@ { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 9, - "filename": "positive2.json", + "line": 2, + "filename": "positive2.bicep", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "parameters.adminPassword.defaultValue", @@ -38,8 +38,8 @@ { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 7, - "filename": "positive1.json", + "line": 9, + "filename": "positive2.json", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "parameters.adminPassword.defaultValue", diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index b5d9c9d8b19..a13935f8428 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json @@ -26,14 +26,38 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "filename": "positive5.json", + "line": 27, + "filename": "positive2.bicep", "resourceType": "Microsoft.KeyVault/vaults", - "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", - "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", - "searchValue": "enableSoftDelete", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + }, + { + "queryName": "Key Vault Not Recoverable", + "severity": "HIGH", + "line": 39, + "filename": "positive2.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + }, + { + "queryName": "Key Vault Not Recoverable", + "severity": "HIGH", + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", @@ -51,7 +75,7 @@ "queryName": "Key Vault Not Recoverable", "severity": "HIGH", "line": 27, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "keyVaultInstance", "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", @@ -62,14 +86,14 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "filename": "positive3.bicep", + "line": 41, + "filename": "positive4.json", "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "keyVaultInstance", - "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" }, { "queryName": "Key Vault Not Recoverable", @@ -95,18 +119,6 @@ "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" }, - { - "queryName": "Key Vault Not Recoverable", - "severity": "HIGH", - "line": 39, - "filename": "positive2.json", - "resourceType": "Microsoft.KeyVault/vaults", - "resourceName": "keyVaultInstance", - "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", - "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" - }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", @@ -122,25 +134,13 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 41, - "filename": "positive4.json", - "resourceType": "Microsoft.KeyVault/vaults", - "resourceName": "keyVaultInstance", - "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", - "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" - }, - { - "queryName": "Key Vault Not Recoverable", - "severity": "HIGH", - "line": 27, - "filename": "positive4.bicep", + "line": 23, + "filename": "positive5.json", "resourceType": "Microsoft.KeyVault/vaults", - "resourceName": "keyVaultInstance", - "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", - "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json index 1f41a47223a..c36e341e07c 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 22, - "filename": "positive1.json", + "line": 9, + "filename": "positive1.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name={{string}}.properties.categories", @@ -14,11 +14,11 @@ { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 24, - "filename": "positive2.json", + "line": 22, + "filename": "positive1.json", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", - "searchKey": "properties.template.resources.name={{string}}.properties.categories", + "searchKey": "resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" @@ -27,7 +27,7 @@ "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 9, - "filename": "positive1.bicep", + "filename": "positive2.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name={{string}}.properties.categories", @@ -38,11 +38,11 @@ { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 9, - "filename": "positive2.bicep", + "line": 24, + "filename": "positive2.json", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", - "searchKey": "resources.name={{string}}.properties.categories", + "searchKey": "properties.template.resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json index 85bd6c85c1e..dda23090044 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.bicep", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", - "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchKey": "resources.name={{server}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -26,47 +26,47 @@ { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.json", + "line": 8, + "filename": "positive2.bicep", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", - "searchKey": "properties.template.resources.name={{server}}.properties", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.bicep", + "line": 18, + "filename": "positive2.json", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", - "searchKey": "resources.name={{server}}.properties", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.bicep", + "line": 6, + "filename": "positive3.bicep", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", - "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchKey": "resources.name={{server}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.bicep", + "line": 18, + "filename": "positive3.json", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", - "searchKey": "resources.name={{server}}.properties", + "searchKey": "properties.template.resources.name={{server}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" @@ -75,7 +75,7 @@ "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "Microsoft.DBforMySQL/servers", "resourceName": "server", "searchKey": "resources.name={{server}}.properties.sslEnforcement", diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 94184bac639..95382dedda6 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 21, - "filename": "positive4.json", + "line": 9, + "filename": "positive1.bicep", "resourceType": "Microsoft.Network/networkSecurityGroups", "resourceName": "security group", - "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" @@ -23,6 +23,18 @@ "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, + { + "queryName": "Network Security Group With Unrestricted Access To RDP", + "severity": "HIGH", + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" + }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", @@ -39,7 +51,19 @@ "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 10, - "filename": "positive6.bicep", + "filename": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP" + }, + { + "queryName": "Network Security Group With Unrestricted Access To RDP", + "severity": "HIGH", + "line": 20, + "filename": "positive3.json", "resourceType": "securityRules", "resourceName": "sr", "searchKey": "resources.type={{securityRules}}.properties", @@ -59,6 +83,18 @@ "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" }, + { + "queryName": "Network Security Group With Unrestricted Access To RDP", + "severity": "HIGH", + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" + }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", @@ -86,8 +122,8 @@ { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 20, - "filename": "positive3.json", + "line": 10, + "filename": "positive6.bicep", "resourceType": "securityRules", "resourceName": "sr", "searchKey": "resources.type={{securityRules}}.properties", @@ -106,41 +142,5 @@ "searchValue": "", "expectedValue": "resource with type 'securityRules' should restrict access to RDP", "actualValue": "resource with type 'securityRules' does not restrict access to RDP" - }, - { - "queryName": "Network Security Group With Unrestricted Access To RDP", - "severity": "HIGH", - "line": 9, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Network/networkSecurityGroups", - "resourceName": "security group", - "searchKey": "resources.name={{security group}}.properties.securityRules", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" - }, - { - "queryName": "Network Security Group With Unrestricted Access To RDP", - "severity": "HIGH", - "line": 3, - "filename": "positive2.bicep", - "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", - "resourceName": "sample/securitygroup", - "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" - }, - { - "queryName": "Network Security Group With Unrestricted Access To RDP", - "severity": "HIGH", - "line": 10, - "filename": "positive3.bicep", - "resourceType": "securityRules", - "resourceName": "sr", - "searchKey": "resources.type={{securityRules}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'securityRules' should restrict access to RDP", - "actualValue": "resource with type 'securityRules' does not restrict access to RDP" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index d112363b065..e134357d75c 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "filename": "positive4.json", + "line": 9, + "filename": "positive1.bicep", "resourceType": "Microsoft.Network/networkSecurityGroups", "resourceName": "security group", - "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" @@ -14,20 +14,8 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.json", - "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", - "resourceName": "sample/securitygroup", - "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" - }, - { - "queryName": "Network Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.bicep", + "line": 19, + "filename": "positive1.json", "resourceType": "Microsoft.Network/networkSecurityGroups", "resourceName": "security group", "searchKey": "resources.name={{security group}}.properties.securityRules", @@ -38,26 +26,14 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.bicep", - "resourceType": "securityRules", - "resourceName": "sr", - "searchKey": "resources.type={{securityRules}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" - }, - { - "queryName": "Network Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 9, - "filename": "positive4.bicep", - "resourceType": "Microsoft.Network/networkSecurityGroups", - "resourceName": "security group", - "searchKey": "resources.name={{security group}}.properties.securityRules", + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -74,8 +50,8 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "filename": "positive6.json", + "line": 10, + "filename": "positive3.bicep", "resourceType": "securityRules", "resourceName": "sr", "searchKey": "resources.type={{securityRules}}.properties", @@ -86,20 +62,8 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 19, - "filename": "positive1.json", - "resourceType": "Microsoft.Network/networkSecurityGroups", - "resourceName": "security group", - "searchKey": "resources.name={{security group}}.properties.securityRules", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" - }, - { - "queryName": "Network Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 22, - "filename": "positive7.json", + "line": 20, + "filename": "positive3.json", "resourceType": "securityRules", "resourceName": "sr", "searchKey": "resources.type={{securityRules}}.properties", @@ -110,14 +74,26 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 20, - "filename": "positive3.json", - "resourceType": "securityRules", - "resourceName": "sr", - "searchKey": "resources.type={{securityRules}}.properties", + "line": 9, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", - "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + }, + { + "queryName": "Network Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -134,8 +110,8 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 3, - "filename": "positive2.bicep", + "line": 15, + "filename": "positive5.json", "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", "resourceName": "sample/securitygroup", "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", @@ -154,5 +130,29 @@ "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + }, + { + "queryName": "Network Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 22, + "filename": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + }, + { + "queryName": "Network Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 22, + "filename": "positive7.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json index 0841a6f26f1..87779b82b4b 100644 --- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", "line": 3, - "filename": "positive2.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", "searchKey": "resources.name={{security contact}}.properties", @@ -14,8 +14,8 @@ { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 3, - "filename": "positive1.bicep", + "line": 13, + "filename": "positive1.json", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", "searchKey": "resources.name={{security contact}}.properties", @@ -26,8 +26,8 @@ { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 13, - "filename": "positive1.json", + "line": 3, + "filename": "positive2.bicep", "resourceType": "Microsoft.Security/securityContacts", "resourceName": "security contact", "searchKey": "resources.name={{security contact}}.properties", diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json index 6a8b37e689a..7d15bee9ecc 100644 --- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 47, - "filename": "positive4.json", + "line": 36, + "filename": "positive1.bicep", "resourceType": "configurations", "resourceName": "connection_throttling", - "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", + "searchKey": "resources.resources.name=connection_throttling.properties.value", "searchValue": "", "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" @@ -26,11 +26,11 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.json", + "line": 2, + "filename": "positive2.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "servers1", - "searchKey": "properties.template.resources.name=servers1", + "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" @@ -51,7 +51,7 @@ "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive6.bicep", + "filename": "positive3.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "servers1", "searchKey": "resources.name=servers1", @@ -62,8 +62,8 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive5.bicep", + "line": 9, + "filename": "positive3.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "servers1", "searchKey": "resources.name=servers1", @@ -74,32 +74,32 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive3.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "servers1", - "searchKey": "resources.name=servers1", + "line": 36, + "filename": "positive4.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", "searchValue": "", - "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive6.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "servers1", - "searchKey": "properties.template.resources.name=servers1", + "line": 47, + "filename": "positive4.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", "searchValue": "", - "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive3.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "servers1", "searchKey": "resources.name=servers1", @@ -110,11 +110,11 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep", + "line": 11, + "filename": "positive5.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "servers1", - "searchKey": "resources.name=servers1", + "searchKey": "properties.template.resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" @@ -122,25 +122,25 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "filename": "positive1.bicep", - "resourceType": "configurations", - "resourceName": "connection_throttling", - "searchKey": "resources.resources.name=connection_throttling.properties.value", + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", "searchValue": "", - "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "filename": "positive4.bicep", - "resourceType": "configurations", - "resourceName": "connection_throttling", - "searchKey": "resources.resources.name=connection_throttling.properties.value", + "line": 11, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", "searchValue": "", - "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json index 79c403a9823..1ad135cb0a9 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json @@ -2,47 +2,23 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "filename": "positive2.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer2", - "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", - "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" - }, - { - "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", - "severity": "MEDIUM", - "line": 47, - "filename": "positive6.json", + "line": 40, + "filename": "positive1.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer2", - "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", - "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" - }, - { - "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", - "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", - "resourceName": "MyDBServer/log_checkpoints", - "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "filename": "positive5.json", + "line": 43, + "filename": "positive1.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer1", - "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" @@ -50,26 +26,14 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "filename": "positive8.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", - "resourceName": "MyDBServer/log_checkpoints", - "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" - }, - { - "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", - "severity": "MEDIUM", - "line": 44, - "filename": "positive3.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", - "resourceName": "MyDBServer/log_checkpoints", - "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "line": 33, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -87,7 +51,7 @@ "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 32, - "filename": "positive7.bicep", + "filename": "positive3.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_checkpoints", "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", @@ -98,23 +62,11 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "filename": "positive6.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer2", - "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", - "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" - }, - { - "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", - "severity": "MEDIUM", - "line": 46, - "filename": "positive7.json", + "line": 44, + "filename": "positive3.json", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_checkpoints", - "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" @@ -122,14 +74,14 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "filename": "positive1.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer1", - "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -155,11 +107,47 @@ "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" }, + { + "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", + "severity": "MEDIUM", + "line": 45, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + }, + { + "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", + "severity": "MEDIUM", + "line": 33, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + }, + { + "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", + "severity": "MEDIUM", + "line": 47, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 32, - "filename": "positive3.bicep", + "filename": "positive7.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_checkpoints", "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", @@ -170,14 +158,14 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 40, - "filename": "positive1.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer1", - "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -190,5 +178,17 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + }, + { + "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", + "severity": "MEDIUM", + "line": 45, + "filename": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json index a43b800fb0d..2c295b3ef3e 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", "line": 31, - "filename": "positive5.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer1", "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", @@ -14,23 +14,35 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "filename": "positive8.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", - "resourceName": "MyDBServer/log_connections", - "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "line": 40, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 47, - "filename": "positive6.json", + "line": 33, + "filename": "positive2.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer2", - "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" + }, + { + "queryName": "PostgreSQL Database Server Log Connections Disabled", + "severity": "MEDIUM", + "line": 45, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" @@ -47,38 +59,50 @@ "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, + { + "queryName": "PostgreSQL Database Server Log Connections Disabled", + "severity": "MEDIUM", + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", "line": 31, - "filename": "positive1.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer1", - "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "filename": "positive7.bicep", + "line": 43, + "filename": "positive4.json", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_connections", - "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 42, - "filename": "positive5.json", + "line": 31, + "filename": "positive5.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer1", - "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" @@ -86,14 +110,14 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep", - "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", - "resourceName": "MyDBServer/log_connections", - "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "line": 42, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -110,11 +134,11 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "filename": "positive2.bicep", + "line": 47, + "filename": "positive6.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer2", - "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" @@ -122,14 +146,14 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 43, - "filename": "positive4.json", + "line": 32, + "filename": "positive7.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_connections", - "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -146,38 +170,14 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "filename": "positive2.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer2", - "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", - "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" - }, - { - "queryName": "PostgreSQL Database Server Log Connections Disabled", - "severity": "MEDIUM", - "line": 44, - "filename": "positive3.json", + "line": 31, + "filename": "positive8.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", "resourceName": "MyDBServer/log_connections", - "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" - }, - { - "queryName": "PostgreSQL Database Server Log Connections Disabled", - "severity": "MEDIUM", - "line": 40, - "filename": "positive1.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer1", - "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", - "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json index 6e9d68c65c3..e1d587dcf5d 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json @@ -2,27 +2,15 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.json", + "line": 13, + "filename": "positive1.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", - "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" }, - { - "queryName": "PostgreSQL Database Server SSL Disabled", - "severity": "MEDIUM", - "line": 15, - "filename": "positive4.json", - "resourceType": "Microsoft.DBforPostgreSQL/servers", - "resourceName": "MyDBServer", - "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" - }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", @@ -39,7 +27,7 @@ "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", "line": 12, - "filename": "positive4.bicep", + "filename": "positive2.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", "searchKey": "resources.name={{MyDBServer}}.properties", @@ -50,8 +38,8 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.bicep", + "line": 13, + "filename": "positive2.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", "searchKey": "resources.name={{MyDBServer}}.properties", @@ -63,7 +51,7 @@ "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", "line": 13, - "filename": "positive1.bicep", + "filename": "positive3.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", @@ -74,11 +62,11 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive3.bicep", + "line": 16, + "filename": "positive3.json", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", - "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" @@ -86,13 +74,25 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.json", + "line": 12, + "filename": "positive4.bicep", "resourceType": "Microsoft.DBforPostgreSQL/servers", "resourceName": "MyDBServer", "searchKey": "resources.name={{MyDBServer}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" + }, + { + "queryName": "PostgreSQL Database Server SSL Disabled", + "severity": "MEDIUM", + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json index a4f0247830b..95bf2128548 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 18, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.bicep", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", @@ -14,11 +14,11 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "filename": "positive3.json", + "line": 18, + "filename": "positive1.json", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", - "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" @@ -26,8 +26,8 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 18, - "filename": "positive1.json", + "line": 8, + "filename": "positive2.bicep", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", @@ -38,8 +38,8 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "filename": "positive2.bicep", + "line": 18, + "filename": "positive2.json", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", @@ -51,7 +51,7 @@ "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "filename": "positive1.bicep", + "filename": "positive3.bicep", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", @@ -62,11 +62,11 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "filename": "positive4.bicep", + "line": 20, + "filename": "positive3.json", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", - "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" @@ -75,7 +75,7 @@ "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "filename": "positive3.bicep", + "filename": "positive4.bicep", "resourceType": "Microsoft.Authorization/roleDefinitions", "resourceName": "roleDef", "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json index 906c97b31fb..7c7872cb129 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 56, - "filename": "positive4.json", - "resourceType": "secrets", - "resourceName": "keyVaultSecret1", - "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" - }, - { - "queryName": "Secret Without Expiration Date", - "severity": "MEDIUM", - "line": 54, - "filename": "positive2.json", + "line": 33, + "filename": "positive1.bicep", "resourceType": "secrets", - "resourceName": "keyVaultSecret1", - "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" }, { "queryName": "Secret Without Expiration Date", @@ -47,6 +35,18 @@ "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" }, + { + "queryName": "Secret Without Expiration Date", + "severity": "MEDIUM", + "line": 54, + "filename": "positive2.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", @@ -62,11 +62,11 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.bicep", - "resourceType": "secrets", - "resourceName": "secretid1", - "searchKey": "resources.resources.name={{secretid1}}.properties", + "line": 51, + "filename": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" @@ -86,13 +86,13 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 51, - "filename": "positive3.json", - "resourceType": "Microsoft.KeyVault/vaults/secrets", - "resourceName": "keyVault1/secretid1", - "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", + "line": 56, + "filename": "positive4.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json index 132e2321e00..7d90153dc8b 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive6.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "line": 31, + "filename": "positive1.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive4.json", + "line": 46, + "filename": "positive1.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" @@ -27,7 +27,7 @@ "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive6.bicep", + "filename": "positive2.bicep", "resourceType": "securityAlertPolicies", "resourceName": "securityPolicy1", "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", @@ -38,20 +38,20 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive1.bicep", - "resourceType": "securityAlertPolicies", - "resourceName": "securityPolicy1", - "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "line": 48, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive2.bicep", + "filename": "positive3.bicep", "resourceType": "securityAlertPolicies", "resourceName": "securityPolicy1", "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", @@ -62,47 +62,47 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive4.bicep", - "resourceType": "securityAlertPolicies", - "resourceName": "securityPolicy1", - "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "line": 48, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive5.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "line": 31, + "filename": "positive4.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 48, - "filename": "positive2.json", + "filename": "positive4.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive3.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "line": 33, + "filename": "positive5.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" @@ -110,20 +110,20 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 46, - "filename": "positive1.json", + "line": 50, + "filename": "positive5.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", - "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive3.bicep", + "filename": "positive6.bicep", "resourceType": "securityAlertPolicies", "resourceName": "securityPolicy1", "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", @@ -134,11 +134,11 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive5.bicep", - "resourceType": "securityAlertPolicies", - "resourceName": "securityPolicy1", - "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "line": 50, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json index 723d041e45f..42a0f5f17f7 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 31, - "filename": "positive1.json", + "line": 18, + "filename": "positive1.bicep", "resourceType": "firewallRules", "resourceName": "AllowAllWindowsAzureIps", "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", @@ -14,11 +14,11 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 33, - "filename": "positive3.json", + "line": 31, + "filename": "positive1.json", "resourceType": "firewallRules", "resourceName": "AllowAllWindowsAzureIps", - "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" @@ -26,11 +26,11 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 16, - "filename": "positive4.json", + "line": 4, + "filename": "positive2.bicep", "resourceType": "Microsoft.Sql/servers/firewallRules", "resourceName": "sample/firewall", - "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" @@ -38,8 +38,8 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive2.bicep", + "line": 14, + "filename": "positive2.json", "resourceType": "Microsoft.Sql/servers/firewallRules", "resourceName": "sample/firewall", "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", @@ -51,7 +51,7 @@ "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 18, - "filename": "positive1.bicep", + "filename": "positive3.bicep", "resourceType": "firewallRules", "resourceName": "AllowAllWindowsAzureIps", "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", @@ -62,35 +62,35 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive4.bicep", - "resourceType": "Microsoft.Sql/servers/firewallRules", - "resourceName": "sample/firewall", - "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "line": 33, + "filename": "positive3.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 18, - "filename": "positive3.bicep", - "resourceType": "firewallRules", - "resourceName": "AllowAllWindowsAzureIps", - "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "line": 4, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 14, - "filename": "positive2.json", + "line": 16, + "filename": "positive4.json", "resourceType": "Microsoft.Sql/servers/firewallRules", "resourceName": "sample/firewall", - "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json index 255f4feb76a..f241bbe6444 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive6.bicep", - "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", - "resourceName": "sampleServer/default", - "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", - "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.bicep", + "line": 14, + "filename": "positive1.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/databases/default", - "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", - "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'resources.name=sample/databases/default.state' is not enabled" + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -38,38 +38,38 @@ { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive3.json", + "line": 16, + "filename": "positive2.json", "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", "resourceName": "sample/databases/default", - "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", - "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'resources.name=sample/databases/default.state' is not enabled" + "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json", - "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", - "resourceName": "sampleServer/default", - "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "line": 7, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", "searchValue": "", - "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive7.bicep", - "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", - "resourceName": "sampleServer/default", - "searchKey": "resources.name={{sampleServer/default}}.properties", + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", "searchValue": "", - "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", - "actualValue": "'resources.name=sampleServer/default.state' is not enabled" + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -83,6 +83,30 @@ "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", "actualValue": "'resources.name=sample/databases/default.state' is not enabled" }, + { + "queryName": "SQL Server Database With Alerts Disabled", + "severity": "MEDIUM", + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled" + }, + { + "queryName": "SQL Server Database With Alerts Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" + }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", @@ -98,50 +122,50 @@ { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sample/databases/default", - "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", + "line": 4, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", "searchValue": "", - "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled" + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json", + "line": 17, + "filename": "positive6.json", "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", "resourceName": "sampleServer/default", - "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", "searchValue": "", - "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", - "actualValue": "'resources.name=sampleServer/default.state' is not enabled" + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sample/databases/default", - "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "line": 8, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", "searchValue": "", - "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive5.bicep", - "resourceType": "Microsoft.Sql/servers/databases", - "resourceName": "sample/default", - "searchKey": "resources.name={{sample/default}}", + "line": 23, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", "searchValue": "", - "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -155,18 +179,6 @@ "expectedValue": "Security alert policy should be defined and enabled", "actualValue": "Security alert policy is undefined" }, - { - "queryName": "SQL Server Database With Alerts Disabled", - "severity": "MEDIUM", - "line": 4, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sample/databases/default", - "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", - "searchValue": "", - "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" - }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", @@ -178,17 +190,5 @@ "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", "actualValue": "Security alert policy is undefined" - }, - { - "queryName": "SQL Server Database With Alerts Disabled", - "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json", - "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "resourceName": "sample/databases/default", - "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", - "searchValue": "", - "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json index 72b2335c096..7d9e8085827 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", "line": 36, - "filename": "positive3.bicep", + "filename": "positive1.bicep", "resourceType": "auditingSettings", "resourceName": "default", "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", @@ -14,32 +14,20 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive4.bicep", - "resourceType": "auditingSettings", - "resourceName": "default", - "searchKey": "resources.resources.resources.name={{default}}.properties", - "searchValue": "", - "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" - }, - { - "queryName": "SQL Server Database With Unrecommended Retention Days", - "severity": "LOW", - "line": 19, - "filename": "positive5.bicep", - "resourceType": "auditingSettings", - "resourceName": "default", - "searchKey": "resources.resources.name={{default}}.properties.retentionDays", + "line": 48, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", "line": 31, - "filename": "positive7.bicep", + "filename": "positive2.bicep", "resourceType": "auditingSettings", "resourceName": "default", "searchKey": "resources.resources.resources.name={{default}}.properties", @@ -50,11 +38,11 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 16, - "filename": "positive6.bicep", - "resourceType": "auditingSettings", - "resourceName": "default", - "searchKey": "resources.resources.name={{default}}.properties", + "line": 43, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", "actualValue": "'auditingSettings.properties.retentionDays' is missing" @@ -62,32 +50,32 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 29, - "filename": "positive6.json", - "resourceType": "Microsoft.Sql/servers/auditingSettings", - "resourceName": "[format('{0}/{1}', 'sqlServer1', 'default')]", - "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", + "line": 36, + "filename": "positive3.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", "searchValue": "", - "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 32, - "filename": "positive5.json", - "resourceType": "Microsoft.Sql/servers/auditingSettings", - "resourceName": "sqlServer1/default", - "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", + "line": 50, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", "line": 31, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "auditingSettings", "resourceName": "default", "searchKey": "resources.resources.resources.name={{default}}.properties", @@ -110,35 +98,35 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 48, - "filename": "positive1.json", - "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", - "resourceName": "sqlServer1/sqlDatabase1/default", - "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "line": 19, + "filename": "positive5.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 50, - "filename": "positive3.json", - "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", - "resourceName": "sqlServer1/sqlDatabase1/default", - "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "line": 32, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "sqlServer1/default", + "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 40, - "filename": "positive7.json", - "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", - "resourceName": "sqlServer1/sqlDatabase1/default", - "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "line": 16, + "filename": "positive6.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", "actualValue": "'auditingSettings.properties.retentionDays' is missing" @@ -146,11 +134,11 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 43, - "filename": "positive2.json", - "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", - "resourceName": "sqlServer1/sqlDatabase1/default", - "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "line": 29, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "[format('{0}/{1}', 'sqlServer1', 'default')]", + "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", "actualValue": "'auditingSettings.properties.retentionDays' is missing" @@ -158,13 +146,25 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive1.bicep", + "line": 31, + "filename": "positive7.bicep", "resourceType": "auditingSettings", "resourceName": "default", - "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchKey": "resources.resources.resources.name={{default}}.properties", "searchValue": "", - "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" + }, + { + "queryName": "SQL Server Database With Unrecommended Retention Days", + "severity": "LOW", + "line": 40, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index 592dc08bb0f..74e5eb8f1a6 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive3.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", @@ -14,20 +14,20 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 2, + "line": 8, "filename": "positive1.bicep", - "resourceType": "Microsoft.Sql/servers", - "resourceName": "sqlServer1", - "searchKey": "resources.name=sqlServer1", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", "searchValue": "", - "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive9.json", + "line": 2, + "filename": "positive2.bicep", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", @@ -38,8 +38,8 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.json", + "line": 16, + "filename": "positive2.bicep", "resourceType": "databases", "resourceName": "sqlDatabase1", "searchKey": "resources.resources.name=sqlDatabase1", @@ -47,6 +47,30 @@ "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, + { + "queryName": "SQL Server Database Without Auditing", + "severity": "MEDIUM", + "line": 2, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + }, + { + "queryName": "SQL Server Database Without Auditing", + "severity": "MEDIUM", + "line": 8, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", @@ -63,7 +87,7 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive6.json", + "filename": "positive5.json", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", @@ -74,8 +98,8 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.bicep", + "line": 15, + "filename": "positive5.json", "resourceType": "databases", "resourceName": "sqlDatabase1", "searchKey": "resources.resources.name=sqlDatabase1", @@ -86,20 +110,8 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 23, + "line": 8, "filename": "positive6.json", - "resourceType": "Microsoft.Sql/servers/databases", - "resourceName": "sqlServer1/sqlDatabase1", - "searchKey": "resources.name=sqlServer1/sqlDatabase1", - "searchValue": "", - "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" - }, - { - "queryName": "SQL Server Database Without Auditing", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", @@ -110,14 +122,14 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json", - "resourceType": "Microsoft.Sql/servers", - "resourceName": "sqlServer1", - "searchKey": "resources.name=sqlServer1", + "line": 23, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", "searchValue": "", - "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" }, { "queryName": "SQL Server Database Without Auditing", @@ -134,8 +146,8 @@ { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.bicep", + "line": 23, + "filename": "positive7.json", "resourceType": "databases", "resourceName": "sqlDatabase1", "searchKey": "resources.resources.name=sqlDatabase1", @@ -147,7 +159,7 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive5.json", + "filename": "positive8.json", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", @@ -159,24 +171,12 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive8.json", + "filename": "positive9.json", "resourceType": "Microsoft.Sql/servers", "resourceName": "sqlServer1", "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" - }, - { - "queryName": "SQL Server Database Without Auditing", - "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json", - "resourceType": "databases", - "resourceName": "sqlDatabase1", - "searchKey": "resources.resources.name=sqlDatabase1", - "searchValue": "", - "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json index ab77885e17b..00ffa26b884 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 27, - "filename": "positive1.json", + "line": 18, + "filename": "positive1.bicep", "resourceType": "Microsoft.Security/pricings", "resourceName": "Princing", "searchKey": "resources.name=Princing.properties.pricingTier", @@ -14,35 +14,35 @@ { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 23, - "filename": "positive3.json", + "line": 27, + "filename": "positive1.json", "resourceType": "Microsoft.Security/pricings", - "resourceName": "VirtualMachines", - "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' parameter default value is set to Free" + "actualValue": "'pricingTier' property value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 10, - "filename": "positive3.bicep", + "line": 18, + "filename": "positive2.bicep", "resourceType": "Microsoft.Security/pricings", - "resourceName": "VirtualMachines", - "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' parameter default value is set to Free" + "actualValue": "'pricingTier' property value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive2.bicep", + "line": 29, + "filename": "positive2.json", "resourceType": "Microsoft.Security/pricings", "resourceName": "Princing", - "searchKey": "resources.name=Princing.properties.pricingTier", + "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", "actualValue": "'pricingTier' property value is set to Free" @@ -50,25 +50,25 @@ { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive1.bicep", + "line": 10, + "filename": "positive3.bicep", "resourceType": "Microsoft.Security/pricings", - "resourceName": "Princing", - "searchKey": "resources.name=Princing.properties.pricingTier", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' parameter default value is set to Free" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 29, - "filename": "positive2.json", + "line": 23, + "filename": "positive3.json", "resourceType": "Microsoft.Security/pricings", - "resourceName": "Princing", - "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' parameter default value is set to Free" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json index 658595eafef..4fbf46225fc 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json @@ -1,21 +1,9 @@ [ - { - "queryName": "Storage Account Allows Default Network Access", - "severity": "LOW", - "line": 12, - "filename": "positive5.bicep", - "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1Positive2", - "searchKey": "resources.name=storageaccount1Positive2.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" - }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 19, - "filename": "positive4.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "[variables('storageAccountName')]", "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", @@ -26,23 +14,11 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "filename": "positive3.bicep", - "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1Positive3", - "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" - }, - { - "queryName": "Storage Account Allows Default Network Access", - "severity": "LOW", - "line": 43, - "filename": "positive4.json", + "line": 41, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "[variables('storageAccountName')]", - "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" @@ -50,11 +26,11 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 20, - "filename": "positive5.json", + "line": 12, + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive2", - "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties", + "searchKey": "resources.name=storageaccount1Positive2.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" @@ -74,8 +50,8 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 8, - "filename": "positive3.json", + "line": 1, + "filename": "positive3.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive3", "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", @@ -86,11 +62,11 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 10, - "filename": "positive6.json", + "line": 8, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive3", - "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" @@ -98,8 +74,8 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 41, - "filename": "positive1.json", + "line": 19, + "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "[variables('storageAccountName')]", "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", @@ -110,20 +86,20 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "filename": "positive6.bicep", + "line": 43, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1Positive3", - "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 12, - "filename": "positive2.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive2", "searchKey": "resources.name=storageaccount1Positive2.properties", @@ -134,13 +110,37 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 19, - "filename": "positive1.bicep", + "line": 20, + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "[variables('storageAccountName')]", - "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "resourceName": "storageaccount1Positive2", + "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" + }, + { + "queryName": "Storage Account Allows Default Network Access", + "severity": "LOW", + "line": 1, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + }, + { + "queryName": "Storage Account Allows Default Network Access", + "severity": "LOW", + "line": 10, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json index 2aca8487050..728aef5f4b0 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json", + "line": 13, + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1Positive2", - "searchKey": "resources.name={{storageaccount1Positive2}}", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 21, - "filename": "positive4.json", + "line": 19, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1", - "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" @@ -27,7 +27,7 @@ "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", "line": 2, - "filename": "positive5.bicep", + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive2", "searchKey": "resources.name={{storageaccount1Positive2}}", @@ -38,32 +38,8 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1", - "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" - }, - { - "queryName": "Storage Account Allows Unsecure Transfer", - "severity": "MEDIUM", - "line": 19, - "filename": "positive1.json", - "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1", - "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" - }, - { - "queryName": "Storage Account Allows Unsecure Transfer", - "severity": "MEDIUM", - "line": 8, - "filename": "positive5.json", + "line": 6, + "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive2", "searchKey": "resources.name={{storageaccount1Positive2}}", @@ -74,8 +50,8 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.json", + "line": 12, + "filename": "positive3.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive3", "searchKey": "resources.name={{storageaccount1Positive3}}properties", @@ -86,8 +62,8 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 20, - "filename": "positive6.json", + "line": 18, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive3", "searchKey": "resources.name={{storageaccount1Positive3}}properties", @@ -110,11 +86,23 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.bicep", + "line": 21, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storageaccount1Positive3", - "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "resourceName": "storageaccount1", + "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" + }, + { + "queryName": "Storage Account Allows Unsecure Transfer", + "severity": "MEDIUM", + "line": 2, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" @@ -122,8 +110,8 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep", + "line": 8, + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storageaccount1Positive2", "searchKey": "resources.name={{storageaccount1Positive2}}", @@ -142,5 +130,17 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + }, + { + "queryName": "Storage Account Allows Unsecure Transfer", + "severity": "MEDIUM", + "line": 20, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json index b436c45db90..3951d5f0122 100644 --- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 29, - "filename": "positive3.bicep", + "line": 5, + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", - "resourceName": "['${parameters('storageAccountName')}/default/${parameters('containerName')}']", - "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess", + "resourceName": "blob/container/example", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 17, - "filename": "positive4.json", + "line": 15, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", "resourceName": "blob/container/example", - "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" @@ -26,11 +26,11 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 107, - "filename": "positive2.json", - "resourceType": "Microsoft.Storage/storageAccounts/blobServices", - "resourceName": "[concat(parameters('storageAccountName'), '/default')]", - "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "line": 87, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" @@ -38,26 +38,26 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 52, - "filename": "positive6.json", - "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "[parameters('storageAccountName')]", - "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", + "line": 107, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", - "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 109, - "filename": "positive5.json", - "resourceType": "Microsoft.Storage/storageAccounts/blobServices", - "resourceName": "[concat(parameters('storageAccountName'), '/default')]", - "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "line": 29, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "['${parameters('storageAccountName')}/default/${parameters('containerName')}']", + "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess", "searchValue": "", - "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -74,11 +74,11 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 5, - "filename": "positive1.bicep", + "line": 17, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", "resourceName": "blob/container/example", - "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" @@ -86,35 +86,35 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 15, - "filename": "positive1.json", - "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", - "resourceName": "blob/container/example", - "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "line": 109, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 96, - "filename": "positive7.json", + "line": 52, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "[parameters('storageAccountName')]", - "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", "searchValue": "", - "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 87, - "filename": "positive2.bicep", + "line": 96, + "filename": "positive7.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "[parameters('storageAccountName')]", - "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index 8cdf7e3b02a..aa87bf21601 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" - }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", @@ -38,47 +26,35 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 3, - "filename": "positive7.bicep", + "line": 15, + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "filename": "positive3.json", + "line": 80, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "filename": "positive6.json", + "line": 84, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" - }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 7, - "filename": "positive5.bicep", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" @@ -86,71 +62,71 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive6.bicep", + "line": 88, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.bicep", + "line": 4, + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive3.bicep", + "line": 4, + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive6.bicep", + "line": 4, + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 80, + "line": 77, "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - "filename": "positive5.json", + "line": 77, + "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" @@ -159,7 +135,7 @@ "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 80, - "filename": "positive1.json", + "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", @@ -170,35 +146,59 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "filename": "positive6.json", + "line": 7, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 15, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 67, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - "filename": "positive5.json", + "line": 67, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive5.bicep", + "line": 67, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" @@ -207,13 +207,13 @@ "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -231,7 +231,7 @@ "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 82, - "filename": "positive5.json", + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", @@ -242,56 +242,32 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive6.bicep", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" - }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 3, - "filename": "positive7.bicep", + "line": 86, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 88, - "filename": "positive1.json", + "line": 90, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 67, - "filename": "positive3.json", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" - }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive2.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", @@ -303,7 +279,7 @@ "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive4.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", @@ -314,11 +290,23 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 77, - "filename": "positive2.json", + "line": 7, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 79, + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" @@ -326,20 +314,20 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 90, - "filename": "positive4.json", + "line": 79, + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 82, - "filename": "positive4.json", + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", @@ -350,23 +338,59 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 86, - "filename": "positive4.json", + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 69, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "filename": "positive3.json", + "line": 69, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" @@ -386,14 +410,14 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive5.bicep", + "line": 3, + "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -410,37 +434,13 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.bicep", + "line": 3, + "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" - }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 77, - "filename": "positive2.json", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" - }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 84, - "filename": "positive1.json", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "", - "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 12b6dab69ec..e07edf10b93 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21, - "filename": "positive1.json", + "line": 11, + "filename": "positive1.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storage", "searchKey": "resources.name=storage.properties.networkAcls", @@ -14,35 +14,35 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive7.json", + "line": 21, + "filename": "positive1.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "value.name", - "searchKey": "resources.name=positive7.properties.networkAcls", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive6.json", + "line": 11, + "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "value.name", - "searchKey": "resources.name=positive6", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive4.json", + "line": 21, + "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storage", - "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" @@ -50,25 +50,25 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive7.bicep", + "line": 11, + "filename": "positive3.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "value.name", - "searchKey": "resources.name=positive7.properties.networkAcls", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive6.bicep", + "line": 23, + "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "value.name", - "searchKey": "resources.name=positive6", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { @@ -86,11 +86,11 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.bicep", + "line": 23, + "filename": "positive4.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "storage", - "searchKey": "resources.name=storage.properties.networkAcls", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" @@ -98,20 +98,20 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive3.bicep", + "line": 9, + "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storage", - "searchKey": "resources.name=storage.properties.networkAcls", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive5.bicep", + "line": 17, + "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "value.name", "searchKey": "resources.name=positive5.properties", @@ -122,11 +122,11 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json", + "line": 1, + "filename": "positive6.bicep", "resourceType": "Microsoft.Storage/storageAccounts", "resourceName": "value.name", - "searchKey": "resources.name=positive5.properties", + "searchKey": "resources.name=positive6", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" @@ -134,37 +134,37 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive3.json", + "line": 19, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storage", - "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.bicep", + "line": 10, + "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storage", - "searchKey": "resources.name=storage.properties.networkAcls", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", + "line": 18, + "filename": "positive7.json", "resourceType": "Microsoft.Storage/storageAccounts", - "resourceName": "storage", - "searchKey": "resources.name=storage.properties.networkAcls", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json index 57e22cd6455..7b31659016c 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "filename": "positive3.bicep", + "filename": "positive1.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.days", @@ -14,20 +14,8 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 27, - "filename": "positive4.json", - "resourceType": "microsoft.insights/logprofiles", - "resourceName": "string", - "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", - "searchValue": "", - "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" - }, - { - "queryName": "Unrecommended Log Profile Retention Policy", - "severity": "LOW", - "line": 12, - "filename": "positive4.bicep", + "line": 26, + "filename": "positive1.json", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.days", @@ -39,7 +27,7 @@ "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 11, - "filename": "positive4.bicep", + "filename": "positive2.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.enabled", @@ -50,8 +38,8 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "filename": "positive2.json", + "line": 12, + "filename": "positive2.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.days", @@ -74,11 +62,11 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "filename": "positive4.json", + "line": 26, + "filename": "positive2.json", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", - "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" @@ -86,8 +74,8 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "filename": "positive1.json", + "line": 12, + "filename": "positive3.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.days", @@ -110,20 +98,20 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "filename": "positive1.bicep", + "line": 11, + "filename": "positive4.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", - "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", - "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "filename": "positive2.bicep", + "filename": "positive4.bicep", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", "searchKey": "resources.name=string.properties.retentionPolicy.days", @@ -134,13 +122,25 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 11, - "filename": "positive2.bicep", + "line": 27, + "filename": "positive4.json", "resourceType": "microsoft.insights/logprofiles", "resourceName": "string", - "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" + }, + { + "queryName": "Unrecommended Log Profile Retention Policy", + "severity": "LOW", + "line": 28, + "filename": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json index f42bb2a7df7..703589ab7be 100644 --- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json @@ -1,4 +1,40 @@ [ + { + "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", + "severity": "LOW", + "line": 10, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + }, + { + "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", + "severity": "LOW", + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + }, + { + "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", + "severity": "LOW", + "line": 20, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", @@ -14,11 +50,11 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "filename": "positive4.json", + "line": 9, + "filename": "positive2.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" @@ -27,7 +63,7 @@ "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 10, - "filename": "positive6.bicep", + "filename": "positive2.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", @@ -38,8 +74,8 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "filename": "positive6.bicep", + "line": 19, + "filename": "positive2.json", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", @@ -62,11 +98,11 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "filename": "positive7.json", + "line": 5, + "filename": "positive3.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" @@ -86,32 +122,20 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "filename": "positive6.json", + "line": 5, + "filename": "positive4.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" - }, - { - "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", - "severity": "LOW", - "line": 11, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", - "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "filename": "positive8.bicep", + "line": 15, + "filename": "positive4.json", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", "searchKey": "resources.name={{flowlogs/sample}}.properties", @@ -134,71 +158,59 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 19, - "filename": "positive2.json", - "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "line": 11, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "filename": "positive8.json", - "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "line": 22, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", "resourceName": "flowlogs/sample", - "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "filename": "positive4.bicep", - "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "filename": "positive3.bicep", + "line": 9, + "filename": "positive6.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" - }, - { - "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", - "severity": "LOW", - "line": 11, - "filename": "positive5.bicep", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", - "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "filename": "positive5.json", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "line": 10, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" @@ -218,11 +230,11 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "line": 22, + "filename": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" @@ -242,23 +254,23 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "filename": "positive2.bicep", + "line": 17, + "filename": "positive7.json", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "filename": "positive2.bicep", + "line": 5, + "filename": "positive8.bicep", "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" @@ -266,25 +278,13 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 23, - "filename": "positive5.json", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", - "resourceName": "flowlogs/sample", - "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" - }, - { - "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", - "severity": "LOW", - "line": 20, - "filename": "positive1.json", - "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "line": 17, + "filename": "positive8.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", "resourceName": "flowlogs/sample", - "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json index f9cb67d5c75..85cf5d55ca1 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json @@ -2,47 +2,47 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json", + "line": 6, + "filename": "positive1.bicep", "resourceType": "Microsoft.Web/sites", - "resourceName": "meuAppService", - "searchKey": "resources.name=meuAppService.properties", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 13, - "filename": "positive4.json", + "line": 14, + "filename": "positive1.json", "resourceType": "Microsoft.Web/sites", "resourceName": "App", - "searchKey": "properties.template.resources.name=App.properties.siteConfig", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", - "expectedValue": "'minTlsVersion' should be defined", - "actualValue": "'minTlsVersion' is undefined" + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json", + "line": 4, + "filename": "positive2.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "App", - "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchKey": "resources.name=App.properties", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json", + "line": 12, + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "meuAppService", - "searchKey": "resources.name=meuAppService.properties", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be defined", "actualValue": "'siteConfig.minTlsVersion' is undefined" @@ -50,26 +50,26 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 10, - "filename": "positive6.bicep", - "resourceType": "config", - "resourceName": "web", - "searchKey": "resources.resources.name=web.properties", + "line": 6, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", - "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", - "actualValue": "'minTlsVersion' is not defined" + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.bicep", - "resourceType": "config", - "resourceName": "web", - "searchKey": "resources.resources.name=web.properties.minTlsVersion", + "line": 14, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", - "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", - "actualValue": "'minTlsVersion' is defined to '1.1'" + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3" }, { "queryName": "Web App Not Using TLS Last Version", @@ -86,61 +86,61 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep", + "line": 13, + "filename": "positive4.json", "resourceType": "Microsoft.Web/sites", "resourceName": "App", - "searchKey": "resources.name=App.properties", + "searchKey": "properties.template.resources.name=App.properties.siteConfig", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Web/sites", - "resourceName": "App", - "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "line": 11, + "filename": "positive5.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties.minTlsVersion", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is defined to '1.1'" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.json", + "line": 17, + "filename": "positive5.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "App", - "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json", - "resourceType": "Microsoft.Web/sites", - "resourceName": "App", - "searchKey": "properties.template.resources.name=App.properties", + "line": 10, + "filename": "positive6.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is not defined" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.bicep", + "line": 17, + "filename": "positive6.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "App", - "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", "searchValue": "", - "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index 4bab8c0efa5..ca68701cb4b 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Website Azure Active Directory Disabled", + "severity": "LOW", + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + }, + { + "queryName": "Website Azure Active Directory Disabled", + "severity": "LOW", + "line": 10, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", @@ -14,35 +38,35 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "filename": "positive6.bicep", + "line": 15, + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive3", "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "filename": "positive2.json", + "line": 5, + "filename": "positive3.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive3", "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "filename": "positive6.json", + "line": 15, + "filename": "positive3.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive3", - "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" @@ -50,8 +74,8 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 10, - "filename": "positive1.json", + "line": 2, + "filename": "positive4.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive2", "searchKey": "resources.name={{webSitePositive2}}", @@ -62,38 +86,26 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "filename": "positive7.bicep", + "line": 12, + "filename": "positive4.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "webSitePositive7", - "searchKey": "resources.name={{webSitePositive7}}.identity", + "resourceName": "webSitePositive2", + "searchKey": "properties.template.resources.name={{webSitePositive2}}", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "filename": "positive3.bicep", + "filename": "positive5.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive3", "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" - }, - { - "queryName": "Website Azure Active Directory Disabled", - "severity": "LOW", - "line": 2, - "filename": "positive4.bicep", - "resourceType": "Microsoft.Web/sites", - "resourceName": "webSitePositive2", - "searchKey": "resources.name={{webSitePositive2}}", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" }, { "queryName": "Website Azure Active Directory Disabled", @@ -110,8 +122,8 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "filename": "positive3.json", + "line": 5, + "filename": "positive6.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive3", "searchKey": "resources.name={{webSitePositive3}}.identity", @@ -122,20 +134,20 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 12, - "filename": "positive4.json", + "line": 17, + "filename": "positive6.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "webSitePositive2", - "searchKey": "properties.template.resources.name={{webSitePositive2}}", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 18, - "filename": "positive7.json", + "line": 5, + "filename": "positive7.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSitePositive7", "searchKey": "resources.name={{webSitePositive7}}.identity", @@ -146,23 +158,11 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "filename": "positive1.bicep", - "resourceType": "Microsoft.Web/sites", - "resourceName": "webSitePositive2", - "searchKey": "resources.name={{webSitePositive2}}", - "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" - }, - { - "queryName": "Website Azure Active Directory Disabled", - "severity": "LOW", - "line": 5, - "filename": "positive5.bicep", + "line": 18, + "filename": "positive7.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "webSitePositive3", - "searchKey": "resources.name={{webSitePositive3}}.identity", + "resourceName": "webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json index 01fbb9ae742..72f5e4f6a36 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", "line": 5, - "filename": "positive3.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", "searchKey": "resources.name={{webSite}}.properties", @@ -14,62 +14,62 @@ { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.bicep", + "line": 15, + "filename": "positive1.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.json", + "line": 7, + "filename": "positive2.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", "line": 17, - "filename": "positive3.json", + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json", + "line": 5, + "filename": "positive3.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", "line": 17, - "filename": "positive2.json", + "filename": "positive3.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" }, { "queryName": "Website Not Forcing HTTPS", @@ -86,13 +86,13 @@ { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.bicep", + "line": 19, + "filename": "positive4.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index e708a1e9f48..af841d00cf4 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive3.bicep", + "filename": "positive1.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", "searchKey": "resources.name={{webSite}}.properties", @@ -14,59 +14,59 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json", + "line": 15, + "filename": "positive1.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive3.json", + "line": 7, + "filename": "positive2.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.json", + "line": 17, + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 25, - "filename": "positive5.bicep", + "line": 5, + "filename": "positive3.bicep", "resourceType": "Microsoft.Web/sites", - "resourceName": "[parameters('siteName')]", - "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.bicep", + "line": 17, + "filename": "positive3.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" @@ -86,26 +86,26 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 44, - "filename": "positive6.json", + "line": 19, + "filename": "positive4.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "[parameters('siteName')]", - "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.json", + "line": 25, + "filename": "positive5.bicep", "resourceType": "Microsoft.Web/sites", - "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -134,13 +134,13 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.bicep", + "line": 44, + "filename": "positive6.json", "resourceType": "Microsoft.Web/sites", - "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json index c29eaf47442..baf98a02398 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json @@ -2,59 +2,59 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "filename": "positive6.bicep", + "line": 5, + "filename": "positive1.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "filename": "positive5.bicep", + "line": 15, + "filename": "positive1.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 17, - "filename": "positive4.json", + "line": 9, + "filename": "positive2.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 15, - "filename": "positive1.json", + "line": 19, + "filename": "positive2.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 20, - "filename": "positive6.json", + "line": 8, + "filename": "positive3.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" @@ -62,35 +62,35 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 21, - "filename": "positive5.json", + "line": 18, + "filename": "positive3.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "filename": "positive2.bicep", + "line": 5, + "filename": "positive4.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "filename": "positive1.bicep", + "line": 17, + "filename": "positive4.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" @@ -98,8 +98,8 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 19, - "filename": "positive2.json", + "line": 9, + "filename": "positive5.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", @@ -110,20 +110,20 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 18, - "filename": "positive3.json", + "line": 21, + "filename": "positive5.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 8, - "filename": "positive3.bicep", + "filename": "positive6.bicep", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", "searchKey": "resources.name={{webSite}}.properties.siteConfig", @@ -134,13 +134,13 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "filename": "positive4.bicep", + "line": 20, + "filename": "positive6.json", "resourceType": "Microsoft.Web/sites", "resourceName": "webSite", - "searchKey": "resources.name={{webSite}}.properties", + "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", "searchValue": "", - "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" } ] \ No newline at end of file diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index dee55bda680..edd5e8def93 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json @@ -7,7 +7,7 @@ "resourceType": "", "resourceName": "", "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", - "searchValue": "github.event.issue.body", + "searchValue": "github.event.issue.title", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -19,7 +19,7 @@ "resourceType": "", "resourceName": "", "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", - "searchValue": "github.event.issue.title", + "searchValue": "github.event.issue.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -27,11 +27,11 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "filename": "positive7.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", - "searchValue": "github.event.workflow.path", + "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", + "searchValue": "github.event.pull_request.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -51,11 +51,11 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "filename": "positive5.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", - "searchValue": "github.event.comment.body", + "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", + "searchValue": "github.event.discussion.title", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -63,11 +63,11 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "filename": "positive4.yaml", + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", - "searchValue": "github.event.discussion.title", + "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -75,11 +75,11 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "filename": "positive2.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", - "searchValue": "github.event.pull_request.body", + "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", + "searchValue": "github.*.authors.name", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -87,11 +87,11 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "filename": "positive6.yaml", + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", - "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", - "searchValue": "github.*.authors.name", + "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", + "searchValue": "github.event.workflow.path", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." } diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index 0666597288a..0140288f71d 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json @@ -3,11 +3,11 @@ "queryName": "Script Block Injection", "severity": "HIGH", "line": 17, - "filename": "positive4.yaml", + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", - "searchValue": "github.event.discussion.title", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", "actualValue": "Script block contains dangerous input controlled by user." }, @@ -15,11 +15,11 @@ "queryName": "Script Block Injection", "severity": "HIGH", "line": 17, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", - "searchValue": "github.event.issue.title", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.pull_request.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", "actualValue": "Script block contains dangerous input controlled by user." }, @@ -39,11 +39,11 @@ "queryName": "Script Block Injection", "severity": "HIGH", "line": 17, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", - "searchValue": "github.event.pull_request.title", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", "actualValue": "Script block contains dangerous input controlled by user." }, @@ -51,11 +51,11 @@ "queryName": "Script Block Injection", "severity": "HIGH", "line": 17, - "filename": "positive7.yaml", + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", - "searchValue": "github.*.authors.name", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", "actualValue": "Script block contains dangerous input controlled by user." }, @@ -75,11 +75,11 @@ "queryName": "Script Block Injection", "severity": "HIGH", "line": 17, - "filename": "positive5.yaml", + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", - "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", - "searchValue": "github.event.discussion.title", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.*.authors.name", "expectedValue": "Script block does not contain dangerous input controlled by user.", "actualValue": "Script block contains dangerous input controlled by user." } diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index 27d9feeebeb..1929b9f5c5d 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Unsecured Commands", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "env.actions_allow_unsecure_commands={{true}}", @@ -14,8 +14,8 @@ { "queryName": "Unsecured Commands", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "env.actions_allow_unsecure_commands={{true}}", diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json index 5a589eea199..c61c2a006e1 100644 --- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::Config::ConfigRule", "resourceName": "access-keys-rotated", "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", @@ -14,8 +14,8 @@ { "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::Config::ConfigRule", "resourceName": "access-keys-rotated", "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 5c5a944569a..3f3382b68b2 100644 --- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 4, - "filename": "positive3.json", + "line": 3, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", - "resourceName": "MyLoadBalancer22222222", - "searchKey": "Resources.MyLoadBalancer22222222", - "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" - }, - { - "queryName": "ALB Is Not Integrated With WAF", - "severity": "MEDIUM", - "line": 4, - "filename": "positive4.json", - "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", - "resourceName": "myloadbalancerv2", - "searchKey": "Resources.MyLoadBalancerV22222", + "resourceName": "MyLoadBalancer22", + "searchKey": "Resources.MyLoadBalancer22", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated" }, { "queryName": "ALB Is Not Integrated With WAF", @@ -38,13 +26,25 @@ { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive3.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", - "resourceName": "MyLoadBalancer22", - "searchKey": "Resources.MyLoadBalancer22", + "resourceName": "MyLoadBalancer22222222", + "searchKey": "Resources.MyLoadBalancer22222222", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + }, + { + "queryName": "ALB Is Not Integrated With WAF", + "severity": "MEDIUM", + "line": 4, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV22222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json index 83be4f140b7..984f1ca02ac 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "ALB Listening on HTTP", + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" + }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", @@ -14,8 +26,8 @@ { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", @@ -26,8 +38,8 @@ { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.yaml", + "line": 35, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancingV2::Listener", "resourceName": "HTTPlistener", "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", @@ -38,25 +50,13 @@ { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 35, - "filename": "positive2.json", + "line": 16, + "filename": "positive3.yaml", "resourceType": "AWS::ElasticLoadBalancingV2::Listener", "resourceName": "HTTPlistener", "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" - }, - { - "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM", - "line": 9, - "filename": "positive2.json", - "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", - "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", - "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json index 68ae2e8e772..45b0591895e 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", - "line": 24, - "filename": "positive2.json", + "line": 17, + "filename": "positive1.yaml", "resourceType": "Alexa::ASK::Skill", "resourceName": "MySkill", "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", @@ -14,8 +14,8 @@ { "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", - "line": 17, - "filename": "positive1.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "Alexa::ASK::Skill", "resourceName": "MySkill", "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index c23d69988ed..59b0693b152 100644 --- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::DMS::ReplicationInstance", "resourceName": "ReplicationInstance", "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", @@ -27,7 +27,7 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::DMS::ReplicationInstance", "resourceName": "ReplicationInstance", "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index 922bdc7b034..dec89770740 100644 --- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 7, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", @@ -14,8 +14,8 @@ { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json index 3f5824f34f1..927e9aff1b6 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 9, - "filename": "positive6.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::Amplify::App", - "resourceName": "NewAmpApp", - "searchKey": "Resources.NewApp.Properties.AccessToken", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", "searchValue": "", - "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 7, - "filename": "positive5.json", + "line": 6, + "filename": "positive2.yaml", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentAccessToken.Default", @@ -26,20 +26,20 @@ { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 11, - "filename": "positive4.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "AWS::Amplify::App", - "resourceName": "String", - "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", "searchValue": "", - "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive4.json", "resourceType": "AWS::Amplify::App", "resourceName": "String", "searchKey": "Resources.NewAmpApp.Properties.AccessToken", @@ -50,8 +50,8 @@ { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive5.json", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentAccessToken.Default", @@ -62,8 +62,8 @@ { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 10, - "filename": "positive3.yaml", + "line": 9, + "filename": "positive6.json", "resourceType": "AWS::Amplify::App", "resourceName": "NewAmpApp", "searchKey": "Resources.NewApp.Properties.AccessToken", diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json index 15f866d5c1f..82e41fec3ae 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 12, - "filename": "positive4.json", + "line": 16, + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + }, + { + "queryName": "Amplify App Basic Auth Config Password Exposed", + "severity": "HIGH", + "line": 6, + "filename": "positive2.yaml", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentPassword.Default", @@ -14,8 +26,8 @@ { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 16, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive3.json", "resourceType": "AWS::Amplify::App", "resourceName": "NewAmpApp", "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", @@ -26,8 +38,8 @@ { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", - "line": 6, - "filename": "positive5.yaml", + "line": 12, + "filename": "positive4.json", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentPassword.Default", @@ -39,7 +51,7 @@ "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 6, - "filename": "positive2.yaml", + "filename": "positive5.yaml", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentPassword.Default", @@ -47,18 +59,6 @@ "expectedValue": "Parameters.ParentPassword.Default should be defined", "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, - { - "queryName": "Amplify App Basic Auth Config Password Exposed", - "severity": "HIGH", - "line": 12, - "filename": "positive3.json", - "resourceType": "AWS::Amplify::App", - "resourceName": "NewAmpApp", - "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json index d99574e9674..4f81cfa1f5d 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Amplify App OAuth Token Exposed", - "severity": "HIGH", - "line": 5, - "filename": "positive2.yaml", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "Parameters.ParentPassword.Default", - "searchValue": "", - "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" - }, { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", @@ -26,8 +14,8 @@ { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", - "line": 11, - "filename": "positive4.json", + "line": 5, + "filename": "positive2.yaml", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "Parameters.ParentPassword.Default", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + }, + { + "queryName": "Amplify App OAuth Token Exposed", + "severity": "HIGH", + "line": 11, + "filename": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json index 13e4020cc62..b74279ee57e 100644 --- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" }, - { - "queryName": "Amplify Branch Basic Auth Config Password Exposed", - "severity": "HIGH", - "line": 18, - "filename": "positive5.yaml", - "resourceType": "AWS::Amplify::Branch", - "resourceName": "NewAmpApp1", - "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", @@ -39,7 +27,7 @@ "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 19, - "filename": "positive6.json", + "filename": "positive3.json", "resourceType": "AWS::Amplify::Branch", "resourceName": "NewAmpApp1", "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", @@ -59,11 +47,23 @@ "expectedValue": "Parameters.ParentPassword.Default should be defined", "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" }, + { + "queryName": "Amplify Branch Basic Auth Config Password Exposed", + "severity": "HIGH", + "line": 18, + "filename": "positive5.yaml", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 19, - "filename": "positive3.json", + "filename": "positive6.json", "resourceType": "AWS::Amplify::Branch", "resourceName": "NewAmpApp1", "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 9b2320b5c38..ac641fcf69a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -2,74 +2,86 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "filename": "positive16.yaml", + "line": 16, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "AccessLogSetting", - "expectedValue": "'AccessLogSetting' should be defined", - "actualValue": "'AccessLogSetting' is not defined" + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 15, - "filename": "positive15.yaml", - "resourceType": "AWS::ApiGatewayV2::Stage", + "line": 19, + "filename": "positive10.json", + "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel", + "searchKey": "Resources.MyStage.Properties.MethodSettings", "searchValue": "", - "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF" + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, - "filename": "positive6.json", + "line": 4, + "filename": "positive11.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties", - "searchValue": "AccessLogSetting", - "expectedValue": "'AccessLogSetting' should be defined", - "actualValue": "'AccessLogSetting' is not defined" + "searchKey": "Resources.Prod.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.json", - "resourceType": "AWS::ApiGatewayV2::Stage", + "line": 13, + "filename": "positive11.yaml", + "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel", + "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", - "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF" + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 7, - "filename": "positive7.json", + "line": 21, + "filename": "positive12.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties", - "searchValue": "MethodSettings", - "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null", - "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null" + "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 16, - "filename": "positive1.yaml", - "resourceType": "AWS::ApiGateway::Stage", + "line": 4, + "filename": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 14, + "filename": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings", "searchValue": "", - "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -86,35 +98,35 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "filename": "positive11.yaml", - "resourceType": "AWS::ApiGateway::Stage", + "line": 15, + "filename": "positive15.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "MethodSettings", - "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, - "filename": "positive12.json", + "line": 4, + "filename": "positive16.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel", - "searchValue": "", - "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF" + "searchKey": "Resources.Prod.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, - "filename": "positive5.json", + "line": 4, + "filename": "positive17.yaml", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties", + "searchKey": "Resources.Prod.Properties", "searchValue": "AccessLogSettings", "expectedValue": "'AccessLogSettings' should be defined", "actualValue": "'AccessLogSettings' is not defined" @@ -122,62 +134,74 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings", - "searchValue": "", - "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" + "searchKey": "Resources.MyStage.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "filename": "positive9.yaml", + "line": 21, + "filename": "positive3.json", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "DefaultRouteSettings", - "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "filename": "positive13.yaml", + "line": 19, + "filename": "positive4.json", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "DefaultRouteSettings", - "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "filename": "positive17.yaml", + "line": 6, + "filename": "positive5.json", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", + "searchKey": "Resources.MyStage.Properties", "searchValue": "AccessLogSettings", "expectedValue": "'AccessLogSettings' should be defined", "actualValue": "'AccessLogSettings' is not defined" }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 6, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined" + }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 7, - "filename": "positive2.json", - "resourceType": "AWS::ApiGatewayV2::Stage", + "filename": "positive7.json", + "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.MyStage.Properties", - "searchValue": "DefaultRouteSettings", - "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null" + "searchValue": "MethodSettings", + "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -194,37 +218,13 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 14, - "filename": "positive13.yaml", + "line": 4, + "filename": "positive9.yaml", "resourceType": "AWS::ApiGatewayV2::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties.DefaultRouteSettings", - "searchValue": "", - "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" - }, - { - "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 19, - "filename": "positive10.json", - "resourceType": "AWS::ApiGateway::Stage", - "resourceName": "Prod", - "searchKey": "Resources.MyStage.Properties.MethodSettings", - "searchValue": "", - "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null" - }, - { - "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 13, - "filename": "positive11.yaml", - "resourceType": "AWS::ApiGateway::Stage", - "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties.MethodSettings", - "searchValue": "", - "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json index 2791b94a5c7..f31f23cc8a4 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "filename": "positive3.json", + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.ProdPos1.Properties", @@ -14,8 +14,8 @@ { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 6, - "filename": "positive6.json", + "line": 31, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", @@ -26,20 +26,20 @@ { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 31, - "filename": "positive5.yaml", + "line": 6, + "filename": "positive3.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchKey": "Resources.ProdPos1.Properties", "searchValue": "", - "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" + "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 31, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", @@ -50,20 +50,20 @@ { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 31, + "filename": "positive5.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.ProdPos1.Properties", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", "searchValue": "", - "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", - "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "filename": "positive4.json", + "filename": "positive6.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json index b0e5d533663..101b648a8c0 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json @@ -14,20 +14,20 @@ { "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9, - "filename": "positive5.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", - "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchKey": "Resources.Deployment.Properties.StageDescription", "searchValue": "", - "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" }, { "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12, - "filename": "positive6.json", + "line": 9, + "filename": "positive3.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", @@ -38,20 +38,20 @@ { "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 11, - "filename": "positive2.json", + "line": 12, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", - "searchKey": "Resources.Deployment.Properties.StageDescription", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", "searchValue": "", - "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" }, { "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12, - "filename": "positive4.json", + "line": 9, + "filename": "positive5.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", @@ -62,8 +62,8 @@ { "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9, - "filename": "positive3.yaml", + "line": 12, + "filename": "positive6.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index b4e52be8aeb..59ff2afcab3 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 15, - "filename": "positive4.json", + "line": 29, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", @@ -14,8 +14,8 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 31, - "filename": "positive5.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.ApiDeployment1", @@ -26,8 +26,8 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 31, - "filename": "positive6.json", + "line": 21, + "filename": "positive3.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.ApiDeployment2", @@ -38,20 +38,20 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.yaml", + "line": 15, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", - "searchKey": "Resources.ApiDeployment2", + "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", "searchValue": "", - "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", - "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" + "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml", + "line": 31, + "filename": "positive5.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", "searchKey": "Resources.ApiDeployment1", @@ -62,13 +62,13 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 29, - "filename": "positive1.yaml", + "line": 31, + "filename": "positive6.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "DummyStage", - "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", + "searchKey": "Resources.ApiDeployment2", "searchValue": "", - "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", - "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" + "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 95ed160091f..f82525381a6 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "filename": "positive6.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::Deployment", - "resourceName": "Prod1", - "searchKey": "Resources.Deployment2", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", "searchValue": "", - "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", - "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "filename": "positive5.json", + "line": 4, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "Prod", "searchKey": "Resources.Deployment1", @@ -23,18 +23,6 @@ "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" }, - { - "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW", - "line": 5, - "filename": "positive4.json", - "resourceType": "AWS::ApiGateway::Deployment", - "resourceName": "Prod", - "searchKey": "Resources.Deployment", - "searchValue": "", - "expectedValue": "Resources.Deployment should have UsagePlan defined", - "actualValue": "Resources.Deployment doesn't have UsagePlan defined" - }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", @@ -50,8 +38,8 @@ { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "Prod", "searchKey": "Resources.Deployment", @@ -62,13 +50,25 @@ { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", + "line": 5, + "filename": "positive5.json", "resourceType": "AWS::ApiGateway::Deployment", "resourceName": "Prod", "searchKey": "Resources.Deployment1", "searchValue": "", "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" + }, + { + "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", + "severity": "LOW", + "line": 5, + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 0c3a07b5b99..cd5a661bd4a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json", + "line": 5, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myRestApi", "searchKey": "Resources.MyRestApi.Properties", @@ -26,8 +26,8 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive2.json", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myRestApi", "searchKey": "Resources.MyRestApi.Properties", diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 41402f79077..4f7870838dc 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM", - "line": 7, - "filename": "positive6.yaml", - "resourceType": "AWS::ApiGateway::Method", - "resourceName": "MockMethod", - "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", - "searchValue": "", - "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" - }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", @@ -26,14 +14,14 @@ { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 13, - "filename": "positive5.json", + "line": 6, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Method", - "resourceName": "MockMethod", - "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", "searchValue": "", - "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -62,13 +50,25 @@ { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml", + "line": 13, + "filename": "positive5.json", "resourceType": "AWS::ApiGateway::Method", - "resourceName": "MockMethod1", - "searchKey": "Resources.MockMethod1.Properties", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", "searchValue": "", - "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", - "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + }, + { + "queryName": "API Gateway Method Does Not Contains An API Key", + "severity": "MEDIUM", + "line": 7, + "filename": "positive6.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 3c80800f5bd..69a68104eb7 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "filename": "positive6.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod2", + "searchKey": "Resources.Prod", "searchValue": "", - "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", - "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "filename": "positive5.json", + "line": 4, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.Prod1", @@ -26,20 +26,20 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5, - "filename": "positive4.json", + "line": 4, + "filename": "positive3.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.Prod", + "searchKey": "Resources.Prod2", "searchValue": "", - "expectedValue": "Resources.Prod should have UsagePlan defined", - "actualValue": "Resources.Prod doesn't have UsagePlan defined" + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.Prod", @@ -50,8 +50,8 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", + "line": 5, + "filename": "positive5.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.Prod1", @@ -62,8 +62,8 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 4, - "filename": "positive3.yaml", + "line": 5, + "filename": "positive6.json", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", "searchKey": "Resources.Prod2", diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index f3b7b3f1873..3864f36cf25 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json @@ -2,73 +2,73 @@ { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "filename": "positive5.json", + "line": 17, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", + "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", "searchValue": "", - "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759" + "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "filename": "positive6.json", + "line": 17, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi8.Properties", + "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", "searchValue": "", - "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", - "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined" + "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "filename": "positive4.json", + "line": 5, + "filename": "positive3.yaml", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi6.Properties.MinimumCompressionSize", + "searchKey": "Resources.RestApi5.Properties", "searchValue": "", - "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0" + "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "filename": "positive3.yaml", + "line": 22, + "filename": "positive4.json", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi5.Properties", + "searchKey": "Resources.RestApi6.Properties.MinimumCompressionSize", "searchValue": "", - "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", - "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined" + "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "filename": "positive1.yaml", + "line": 22, + "filename": "positive5.json", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", + "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", "searchValue": "", - "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0" + "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "filename": "positive2.yaml", + "line": 5, + "filename": "positive6.json", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myApi", - "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", + "searchKey": "Resources.RestApi8.Properties", "searchValue": "", - "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759" + "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index f02ab18095a..e77a395c446 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "filename": "positive7.json", - "resourceType": "AWS::ApiGateway::RestApi", - "resourceName": "myRestApi", - "searchKey": "Resources.MyRestApi10", + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -14,11 +14,11 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 20, - "filename": "positive6.json", + "line": 3, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGatewayV2::Api", "resourceName": "TL-Dev-WebSocket-API", - "searchKey": "Resources.DevWebSocket9", + "searchKey": "Resources.DevWebSocket5", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -27,10 +27,10 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "filename": "positive1.yaml", - "resourceType": "AWS::ApiGatewayV2::Api", - "resourceName": "TL-Dev-WebSocket-API", - "searchKey": "Resources.DevWebSocket", + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi6", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -39,10 +39,10 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "filename": "positive3.yaml", + "filename": "positive4.yaml", "resourceType": "AWS::ApiGateway::RestApi", "resourceName": "myRestApi", - "searchKey": "Resources.MyRestApi6", + "searchKey": "Resources.MyRestApi7", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -50,11 +50,11 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "filename": "positive2.yaml", + "line": 4, + "filename": "positive5.json", "resourceType": "AWS::ApiGatewayV2::Api", "resourceName": "TL-Dev-WebSocket-API", - "searchKey": "Resources.DevWebSocket5", + "searchKey": "Resources.DevWebSocket8", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -62,11 +62,11 @@ { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "filename": "positive4.yaml", - "resourceType": "AWS::ApiGateway::RestApi", - "resourceName": "myRestApi", - "searchKey": "Resources.MyRestApi7", + "line": 20, + "filename": "positive6.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket9", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" @@ -75,10 +75,10 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 4, - "filename": "positive5.json", - "resourceType": "AWS::ApiGatewayV2::Api", - "resourceName": "TL-Dev-WebSocket-API", - "searchKey": "Resources.DevWebSocket8", + "filename": "positive7.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi10", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json index 27a59599624..16515bf8e22 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.yaml", + "line": 20, + "filename": "positive1.yaml", "resourceType": "AWS::ApiGateway::DomainName", "resourceName": "cfnDomainName", - "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", + "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", "searchValue": "", - "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", - "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" + "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 20, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::DomainName", "resourceName": "cfnDomainName", - "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", + "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", "searchValue": "", - "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", - "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" + "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" }, { "queryName": "API Gateway Without Security Policy", diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 6807b55b7b0..61d36d32640 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "API Gateway X-Ray Disabled", - "severity": "LOW", - "line": 6, - "filename": "positive2.yaml", - "resourceType": "AWS::ApiGateway::Stage", - "resourceName": "Prod", - "searchKey": "Resources.ProdPos4.Properties", - "searchValue": "", - "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", - "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined" - }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", @@ -27,13 +15,13 @@ "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 6, - "filename": "positive4.json", + "filename": "positive2.yaml", "resourceType": "AWS::ApiGateway::Stage", "resourceName": "Prod", - "searchKey": "Resources.ProdPos2.Properties", + "searchKey": "Resources.ProdPos4.Properties", "searchValue": "", - "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", - "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined" + "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined" }, { "queryName": "API Gateway X-Ray Disabled", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "Resources.ProdPos1.Properties.TracingEnabled should be true", "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false" + }, + { + "queryName": "API Gateway X-Ray Disabled", + "severity": "LOW", + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 20f6466f0f4..39431e3c14b 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 126, - "filename": "positive2.json", - "resourceType": "AWS::AutoScaling::AutoScalingGroup", - "resourceName": "myASG", - "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", - "searchValue": "", - "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", - "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" - }, - { - "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM", - "line": 38, - "filename": "positive2.json", + "line": 28, + "filename": "positive1.yaml", "resourceType": "AWS::AutoScaling::AutoScalingGroup", "resourceName": "myASG", "searchKey": "Resources.myASG.Properties", @@ -50,8 +38,8 @@ { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 28, - "filename": "positive1.yaml", + "line": 38, + "filename": "positive2.json", "resourceType": "AWS::AutoScaling::AutoScalingGroup", "resourceName": "myASG", "searchKey": "Resources.myASG.Properties", @@ -70,5 +58,17 @@ "searchValue": "", "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty" + }, + { + "queryName": "Auto Scaling Group With No Associated ELB", + "severity": "MEDIUM", + "line": 126, + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 0cd092621a6..eb9b7615f63 100644 --- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 17, - "filename": "positive4.json", + "line": 18, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties", @@ -14,8 +14,8 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 44, - "filename": "positive2.json", + "line": 42, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", @@ -38,8 +38,8 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 42, - "filename": "positive1.yaml", + "line": 44, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", @@ -51,7 +51,7 @@ "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties", @@ -74,8 +74,8 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 18, - "filename": "positive3.yaml", + "line": 17, + "filename": "positive4.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties", diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index e5aa97561c1..dfce37ebfcd 100644 --- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", - "line": 12, - "filename": "positive4.json", + "line": 21, + "filename": "positive1.yaml", "resourceType": "AWS::Batch::JobDefinition", "resourceName": "nvidia-smi", "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", @@ -38,8 +38,8 @@ { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", - "line": 21, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive4.json", "resourceType": "AWS::Batch::JobDefinition", "resourceName": "nvidia-smi", "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", diff --git a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json index aa865074aef..4ae375766ef 100644 --- a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "filename": "positive8.yaml", - "resourceType": "AWS::AutoScaling::LaunchConfiguration", - "resourceName": "MyLaunchConfiguration", - "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "line": 14, + "filename": "positive1.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", @@ -26,14 +26,14 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "filename": "positive4.yaml", - "resourceType": "AWS::EC2::Instance", - "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "line": 15, + "filename": "positive11.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" }, { "queryName": "Block Device Is Not Encrypted", @@ -62,26 +62,26 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 14, - "filename": "positive1.json", + "line": 12, + "filename": "positive3.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 15, - "filename": "positive11.json", - "resourceType": "AWS::AutoScaling::LaunchConfiguration", - "resourceName": "MyLaunchConfiguration", - "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "line": 10, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", @@ -122,25 +122,25 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 14, - "filename": "positive9.json", - "resourceType": "AWS::EC2::Instance", - "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "line": 10, + "filename": "positive8.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "filename": "positive3.json", + "line": 14, + "filename": "positive9.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json index e5b27a678d5..fe1da191862 100644 --- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 15, - "filename": "positive2.json", - "resourceType": "AWS::CloudFront::Distribution", - "resourceName": "myDistribution", - "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", - "searchValue": "", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" - }, - { - "queryName": "CDN Configuration Is Missing", - "severity": "LOW", - "line": 7, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig", @@ -38,13 +26,25 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured" + }, + { + "queryName": "CDN Configuration Is Missing", + "severity": "LOW", + "line": 15, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index 93fbf24ef0d..f4ad7596183 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 30, + "line": 13, "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", - "resourceName": "cloudfrontdistribution_2", - "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", "searchValue": "", - "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50, - "filename": "positive2.json", + "line": 30, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", - "resourceName": "cloudfrontdistribution_1", - "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", "searchValue": "", - "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -38,8 +38,8 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 50, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution_1", "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 5a848c8b1a5..23a5274a018 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.json", + "line": 25, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", @@ -14,8 +14,8 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 55, - "filename": "positive2.json", + "line": 33, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution2", "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", @@ -26,8 +26,8 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 25, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", @@ -38,8 +38,8 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.yaml", + "line": 55, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution2", "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json index dd166d6a84c..28f1f1eef10 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 21, - "filename": "positive3.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", - "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", "searchValue": "", - "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", - "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" }, { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", @@ -26,8 +26,8 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 36, - "filename": "positive4.json", + "line": 21, + "filename": "positive3.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", @@ -38,13 +38,13 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.json", + "line": 36, + "filename": "positive4.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", - "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", "searchValue": "", - "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", - "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 5d13b4b1bab..5f57327df50 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 108, - "filename": "positive4.json", + "line": 77, + "filename": "positive1.yaml", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail2", "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", @@ -27,7 +27,7 @@ "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "filename": "positive4.json", + "filename": "positive2.json", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", @@ -50,8 +50,8 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 87, - "filename": "positive2.json", + "line": 62, + "filename": "positive3.yaml", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", @@ -74,8 +74,8 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 62, - "filename": "positive3.yaml", + "line": 87, + "filename": "positive4.json", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", @@ -86,8 +86,8 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 77, - "filename": "positive1.yaml", + "line": 108, + "filename": "positive4.json", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail2", "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index c1535f6defb..a3bb0c590df 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 53, - "filename": "positive2.json", + "line": 62, + "filename": "positive1.yaml", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", @@ -14,8 +14,8 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 6, - "filename": "positive3.json", + "line": 53, + "filename": "positive2.json", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", @@ -26,8 +26,8 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 62, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive3.json", "resourceType": "AWS::CloudTrail::Trail", "resourceName": "myTrail", "searchKey": "Resources.myTrail.Properties", diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 837e024960f..fc305e03afc 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "CloudTrail Logging Disabled", - "severity": "MEDIUM", - "line": 20, - "filename": "positive3.yaml", - "resourceType": "AWS::CloudTrail::Trail", - "resourceName": "myTrail", - "searchKey": "Resources.myTrail.Properties.IsLogging", - "searchValue": "", - "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail.Properties.IsLogging' is false" - }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", @@ -35,18 +23,6 @@ "expectedValue": "'Resources.myTrail4.Properties.IsLogging' should be true", "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false" }, - { - "queryName": "CloudTrail Logging Disabled", - "severity": "MEDIUM", - "line": 25, - "filename": "positive4.json", - "resourceType": "AWS::CloudTrail::Trail", - "resourceName": "myTrail5", - "searchKey": "Resources.myTrail5.Properties.IsLogging", - "searchValue": "", - "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" - }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "'Resources.myTrail6.Properties.IsLogging' should be true", "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false" + }, + { + "queryName": "CloudTrail Logging Disabled", + "severity": "MEDIUM", + "line": 20, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail.Properties.IsLogging' is false" + }, + { + "queryName": "CloudTrail Logging Disabled", + "severity": "MEDIUM", + "line": 25, + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 16ea8cc19fb..dc2787298b1 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -23,6 +23,30 @@ "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" }, + { + "queryName": "CloudTrail Not Integrated With CloudWatch", + "severity": "LOW", + "line": 62, + "filename": "positive2.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared" + }, + { + "queryName": "CloudTrail Not Integrated With CloudWatch", + "severity": "LOW", + "line": 62, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared" + }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", @@ -70,29 +94,5 @@ "searchValue": "CloudWatchLogsRoleArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" - }, - { - "queryName": "CloudTrail Not Integrated With CloudWatch", - "severity": "LOW", - "line": 62, - "filename": "positive3.yaml", - "resourceType": "AWS::CloudTrail::Trail", - "resourceName": "myTrail3", - "searchKey": "Resources.myTrail3.Properties", - "searchValue": "CloudWatchLogsRoleArn", - "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", - "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared" - }, - { - "queryName": "CloudTrail Not Integrated With CloudWatch", - "severity": "LOW", - "line": 62, - "filename": "positive2.yaml", - "resourceType": "AWS::CloudTrail::Trail", - "resourceName": "myTrail2", - "searchKey": "Resources.myTrail2.Properties", - "searchValue": "CloudWatchLogsLogGroupArn", - "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", - "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index f938503175c..28fe51ce3c7 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "CloudTrail SNS Topic Name Undefined", + "severity": "LOW", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined" + }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "'Resources.myTrail6.Properties.SnsTopicName' should be set", "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined" - }, - { - "queryName": "CloudTrail SNS Topic Name Undefined", - "severity": "LOW", - "line": 12, - "filename": "positive1.yaml", - "resourceType": "AWS::CloudTrail::Trail", - "resourceName": "myTrail3", - "searchKey": "Resources.myTrail3.Properties", - "searchValue": "", - "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", - "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index 920ec5ac936..fd3af61be94 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", - "searchKey": "Resources.HostedZone4.Properties", + "searchKey": "Resources.HostedZone3.Properties", "searchValue": "", - "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set", - "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined" + "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined" }, { "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", - "searchKey": "Resources.HostedZone3.Properties", + "searchKey": "Resources.HostedZone4.Properties", "searchValue": "", - "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set", - "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined" + "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index 9a08935ec94..e0b6996a2ca 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "CloudWatch Metrics Disabled", - "severity": "MEDIUM", - "line": 20, - "filename": "positive5.yaml", - "resourceType": "AWS::ApiGateway::Stage", - "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties.MethodSettings", - "searchValue": "", - "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" - }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", @@ -35,18 +23,6 @@ "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" }, - { - "queryName": "CloudWatch Metrics Disabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive3.yaml", - "resourceType": "AWS::ApiGateway::Stage", - "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "", - "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", - "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" - }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", @@ -71,6 +47,18 @@ "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false" }, + { + "queryName": "CloudWatch Metrics Disabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" + }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", @@ -94,5 +82,17 @@ "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false" + }, + { + "queryName": "CloudWatch Metrics Disabled", + "severity": "MEDIUM", + "line": 20, + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json index 000351182d2..1e9096d45cc 100644 --- a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json", + "line": 5, + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.Enabled", @@ -14,8 +14,8 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 59, - "filename": "positive2.json", + "line": 30, + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", @@ -26,8 +26,8 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 5, - "filename": "positive3.yaml", + "line": 6, + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.Enabled", @@ -38,25 +38,25 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", + "line": 59, + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", - "resourceName": "myKey", - "searchKey": "Resources.myKey.Properties.Enabled", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", "searchValue": "", - "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", - "actualValue": "'Resources.myKey.Properties.Enabled' is false" + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 30, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive3.yaml", "resourceType": "AWS::KMS::Key", - "resourceName": "myKey2", - "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", "searchValue": "", - "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", - "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json index 5c33faed445..66b90556a83 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 49, - "filename": "positive2.json", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" + }, + { + "queryName": "CMK Rotation Disabled", + "severity": "LOW", + "line": 31, + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", @@ -26,8 +38,8 @@ { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 7, - "filename": "positive3.yaml", + "line": 49, + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", @@ -38,25 +50,13 @@ { "queryName": "CMK Rotation Disabled", "severity": "LOW", - "line": 31, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive3.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" - }, - { - "queryName": "CMK Rotation Disabled", - "severity": "LOW", - "line": 5, - "filename": "positive1.yaml", - "resourceType": "AWS::KMS::Key", - "resourceName": "myKey", - "searchKey": "Resources.myKey.Properties", - "searchValue": "", - "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", - "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json index a40bc635db4..e24a2171ffc 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json @@ -14,14 +14,26 @@ { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 4, - "filename": "positive7.yaml", - "resourceType": "AWS::Redshift::Cluster", - "resourceName": "mydb", - "searchKey": "Resources.myCluster.Properties", + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", - "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", - "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + }, + { + "queryName": "CMK Unencrypted Storage", + "severity": "HIGH", + "line": 36, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" }, { "queryName": "CMK Unencrypted Storage", @@ -35,6 +47,18 @@ "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined" }, + { + "queryName": "CMK Unencrypted Storage", + "severity": "HIGH", + "line": 25, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", @@ -50,14 +74,14 @@ { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 25, - "filename": "positive5.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "RDSCluster1", - "searchKey": "Resources.RDSCluster1.Properties", + "line": 4, + "filename": "positive7.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" }, { "queryName": "CMK Unencrypted Storage", @@ -70,29 +94,5 @@ "searchValue": "", "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" - }, - { - "queryName": "CMK Unencrypted Storage", - "severity": "HIGH", - "line": 24, - "filename": "positive2.yaml", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "RDSCluster1", - "searchKey": "Resources.RDSCluster1.Properties", - "searchValue": "", - "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" - }, - { - "queryName": "CMK Unencrypted Storage", - "severity": "HIGH", - "line": 36, - "filename": "positive3.yaml", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "RDSCluster-2", - "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", - "searchValue": "", - "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", - "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index 2e9c08ea318..029e9480f63 100644 --- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 10, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::Cognito::UserPool", "resourceName": "${AuthName}-user-pool", "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", @@ -14,8 +14,8 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 19, - "filename": "positive2.json", + "line": 14, + "filename": "positive1.yaml", "resourceType": "AWS::Cognito::UserPool", "resourceName": "${AuthName}-user-pool", "searchKey": "Resources.UserPool4.Properties", @@ -26,8 +26,8 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 8, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive2.json", "resourceType": "AWS::Cognito::UserPool", "resourceName": "${AuthName}-user-pool", "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", @@ -38,8 +38,8 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 14, - "filename": "positive1.yaml", + "line": 19, + "filename": "positive2.json", "resourceType": "AWS::Cognito::UserPool", "resourceName": "${AuthName}-user-pool", "searchKey": "Resources.UserPool4.Properties", diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 4aedf7604ca..be334d14312 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 21, + "line": 10, "filename": "positive1.yaml", "resourceType": "AWS::Config::ConfigurationAggregator", - "resourceName": "ConfigurationAggregator2", - "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "resourceName": "ConfigurationAggregator1", + "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 10, + "line": 21, "filename": "positive1.yaml", "resourceType": "AWS::Config::ConfigurationAggregator", - "resourceName": "ConfigurationAggregator1", - "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", - "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -38,50 +38,50 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 43, - "filename": "positive2.json", + "line": 49, + "filename": "positive1.yaml", "resourceType": "AWS::Config::ConfigurationAggregator", "resourceName": "MyConfigurationAggregator", - "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", + "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", - "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" + "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 6, + "filename": "positive2.json", "resourceType": "AWS::Config::ConfigurationAggregator", - "resourceName": "ConfigurationAggregator2", - "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 49, - "filename": "positive1.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "AWS::Config::ConfigurationAggregator", "resourceName": "MyConfigurationAggregator", - "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", - "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false" + "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 24, + "line": 43, "filename": "positive2.json", "resourceType": "AWS::Config::ConfigurationAggregator", "resourceName": "MyConfigurationAggregator", - "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", + "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -98,13 +98,13 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "AWS::Config::ConfigurationAggregator", - "resourceName": "MyConfigurationAggregator", - "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", "searchValue": "", - "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", - "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json index 26357238fe6..fce5cd6803f 100644 --- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Connection Between CloudFront Origin Not Encrypted", - "severity": "MEDIUM", - "line": 56, - "filename": "positive2.json", - "resourceType": "AWS::CloudFront::Distribution", - "resourceName": "cloudfrontdistribution_2", - "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", - "searchValue": "", - "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" - }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" + }, + { + "queryName": "Connection Between CloudFront Origin Not Encrypted", + "severity": "MEDIUM", + "line": 56, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index f7007dd1558..f7d2db12437 100644 --- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "filename": "positive5.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Role", "resourceName": "RootRole", "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", @@ -14,8 +14,8 @@ { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", - "line": 6, - "filename": "positive3.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::IAM::Role", "resourceName": "RootRole", "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", @@ -27,7 +27,7 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::IAM::Role", "resourceName": "RootRole", "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", @@ -39,7 +39,7 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "filename": "positive2.json", + "filename": "positive4.json", "resourceType": "AWS::IAM::Role", "resourceName": "RootRole", "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", @@ -50,8 +50,8 @@ { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", - "line": 7, - "filename": "positive4.json", + "line": 6, + "filename": "positive5.yaml", "resourceType": "AWS::IAM::Role", "resourceName": "RootRole", "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", diff --git a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index 8ee240b878d..3744e0ca828 100644 --- a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 7, - "filename": "positive8.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", - "searchKey": "Resources.daxCluster.Properties", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", "searchValue": "", - "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", - "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 9, - "filename": "positive6.json", + "line": 8, + "filename": "positive2.yaml", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", @@ -50,8 +50,8 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive2.yaml", + "line": 9, + "filename": "positive5.json", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", @@ -62,8 +62,8 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive6.json", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", @@ -74,25 +74,25 @@ { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 9, - "filename": "positive5.json", + "line": 8, + "filename": "positive7.json", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", - "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", "searchValue": "", - "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive7.json", + "line": 7, + "filename": "positive8.json", "resourceType": "AWS::DAX::Cluster", "resourceName": "daxCluster", - "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchKey": "Resources.daxCluster.Properties", "searchValue": "", - "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 2fd264d8da7..e8cf5aa9ede 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 15, + "line": 8, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroup1", - "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 20, - "filename": "positive3.json", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "DbSecurityByEC2SecurityGroup1", "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", @@ -23,30 +23,6 @@ "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." }, - { - "queryName": "DB Security Group Open To Large Scope", - "severity": "HIGH", - "line": 31, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroup2", - "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", - "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." - }, - { - "queryName": "DB Security Group Open To Large Scope", - "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurity", - "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", - "searchValue": "", - "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." - }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", @@ -62,8 +38,8 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 9, - "filename": "positive4.json", + "line": 7, + "filename": "positive2.yaml", "resourceType": "AWS::RDS::DBSecurityGroupIngress", "resourceName": "MyDBSecurityGroupIngress", "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", @@ -74,8 +50,8 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 18, - "filename": "positive4.json", + "line": 13, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "StandaloneIngressIPv4", "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", @@ -86,8 +62,8 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 27, - "filename": "positive4.json", + "line": 19, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "StandaloneIngressIPv6", "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", @@ -110,8 +86,32 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 7, - "filename": "positive2.yaml", + "line": 20, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." + }, + { + "queryName": "DB Security Group Open To Large Scope", + "severity": "HIGH", + "line": 31, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." + }, + { + "queryName": "DB Security Group Open To Large Scope", + "severity": "HIGH", + "line": 9, + "filename": "positive4.json", "resourceType": "AWS::RDS::DBSecurityGroupIngress", "resourceName": "MyDBSecurityGroupIngress", "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", @@ -122,8 +122,8 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 13, - "filename": "positive2.yaml", + "line": 18, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "StandaloneIngressIPv4", "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", @@ -134,8 +134,8 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 19, - "filename": "positive2.yaml", + "line": 27, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "StandaloneIngressIPv6", "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 669b7d07d98..e1f54cfd10b 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,62 +2,50 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 41, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DBEC2SecurityGroupInline_pos3", - "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", - "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." - }, - { - "queryName": "DB Security Group With Public Scope", - "severity": "CRITICAL", - "line": 9, - "filename": "positive3.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroupInline_pos3", - "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "filename": "positive2.yaml", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroup_pos2", - "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos1", + "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 61, + "line": 32, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DBEC2SecurityGroupIngressIPv6_pos1", - "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "filename": "positive5.yaml", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroup_pos5", - "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", + "line": 36, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." }, { "queryName": "DB Security Group With Public Scope", @@ -74,38 +62,38 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 32, + "line": 61, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DBEC2SecurityGroupInline_pos1", - "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 70, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DBEC2SecurityGroupIngress_pos3", - "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'." + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 47, + "line": 9, "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DBEC2SecurityGroupInline_pos3", - "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", @@ -122,26 +110,38 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 36, - "filename": "positive1.yaml", + "line": 41, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DBEC2SecurityGroupInline_pos1", - "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 9, - "filename": "positive4.json", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroup_pos4", - "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", + "line": 47, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." + }, + { + "queryName": "DB Security Group With Public Scope", + "severity": "CRITICAL", + "line": 70, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", @@ -158,25 +158,25 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 8, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive4.json", "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "DbSecurityByEC2SecurityGroupInline_pos1", - "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", + "resourceName": "DbSecurityByEC2SecurityGroup_pos4", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 20, - "filename": "positive1.yaml", - "resourceType": "AWS::RDS::DBSecurityGroupIngress", - "resourceName": "DbSecurityIngressRule_pos1", - "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", + "line": 8, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos5", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", - "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'." + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json index 7d34a6ede23..a3ed2b754f5 100644 --- a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", - "line": 25, - "filename": "positive2.json", + "line": 24, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "RDSCluster1", "searchKey": "Resources.RDSCluster1.Properties", @@ -14,8 +14,8 @@ { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", - "line": 24, - "filename": "positive3.yaml", + "line": 25, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "RDSCluster1", "searchKey": "Resources.RDSCluster1.Properties", @@ -27,7 +27,7 @@ "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "RDSCluster1", "searchKey": "Resources.RDSCluster1.Properties", diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index d8c4e75d676..beea9441d72 100644 --- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -14,14 +14,14 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 20, - "filename": "positive2.yaml", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "default", - "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -39,13 +39,13 @@ "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "filename": "positive3.json", + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "default", - "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -62,14 +62,14 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 25, - "filename": "positive4.json", + "line": 20, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "default", - "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -86,13 +86,13 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 15, - "filename": "positive1.yaml", + "line": 25, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "default", - "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json index f4c97625f7d..3fcea4e4d1e 100644 --- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 17, - "filename": "positive4.json", + "line": 14, + "filename": "positive1.yaml", "resourceType": "AWS::DirectoryService::MicrosoftAD", "resourceName": "String", "searchKey": "Resources.NewAmpApp-2.Properties.Password", @@ -14,8 +14,8 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 11, - "filename": "positive5.json", + "line": 9, + "filename": "positive2.yaml", "resourceType": "AWS::DirectoryService::MicrosoftAD", "resourceName": "String", "searchKey": "Resources.NewAmpApp.Properties.Password", @@ -26,20 +26,20 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 9, - "filename": "positive2.yaml", - "resourceType": "AWS::DirectoryService::MicrosoftAD", - "resourceName": "String", - "searchKey": "Resources.NewAmpApp.Properties.Password", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", - "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", - "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" + "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", + "actualValue": "Parameters.ParentMasterPassword.Default is defined" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 14, - "filename": "positive1.yaml", + "line": 17, + "filename": "positive4.json", "resourceType": "AWS::DirectoryService::MicrosoftAD", "resourceName": "String", "searchKey": "Resources.NewAmpApp-2.Properties.Password", @@ -50,14 +50,14 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 5, - "filename": "positive3.yaml", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "Parameters.ParentMasterPassword.Default", + "line": 11, + "filename": "positive5.json", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.Password", "searchValue": "", - "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", - "actualValue": "Parameters.ParentMasterPassword.Default is defined" + "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json index 431ea0ff862..08e0bfeb960 100644 --- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Directory Service Simple AD Password Exposed", - "severity": "HIGH", - "line": 20, - "filename": "positive4.json", - "resourceType": "AWS::DirectoryService::SimpleAD", - "resourceName": "String", - "searchKey": "Resources.NewAmpApp4.Properties.Password", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", @@ -47,6 +35,18 @@ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, + { + "queryName": "Directory Service Simple AD Password Exposed", + "severity": "HIGH", + "line": 20, + "filename": "positive4.json", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" + }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json index f25c50004ca..8b02e936564 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH", - "line": 38, - "filename": "positive6.json", - "resourceType": "AWS::DMS::Endpoint", - "resourceName": "NewAmpApp6", - "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" - }, - { - "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH", - "line": 26, - "filename": "positive5.json", - "resourceType": "AWS::DMS::Endpoint", - "resourceName": "NewAmpApp5", - "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined" + }, + { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", + "severity": "HIGH", + "line": 26, + "filename": "positive5.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp5", + "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" + }, + { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", + "severity": "HIGH", + "line": 38, + "filename": "positive6.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp6", + "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json index 46991b0d943..cfee8f79cfc 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "DMS Endpoint Password Exposed", - "severity": "HIGH", - "line": 25, - "filename": "positive3.yaml", - "resourceType": "AWS::DMS::Endpoint", - "resourceName": "DMSEndpoint6", - "searchKey": "Resources.DMSEndpoint6.Properties.Password", - "searchValue": "", - "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", - "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", @@ -35,6 +23,18 @@ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" }, + { + "queryName": "DMS Endpoint Password Exposed", + "severity": "HIGH", + "line": 25, + "filename": "positive3.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint6", + "searchKey": "Resources.DMSEndpoint6.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" + }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json index 24347ec319d..46ea576b6fd 100644 --- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "DocDB Cluster Master Password In Plaintext", - "severity": "HIGH", - "line": 18, - "filename": "positive6.json", - "resourceType": "AWS::DocDB::DBCluster", - "resourceName": "NewAmpApp03", - "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", - "searchValue": "", - "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" - }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", @@ -47,6 +35,18 @@ "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" }, + { + "queryName": "DocDB Cluster Master Password In Plaintext", + "severity": "HIGH", + "line": 17, + "filename": "positive4.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", @@ -62,13 +62,13 @@ { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 17, - "filename": "positive4.json", + "line": 18, + "filename": "positive6.json", "resourceType": "AWS::DocDB::DBCluster", - "resourceName": "NewAmpApp", - "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "resourceName": "NewAmpApp03", + "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", "searchValue": "", - "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json index 48cf0f125dc..b69c14604c9 100644 --- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -15,25 +15,25 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive3.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::DocDB::DBCluster", "resourceName": "MyDocDBCluster", "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::DocDB::DBCluster", "resourceName": "MyDocDBCluster", "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit" }, { "queryName": "DocDB Logging Is Disabled", diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index cdcb93c9347..ec080447be4 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive3.yaml", + "line": 18, + "filename": "positive1.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "AuthorsTable_prod", - "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled", "searchValue": "", - "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'", - "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'" + "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'" }, { "queryName": "DynamoDB Table Not Encrypted", @@ -26,13 +26,13 @@ { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 18, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive3.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "my-table", - "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled", + "resourceName": "AuthorsTable_prod", + "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled", "searchValue": "", - "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'" + "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index 459c806b6d7..ec3e6c11705 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 4, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "my-table", - "searchKey": "Resources.MyDynamoDBTable.Properties", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", "searchValue": "", - "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined" + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 7, - "filename": "positive6.json", + "line": 4, + "filename": "positive2.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "DynamoDBOnDemandTable1", - "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties", "searchValue": "", - "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -50,26 +50,26 @@ { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 6, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive5.yaml", "resourceType": "AWS::DynamoDB::Table", "resourceName": "MyDynamoDBTable", - "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification", "searchValue": "", - "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 5, - "filename": "positive5.yaml", + "line": 7, + "filename": "positive6.json", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "MyDynamoDBTable", - "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification", "searchValue": "", - "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json index b0cc56e31cc..86eb4920e34 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json @@ -3,25 +3,13 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "filename": "positive5.json", - "resourceType": "AWS::DynamoDB::Table", - "resourceName": "dynamodb-kms-2", - "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", - "searchValue": "", - "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", - "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" - }, - { - "queryName": "DynamoDB With Aws Owned CMK", - "severity": "HIGH", - "line": 5, - "filename": "positive6.json", + "filename": "positive1.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "dynamodb-kms-3", - "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", "searchValue": "", - "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", - "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -39,19 +27,19 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::DynamoDB::Table", - "resourceName": "dynamodb-kms-0", - "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", "searchValue": "", - "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", - "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", - "line": 4, - "filename": "positive7.yaml", + "line": 5, + "filename": "positive4.json", "resourceType": "AWS::DynamoDB::Table", "resourceName": "dynamodb-kms-0", "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", @@ -63,7 +51,7 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "filename": "positive3.yaml", + "filename": "positive5.json", "resourceType": "AWS::DynamoDB::Table", "resourceName": "dynamodb-kms-2", "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", @@ -75,7 +63,19 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 5, - "filename": "positive4.json", + "filename": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" + }, + { + "queryName": "DynamoDB With Aws Owned CMK", + "severity": "HIGH", + "line": 4, + "filename": "positive7.yaml", "resourceType": "AWS::DynamoDB::Table", "resourceName": "dynamodb-kms-0", "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 72792630fc5..4d36edcf29c 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -14,14 +14,14 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 8, - "filename": "positive5.yaml", + "line": 6, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::Volume", - "resourceName": "NewVolume", - "searchKey": "Resources.NewVolume.Properties.Encrypted", + "resourceName": "NewVolume02", + "searchKey": "Resources.NewVolume02.Properties", "searchValue": "", - "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", - "actualValue": "Resources.NewVolume.Properties.Encrypted is false" + "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" }, { "queryName": "EBS Volume Encryption Disabled", @@ -50,13 +50,13 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive5.yaml", "resourceType": "AWS::EC2::Volume", - "resourceName": "NewVolume02", - "searchKey": "Resources.NewVolume02.Properties", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", "searchValue": "", - "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", - "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json index 129f27e5389..483e332580b 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json @@ -2,44 +2,20 @@ { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 55, + "line": 4, "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "Test", - "searchKey": "Resources.NoRolesProfile.Properties", - "searchValue": "", - "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", - "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" - }, - { - "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2.json", - "resourceType": "AWS::EC2::Instance", - "resourceName": "Test", "searchKey": "Resources.NoIAM.Properties", "searchValue": "", "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" }, - { - "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM", - "line": 94, - "filename": "positive2.json", - "resourceType": "AWS::EC2::Instance", - "resourceName": "Test", - "searchKey": "Resources.NoRolesProfile.Properties", - "searchValue": "", - "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", - "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" - }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", "line": 29, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "Test", "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", @@ -50,20 +26,20 @@ { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 29, + "line": 55, "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "Test", - "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchKey": "Resources.NoRolesProfile.Properties", "searchValue": "", - "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", - "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::EC2::Instance", "resourceName": "Test", "searchKey": "Resources.NoIAM.Properties", @@ -83,6 +59,18 @@ "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" }, + { + "queryName": "EC2 Instance Has No IAM Role", + "severity": "MEDIUM", + "line": 94, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" + }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", @@ -95,6 +83,18 @@ "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" }, + { + "queryName": "EC2 Instance Has No IAM Role", + "severity": "MEDIUM", + "line": 29, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" + }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 8ba4bc04b1d..75739a2a74e 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", - "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'", - "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set" + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json index 663f28c6b40..bdcd54bbe58 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::Subnet", "resourceName": "mySubnet", "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", @@ -14,8 +14,8 @@ { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.yaml", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::EC2::Subnet", "resourceName": "mySubnet", "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", @@ -27,7 +27,7 @@ "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", "line": 7, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::EC2::Subnet", "resourceName": "mySubnet", "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 4d7ca46a2c1..2905eb3b0c0 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", @@ -14,8 +14,8 @@ { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 23, + "filename": "positive2.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 1929be6e3cd..fe1d0130aff 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "DefaultVPC", "searchKey": "Resources.DefaultVPC.Properties.SubnetId", @@ -15,7 +15,7 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::EC2::Instance", "resourceName": "DefaultVPC", "searchKey": "Resources.DefaultVPC.Properties.SubnetId", diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json index f2f7a749c0b..484501545c1 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 39, + "line": 12, "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundRule2", - "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.RuleNumber", "searchValue": "", - "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" + "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -23,6 +23,18 @@ "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" }, + { + "queryName": "EC2 Network ACL Duplicate Rule", + "severity": "INFO", + "line": 39, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" + }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", @@ -50,26 +62,26 @@ { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 57, + "line": 33, "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundRule2", - "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.RuleNumber", "searchValue": "", - "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" + "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 33, + "line": 57, "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "OutboundRule", - "searchKey": "Resources.OutboundRule.Properties.RuleNumber", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", "searchValue": "", - "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" + "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -82,17 +94,5 @@ "searchValue": "", "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL" - }, - { - "queryName": "EC2 Network ACL Duplicate Rule", - "severity": "INFO", - "line": 12, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundRule", - "searchKey": "Resources.InboundRule.Properties.RuleNumber", - "searchValue": "", - "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json index afd6be9bb7c..55bcca2bc0e 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM", - "line": 105, - "filename": "positive2.json", - "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "OutboundTests", - "searchKey": "Resources.OutboundTests.Properties.PortRange", - "searchValue": "", - "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" - }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", @@ -26,26 +14,14 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 54, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundTests", - "searchKey": "Resources.InboundTests.Properties.PortRange", - "searchValue": "", - "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" - }, - { - "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM", - "line": 78, + "line": 30, "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "Match", - "searchKey": "Resources.Match.Properties.PortRange", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", "searchValue": "", - "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -62,26 +38,26 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 73, - "filename": "positive2.json", + "line": 54, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundRule", - "searchKey": "Resources.InboundRule.Properties.PortRange", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", "searchValue": "", - "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 116, - "filename": "positive2.json", + "line": 78, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundTests", - "searchKey": "Resources.InboundTests.Properties.PortRange", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", "searchValue": "", - "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -98,14 +74,14 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 30, - "filename": "positive1.yaml", + "line": 22, + "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "OutboundRule", - "searchKey": "Resources.OutboundRule.Properties.PortRange", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", "searchValue": "", - "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -122,14 +98,14 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 22, + "line": 73, "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "Match", - "searchKey": "Resources.Match.Properties.PortRange", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", "searchValue": "", - "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -142,5 +118,29 @@ "searchValue": "", "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + }, + { + "queryName": "EC2 Network ACL Overlapping Ports", + "severity": "MEDIUM", + "line": 105, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + }, + { + "queryName": "EC2 Network ACL Overlapping Ports", + "severity": "MEDIUM", + "line": 116, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index f8365bdf0eb..68a2a29b9b2 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 5, - "filename": "positive6.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", @@ -14,73 +14,73 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 23, - "filename": "positive4.json", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 5, - "filename": "positive2.json", + "line": 16, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 4, - "filename": "positive5.yaml", + "line": 23, + "filename": "positive4.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 16, - "filename": "positive7.yaml", + "line": 4, + "filename": "positive5.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 16, - "filename": "positive3.yaml", + "line": 5, + "filename": "positive6.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 4, - "filename": "positive1.yaml", + "line": 16, + "filename": "positive7.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index cd7343dd4b9..2fa2956a34e 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -2,62 +2,86 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, + "line": 21, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, + "line": 31, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 41, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -67,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -79,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -91,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -103,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -115,45 +139,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 66, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -163,63 +187,63 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 25, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", @@ -230,8 +254,8 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", @@ -242,14 +266,14 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 93, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_2", - "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -259,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -271,45 +295,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 54, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress4.Properties", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -319,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -331,45 +355,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 113, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 44, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress3.Properties", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -379,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -391,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -403,57 +427,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -463,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -475,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -487,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -499,45 +523,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -547,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -559,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -571,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -583,33 +607,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -619,21 +643,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 84, + "line": 60, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -643,21 +667,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -667,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -679,33 +703,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -715,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -727,69 +751,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 94, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress4.Properties", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 34, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 31, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -799,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -811,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -830,32 +818,20 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 38, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress3.Properties", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", @@ -866,38 +842,38 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 107, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 21, + "line": 60, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -907,57 +883,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", + "line": 60, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -967,9 +943,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -979,18 +955,30 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 75, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", + "line": 70, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 80, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" @@ -998,11 +986,11 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 65, - "filename": "positive3.json", + "line": 84, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" @@ -1010,59 +998,95 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 29, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 38, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 47, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 47, + "line": 57, "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress4.Properties", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 66, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 75, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 84, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" @@ -1070,35 +1094,35 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, + "line": 25, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, + "line": 39, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 80, - "filename": "positive1.yaml", + "line": 53, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" @@ -1106,26 +1130,26 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 65, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1135,57 +1159,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1195,9 +1219,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1207,9 +1231,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1219,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1231,81 +1255,81 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 29, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 39, + "line": 79, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1315,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1327,21 +1351,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1351,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1363,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1375,21 +1399,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1399,57 +1423,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1459,21 +1483,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 53, + "line": 79, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1483,45 +1507,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 84, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1531,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1543,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1567,45 +1591,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 57, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1615,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1627,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1639,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1651,9 +1663,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1663,57 +1675,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 49, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 84, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress4.Properties", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1771,57 +1771,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1831,33 +1831,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 74, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 41, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1867,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1879,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1891,69 +1879,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" - }, - { - "queryName": "EC2 Sensitive Port Is Publicly Exposed", - "severity": "HIGH", - "line": 64, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 20, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1963,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1975,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1987,57 +1963,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 24, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 79, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2047,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2059,27 +2035,27 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", + "line": 79, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 70, - "filename": "positive1.yaml", + "line": 93, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_2", "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", @@ -2090,97 +2066,121 @@ { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, + "line": 107, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, + "line": 113, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 24, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 34, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 44, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 54, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 79, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 64, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", - "line": 60, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "line": 74, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 84, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + }, + { + "queryName": "EC2 Sensitive Port Is Publicly Exposed", + "severity": "HIGH", + "line": 94, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index dc2a084df86..6f31ef5bda2 100644 --- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'", + "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'" + }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "Resources.MyRepository6.Properties.ImageTagMutability should be defined and not null", "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null" - }, - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", - "resourceType": "AWS::ECR::Repository", - "resourceName": "test-repository", - "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability", - "searchValue": "", - "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'", - "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json index ae7269c2358..4628b676429 100644 --- a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "ECR Repository Not Encrypted With CMK", - "severity": "LOW", - "line": 11, - "filename": "positive5.json", - "resourceType": "AWS::ECR::Repository", - "resourceName": "test-repository", - "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", - "searchValue": "", - "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" - }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", @@ -27,7 +15,7 @@ "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", "line": 8, - "filename": "positive9.yaml", + "filename": "positive10.yaml", "resourceType": "AWS::ECR::Repository", "resourceName": "ecrepo", "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", @@ -38,14 +26,14 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 11, - "filename": "positive4.json", + "line": 12, + "filename": "positive2.json", "resourceType": "AWS::ECR::Repository", "resourceName": "test-repository", - "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", "searchValue": "", - "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -62,26 +50,38 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 5, - "filename": "positive6.yaml", + "line": 11, + "filename": "positive4.json", "resourceType": "AWS::ECR::Repository", - "resourceName": "ecrepo", - "searchKey": "Resources.ecrepo.Properties", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", "searchValue": "", - "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null" + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 8, - "filename": "positive10.yaml", + "line": 11, + "filename": "positive5.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" + }, + { + "queryName": "ECR Repository Not Encrypted With CMK", + "severity": "LOW", + "line": 5, + "filename": "positive6.yaml", "resourceType": "AWS::ECR::Repository", "resourceName": "ecrepo", - "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", + "searchKey": "Resources.ecrepo.Properties", "searchValue": "", - "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -110,13 +110,13 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 12, - "filename": "positive2.json", + "line": 8, + "filename": "positive9.yaml", "resourceType": "AWS::ECR::Repository", - "resourceName": "test-repository", - "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", + "resourceName": "ecrepo", + "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", "searchValue": "", - "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" + "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 3bd0469a6e3..0eea542e2c1 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 7, - "filename": "positive2.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::ECS::Cluster", "resourceName": "ECSCluster", - "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", + "searchKey": "Resources.ECSCluster.Properties", "searchValue": "", - "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" + "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'", + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 7, - "filename": "positive3.json", + "filename": "positive2.json", "resourceType": "AWS::ECS::Cluster", "resourceName": "ECSCluster", "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", @@ -26,13 +26,13 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive3.json", "resourceType": "AWS::ECS::Cluster", "resourceName": "ECSCluster", - "searchKey": "Resources.ECSCluster.Properties", + "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", "searchValue": "", - "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'", - "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined" + "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json index 134af83f2e0..ee8aac02a71 100644 --- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "ECS No Load Balancer Attached", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.ECSService.Properties", + "searchValue": "", + "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", + "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" + }, { "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", @@ -15,7 +27,7 @@ "queryName": "ECS No Load Balancer Attached", "severity": "MEDIUM", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::ECS::Service", "resourceName": "ECSService", "searchKey": "Resources.ECSService.Properties", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty", "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty" - }, - { - "queryName": "ECS No Load Balancer Attached", - "severity": "MEDIUM", - "line": 7, - "filename": "positive2.json", - "resourceType": "AWS::ECS::Service", - "resourceName": "ECSService", - "searchKey": "Resources.ECSService.Properties", - "searchValue": "", - "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", - "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 59b26c95af5..b76058ee7aa 100644 --- a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", - "line": 66, - "filename": "positive2.json", + "line": 54, + "filename": "positive1.yaml", "resourceType": "AWS::ECS::Service", "resourceName": "cfn-service", "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", @@ -14,8 +14,8 @@ { "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", - "line": 54, - "filename": "positive1.yaml", + "line": 66, + "filename": "positive2.json", "resourceType": "AWS::ECS::Service", "resourceName": "cfn-service", "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json index 90dce3a01b6..8d65fbefd39 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "ECS Task Definition Invalid CPU or Memory", - "severity": "LOW", - "line": 93, - "filename": "positive2.json", - "resourceType": "AWS::ECS::Service", - "resourceName": "ECSService", - "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", - "searchValue": "", - "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", - "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" - }, { "queryName": "ECS Task Definition Invalid CPU or Memory", "severity": "LOW", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values", "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value" + }, + { + "queryName": "ECS Task Definition Invalid CPU or Memory", + "severity": "LOW", + "line": 93, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "ECSService", + "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", + "searchValue": "", + "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", + "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 89e0fb31cba..bb459052e08 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", "line": 7, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::ECS::TaskDefinition", "resourceName": "taskdefinition", - "searchKey": "Resources.taskdefinition.Properties", + "searchKey": "Resources.taskdefinition.Properties.NetworkMode", "searchValue": "", - "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'", - "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'" + "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'", + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'" }, { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::ECS::TaskDefinition", "resourceName": "taskdefinition", - "searchKey": "Resources.taskdefinition.Properties.NetworkMode", + "searchKey": "Resources.taskdefinition.Properties", "searchValue": "", - "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'", - "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'" + "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'", + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json index 4302e2bb9f3..6c89fd8d9d5 100644 --- a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 49, - "filename": "positive3.yaml", + "line": 90, + "filename": "positive2.json", "resourceType": "AWS::EFS::FileSystem", "resourceName": "test-VPC-EFS", "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", @@ -26,8 +26,8 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 90, - "filename": "positive2.json", + "line": 49, + "filename": "positive3.yaml", "resourceType": "AWS::EFS::FileSystem", "resourceName": "test-VPC-EFS", "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 436ebd003e5..41ab1a46a83 100644 --- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 35, + "filename": "positive1.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 31, + "filename": "positive2.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -23,23 +47,11 @@ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined" }, - { - "queryName": "EFS Volume With Disabled Transit Encryption", - "severity": "MEDIUM", - "line": 31, - "filename": "positive2.json", - "resourceType": "AWS::ECS::TaskDefinition", - "resourceName": "taskdefinition", - "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", - "searchValue": "", - "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" - }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 35, - "filename": "positive1.json", + "filename": "positive5.yaml", "resourceType": "AWS::ECS::TaskDefinition", "resourceName": "taskdefinition", "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", @@ -59,18 +71,6 @@ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" }, - { - "queryName": "EFS Volume With Disabled Transit Encryption", - "severity": "MEDIUM", - "line": 35, - "filename": "positive5.yaml", - "resourceType": "AWS::ECS::TaskDefinition", - "resourceName": "taskdefinition", - "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", - "searchValue": "", - "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" - }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json index 917dc73d26e..4b4da411d4a 100644 --- a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 157, - "filename": "positive2.json", + "line": 82, + "filename": "positive1.yaml", "resourceType": "AWS::EFS::FileSystem", "resourceName": "test-VPC-EFS", "searchKey": "Resources.EFSFileSystem01", @@ -14,8 +14,8 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 82, - "filename": "positive3.yaml", + "line": 157, + "filename": "positive2.json", "resourceType": "AWS::EFS::FileSystem", "resourceName": "test-VPC-EFS", "searchKey": "Resources.EFSFileSystem01", @@ -27,7 +27,7 @@ "queryName": "EFS Without KMS", "severity": "LOW", "line": 82, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::EFS::FileSystem", "resourceName": "test-VPC-EFS", "searchKey": "Resources.EFSFileSystem01", diff --git a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index f5b5cb1ee47..19d5425f3c7 100644 --- a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "EKS Cluster Encryption Disabled", - "severity": "HIGH", - "line": 16, - "filename": "positive3.yaml", - "resourceType": "AWS::EKS::Cluster", - "resourceName": "MyEKSClusterB", - "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", - "searchValue": "", - "expectedValue": "'secrets' should be defined inside the Resources field", - "actualValue": "'secrets' is undefined on the Resources field" - }, { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", @@ -35,6 +23,18 @@ "expectedValue": "'EncryptionConfig' should be defined and not null", "actualValue": "'EncryptionConfig' is undefined or null" }, + { + "queryName": "EKS Cluster Encryption Disabled", + "severity": "HIGH", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterB", + "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", + "searchValue": "", + "expectedValue": "'secrets' should be defined inside the Resources field", + "actualValue": "'secrets' is undefined on the Resources field" + }, { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json index 44809606009..8e8fd4a8fd9 100644 --- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EKS node group remote access", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", + "line": 17, + "filename": "positive1.yaml", "resourceType": "AWS::EKS::Nodegroup", "resourceName": "EKSNodegroup", "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", @@ -14,8 +14,8 @@ { "queryName": "EKS node group remote access", "severity": "MEDIUM", - "line": 17, - "filename": "positive1.yaml", + "line": 21, + "filename": "positive2.json", "resourceType": "AWS::EKS::Nodegroup", "resourceName": "EKSNodegroup", "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index d44e9251036..528ce7ee7f9 100644 --- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -15,13 +15,13 @@ "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", "line": 5, - "filename": "positive4.json", + "filename": "positive2.yaml", "resourceType": "AWS::ElastiCache::CacheCluster", - "resourceName": "myCacheCluster6", - "searchKey": "Resources.myCacheCluster6.Properties", + "resourceName": "myCacheCluster4", + "searchKey": "Resources.myCacheCluster4.Properties", "searchValue": "", - "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'", - "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'" + "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -39,12 +39,12 @@ "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", "line": 5, - "filename": "positive2.yaml", + "filename": "positive4.json", "resourceType": "AWS::ElastiCache::CacheCluster", - "resourceName": "myCacheCluster4", - "searchKey": "Resources.myCacheCluster4.Properties", + "resourceName": "myCacheCluster6", + "searchKey": "Resources.myCacheCluster6.Properties", "searchValue": "", - "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'", - "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'" + "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json index 38ee242adb8..fa95fd395f9 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 10, - "filename": "positive5.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::ElastiCache::ReplicationGroup", "resourceName": "ReplicationGroup", "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", @@ -23,18 +23,6 @@ "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" }, - { - "queryName": "ElastiCache With Disabled at Rest Encryption", - "severity": "HIGH", - "line": 10, - "filename": "positive1.yaml", - "resourceType": "AWS::ElastiCache::ReplicationGroup", - "resourceName": "ReplicationGroup", - "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", - "searchValue": "", - "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", - "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" - }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" + }, + { + "queryName": "ElastiCache With Disabled at Rest Encryption", + "severity": "HIGH", + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json index 4dd68bd301c..669cbdbb6d7 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 4, - "filename": "positive3.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::ElastiCache::ReplicationGroup", "resourceName": "ReplicationGroup", "searchKey": "Resources.ReplicationGroup.Properties", @@ -14,8 +14,8 @@ { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 18, - "filename": "positive4.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "AWS::ElastiCache::ReplicationGroup", "resourceName": "MyReplicationGroup", "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", @@ -26,8 +26,8 @@ { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 6, - "filename": "positive5.yaml", + "line": 4, + "filename": "positive3.json", "resourceType": "AWS::ElastiCache::ReplicationGroup", "resourceName": "ReplicationGroup", "searchKey": "Resources.ReplicationGroup.Properties", @@ -38,25 +38,25 @@ { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 18, + "filename": "positive4.json", "resourceType": "AWS::ElastiCache::ReplicationGroup", - "resourceName": "ReplicationGroup", - "searchKey": "Resources.ReplicationGroup.Properties", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", "searchValue": "", - "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", - "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" + "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 26, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive5.yaml", "resourceType": "AWS::ElastiCache::ReplicationGroup", - "resourceName": "MyReplicationGroup", - "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", "searchValue": "", - "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", - "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json index 6ef4ad3ec8d..488c59fdbf2 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 7, - "filename": "positive2.json", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", @@ -14,32 +14,32 @@ { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive4.json", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" }, { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 15, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive3.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", - "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" }, { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", "line": 6, - "filename": "positive3.yaml", + "filename": "positive4.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties", diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index 9c994d20d45..a2133bad791 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -3,7 +3,31 @@ "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "filename": "positive6.json", + "filename": "positive1.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + }, + { + "queryName": "Elasticsearch Domain Not Encrypted Node To Node", + "severity": "MEDIUM", + "line": 10, + "filename": "positive10.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + }, + { + "queryName": "Elasticsearch Domain Not Encrypted Node To Node", + "severity": "MEDIUM", + "line": 7, + "filename": "positive11.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "my-es-domain", "searchKey": "Resources.MyElasticsearchDomain.Properties", @@ -23,18 +47,6 @@ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" }, - { - "queryName": "Elasticsearch Domain Not Encrypted Node To Node", - "severity": "MEDIUM", - "line": 44, - "filename": "positive4.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "MyOpenSearchDomain", - "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", - "searchValue": "", - "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" - }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", @@ -50,50 +62,26 @@ { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "MyOpenSearchDomain", - "searchKey": "Resources.MyOpenSearchDomain.Properties", - "searchValue": "", - "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" - }, - { - "queryName": "Elasticsearch Domain Not Encrypted Node To Node", - "severity": "MEDIUM", - "line": 7, - "filename": "positive9.yaml", + "line": 34, + "filename": "positive3.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "MyOpenSearchDomain", - "searchKey": "Resources.MyOpenSearchDomain.Properties", - "searchValue": "", - "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" - }, - { - "queryName": "Elasticsearch Domain Not Encrypted Node To Node", - "severity": "MEDIUM", - "line": 42, - "filename": "positive8.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "my-es-domain", - "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", - "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 10, - "filename": "positive10.json", + "line": 44, + "filename": "positive4.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "MyOpenSearchDomain", - "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions", + "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", - "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -111,7 +99,7 @@ "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 7, - "filename": "positive11.yaml", + "filename": "positive6.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "my-es-domain", "searchKey": "Resources.MyElasticsearchDomain.Properties", @@ -122,25 +110,37 @@ { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 34, - "filename": "positive3.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "MyOpenSearchDomain", - "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", + "line": 32, + "filename": "positive7.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-es-domain", + "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", - "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 32, - "filename": "positive7.yaml", + "line": 42, + "filename": "positive8.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "my-es-domain", "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + }, + { + "queryName": "Elasticsearch Domain Not Encrypted Node To Node", + "severity": "MEDIUM", + "line": 7, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "MyOpenSearchDomain", + "searchKey": "Resources.MyOpenSearchDomain.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 33e69aa2cbf..8163e48ac9c 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -26,8 +26,8 @@ { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 16, - "filename": "positive5.yaml", + "line": 8, + "filename": "positive3.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", @@ -50,8 +50,8 @@ { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 8, - "filename": "positive3.json", + "line": 16, + "filename": "positive5.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index cee9b02c04e..54d87b31560 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -14,14 +14,14 @@ { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive4.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "OpenSearchDomain", - "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", + "line": 24, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "my-elasticsearch-domain", + "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions", "searchValue": "", - "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", - "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -38,13 +38,13 @@ { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", - "line": 24, - "filename": "positive2.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "my-elasticsearch-domain", - "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions", + "line": 15, + "filename": "positive4.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "OpenSearchDomain", + "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" + "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", + "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json index 8b3c3926812..a104359fe37 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 14, - "filename": "positive11.json", + "line": 13, + "filename": "positive1.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", @@ -14,32 +14,20 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 11, - "filename": "positive12.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" - }, - { - "queryName": "ElasticSearch Without Audit Logs", - "severity": "MEDIUM", - "line": 11, - "filename": "positive17.json", + "line": 10, + "filename": "positive10.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 14, + "filename": "positive11.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", @@ -50,38 +38,26 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive9.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" - }, - { - "queryName": "ElasticSearch Without Audit Logs", - "severity": "MEDIUM", - "line": 10, - "filename": "positive5.yaml", + "line": 11, + "filename": "positive12.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 12, - "filename": "positive15.json", + "line": 7, + "filename": "positive13.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -99,9 +75,9 @@ "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", "line": 12, - "filename": "positive20.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", @@ -122,32 +98,32 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 10, - "filename": "positive10.yaml", + "line": 11, + "filename": "positive17.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml", + "line": 14, + "filename": "positive19.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", @@ -158,26 +134,26 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 7, - "filename": "positive18.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 7, - "filename": "positive13.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -206,20 +182,20 @@ { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 6, - "filename": "positive8.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 14, - "filename": "positive19.json", + "line": 13, + "filename": "positive6.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", @@ -238,5 +214,29 @@ "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + }, + { + "queryName": "ElasticSearch Without Audit Logs", + "severity": "MEDIUM", + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + }, + { + "queryName": "ElasticSearch Without Audit Logs", + "severity": "MEDIUM", + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json index a2246555216..abf7b9bfbcf 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json @@ -2,44 +2,32 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" - }, - { - "queryName": "ElasticSearch Without Es Application Logs", - "severity": "MEDIUM", - "line": 12, - "filename": "positive15.json", + "line": 13, + "filename": "positive1.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "filename": "positive16.json", + "line": 10, + "filename": "positive10.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "filename": "positive14.json", + "filename": "positive11.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", @@ -50,8 +38,8 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive12.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", @@ -62,34 +50,34 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "filename": "positive18.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 12, - "filename": "positive20.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", @@ -98,8 +86,8 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive9.yaml", + "line": 14, + "filename": "positive16.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", @@ -110,8 +98,20 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "filename": "positive8.yaml", + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + }, + { + "queryName": "ElasticSearch Without Es Application Logs", + "severity": "MEDIUM", + "line": 7, + "filename": "positive18.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties", @@ -134,22 +134,10 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "filename": "positive13.json", + "line": 9, + "filename": "positive2.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" - }, - { - "queryName": "ElasticSearch Without Es Application Logs", - "severity": "MEDIUM", - "line": 11, - "filename": "positive17.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", @@ -158,26 +146,26 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "filename": "positive7.yaml", + "line": 12, + "filename": "positive20.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive3.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -194,22 +182,22 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 11, - "filename": "positive12.json", + "line": 10, + "filename": "positive5.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "filename": "positive11.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", @@ -218,25 +206,37 @@ { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "filename": "positive10.yaml", + "line": 9, + "filename": "positive7.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "filename": "positive5.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + }, + { + "queryName": "ElasticSearch Without Es Application Logs", + "severity": "MEDIUM", + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index 651c10b0742..8cbf8a597c8 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", - "line": 26, - "filename": "positive2.json", + "line": 24, + "filename": "positive1.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", @@ -14,8 +14,8 @@ { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", - "line": 24, - "filename": "positive1.yaml", + "line": 26, + "filename": "positive2.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "test", "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 9d1cf08f65d..4ff0c166cf0 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json @@ -1,9 +1,21 @@ [ + { + "queryName": "ElasticSearch Without Slow Logs", + "severity": "LOW", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 17, - "filename": "positive4.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", @@ -14,8 +26,8 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "filename": "positive20.json", + "line": 10, + "filename": "positive10.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", @@ -26,34 +38,22 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 6, - "filename": "positive8.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" - }, - { - "queryName": "ElasticSearch Without Slow Logs", - "severity": "LOW", - "line": 18, - "filename": "positive19.json", + "line": 13, + "filename": "positive10.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 14, - "filename": "positive19.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", @@ -62,14 +62,14 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 9, - "filename": "positive7.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "line": 18, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -86,44 +86,44 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "filename": "positive15.json", + "line": 7, + "filename": "positive13.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "filename": "positive15.json", + "line": 14, + "filename": "positive14.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "filename": "positive5.yaml", + "line": 18, + "filename": "positive14.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "filename": "positive5.yaml", + "line": 12, + "filename": "positive15.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", @@ -134,14 +134,14 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 7, - "filename": "positive13.json", + "line": 15, + "filename": "positive15.json", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -158,26 +158,14 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "filename": "positive4.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" - }, - { - "queryName": "ElasticSearch Without Slow Logs", - "severity": "LOW", - "line": 7, - "filename": "positive18.json", + "line": 18, + "filename": "positive16.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -194,22 +182,22 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "filename": "positive20.json", + "line": 7, + "filename": "positive18.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 14, - "filename": "positive11.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", @@ -218,8 +206,8 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "filename": "positive6.yaml", + "line": 18, + "filename": "positive19.json", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", @@ -230,14 +218,38 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "filename": "positive14.json", + "line": 9, + "filename": "positive2.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + }, + { + "queryName": "ElasticSearch Without Slow Logs", + "severity": "LOW", + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + }, + { + "queryName": "ElasticSearch Without Slow Logs", + "severity": "LOW", + "line": 15, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -255,7 +267,7 @@ "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 13, - "filename": "positive1.yaml", + "filename": "positive4.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", @@ -267,9 +279,9 @@ "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 17, - "filename": "positive9.yaml", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", @@ -278,34 +290,34 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "filename": "positive11.json", + "line": 10, + "filename": "positive5.yaml", "resourceType": "AWS::Elasticsearch::Domain", "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "filename": "positive16.json", - "resourceType": "AWS::OpenSearchService::Domain", - "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "line": 13, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "filename": "positive14.json", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", @@ -314,22 +326,22 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, + "line": 17, "filename": "positive6.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 9, - "filename": "positive2.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", @@ -338,49 +350,37 @@ { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "filename": "positive10.yaml", + "line": 6, + "filename": "positive8.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", - "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" - }, - { - "queryName": "ElasticSearch Without Slow Logs", - "severity": "LOW", - "line": 17, - "filename": "positive1.yaml", - "resourceType": "AWS::Elasticsearch::Domain", - "resourceName": "", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "filename": "positive10.yaml", + "line": 13, + "filename": "positive9.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, + "line": 17, "filename": "positive9.yaml", "resourceType": "AWS::OpenSearchService::Domain", "resourceName": "ElasticsearchDomain", - "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", - "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json index f09ae666c8d..6dab395aa9d 100644 --- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties", @@ -14,8 +14,8 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive4.json", + "line": 31, + "filename": "positive2.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer2", "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", @@ -26,20 +26,20 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive3.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", - "resourceName": "MyLoadBalancer2", - "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", - "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 31, - "filename": "positive5.yaml", + "line": 18, + "filename": "positive4.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer2", "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", @@ -50,13 +50,13 @@ { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 31, + "filename": "positive5.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", - "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", - "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 40759bd25a1..45b7472cf7b 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 45, - "filename": "positive7.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 45, - "filename": "positive7.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" - }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -31,9 +7,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -43,9 +19,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -55,57 +31,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 71, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_2", - "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -115,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -127,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -139,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -158,38 +122,14 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 81, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 90, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress4.Properties", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -199,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -215,18 +155,6 @@ "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 44, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress4.Properties", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" - }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -235,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -247,33 +175,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64, - "filename": "positive8.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -283,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -295,75 +223,63 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 70, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "filename": "positive8.json", + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", @@ -379,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -391,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -403,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -415,57 +331,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55, - "filename": "positive4.yaml", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, - "filename": "positive4.yaml", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 81, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress4.Properties", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -475,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -487,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -499,57 +403,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "filename": "positive4.yaml", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -559,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -571,21 +475,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -595,69 +499,69 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -667,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -679,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -691,57 +595,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 61, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -751,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -763,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -775,69 +679,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 50, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress4.Properties", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 111, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -847,45 +739,33 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 17, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -895,105 +775,93 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 35, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress3.Properties", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "filename": "positive8.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "filename": "positive7.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1003,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1015,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1027,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1039,54 +907,78 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 54, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", + "line": 32, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 42, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 50, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 57, - "filename": "positive5.json", + "line": 61, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 71, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 81, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" @@ -1094,11 +986,23 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 72, + "line": 85, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 17, "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" @@ -1106,23 +1010,23 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 80, - "filename": "positive6.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 58, - "filename": "positive8.json", - "resourceType": "AWS::EC2::SecurityGroup", + "line": 35, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchKey": "Resources.IPv4Ingress3.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" @@ -1130,74 +1034,62 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "line": 44, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "line": 54, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "line": 63, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "line": 72, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "line": 81, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1214,155 +1106,131 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 30, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 30, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 30, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 17, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 97, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_2", - "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "filename": "positive1.yaml", + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 27, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 32, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 40, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 45, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 42, - "filename": "positive1.yaml", + "line": 50, + "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, + "line": 55, "filename": "positive4.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" @@ -1370,14 +1238,14 @@ { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 63, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1387,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1399,69 +1267,69 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69, + "line": 29, "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 17, - "filename": "positive4.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1471,21 +1339,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 83, + "line": 29, "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1495,81 +1363,81 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive4.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 45, - "filename": "positive4.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1579,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1591,45 +1459,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "filename": "positive3.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "filename": "positive3.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1639,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1651,9 +1519,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1663,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1675,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1687,57 +1555,57 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 28, - "filename": "positive8.json", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1747,21 +1615,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 117, + "line": 29, "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1771,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1783,69 +1651,69 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1855,57 +1723,45 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 40, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress3.Properties", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 60, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 34, - "filename": "positive8.json", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1915,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1927,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1951,69 +1807,69 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 46, - "filename": "positive8.json", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2023,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2035,93 +1891,93 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 26, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 20, - "filename": "positive6.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2131,21 +1987,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2155,69 +2011,69 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 39, - "filename": "positive7.json", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 52, - "filename": "positive8.json", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2227,9 +2083,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2239,9 +2095,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2251,9 +2107,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2263,212 +2119,356 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 57, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, + "line": 69, "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, + "line": 83, "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 97, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 111, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 117, + "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 20, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 30, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 40, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 50, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 60, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 70, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 80, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 90, + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 39, + "filename": "positive7.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 45, + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "filename": "positive1.yaml", + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 28, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 34, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 40, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", + "line": 46, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 30, - "filename": "positive3.yaml", + "line": 52, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstancesSecGroup", - "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 29, - "filename": "positive5.json", + "line": 58, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 43, - "filename": "positive5.json", + "line": 64, + "filename": "positive8.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 7cf8158b837..03191ef5dcd 100644 --- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 35, - "filename": "positive2.json", + "line": 27, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", @@ -14,8 +14,8 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 50, - "filename": "positive2.json", + "line": 34, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", @@ -26,8 +26,8 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.yaml", + "line": 35, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", @@ -38,8 +38,8 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 34, - "filename": "positive1.yaml", + "line": 50, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json index b86502ca050..06b247e5cb1 100644 --- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 29, + "line": 27, "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 27, + "line": 29, "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", @@ -38,26 +38,26 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 40, + "line": 35, "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 35, + "line": 40, "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", - "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", "searchValue": "", - "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" }, { "queryName": "ELB Using Weak Ciphers", diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json index ecd7be7e4d2..8c037249448 100644 --- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 36, - "filename": "positive4.json", + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" + }, + { + "queryName": "ELBv2 ALB Access Log Disabled", + "severity": "MEDIUM", + "line": 30, + "filename": "positive2.yaml", "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", "resourceName": "EnvironmentName", "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", @@ -14,8 +26,8 @@ { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", + "line": 23, + "filename": "positive3.json", "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", "resourceName": "EnvironmentName", "searchKey": "Resources.LoadBalancer.Properties", @@ -26,8 +38,8 @@ { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", - "line": 30, - "filename": "positive2.yaml", + "line": 36, + "filename": "positive4.json", "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", "resourceName": "EnvironmentName", "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" - }, - { - "queryName": "ELBv2 ALB Access Log Disabled", - "severity": "MEDIUM", - "line": 23, - "filename": "positive3.json", - "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", - "resourceName": "EnvironmentName", - "searchKey": "Resources.LoadBalancer.Properties", - "searchValue": "", - "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", - "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json index 59e3de8c782..04ff3041663 100644 --- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.json", + "line": 11, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", @@ -14,8 +14,8 @@ { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.json", + "line": 13, + "filename": "positive1.yaml", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", @@ -26,8 +26,8 @@ { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", @@ -38,8 +38,8 @@ { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", "resourceName": "MyLoadBalancer", "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json index 051d5ffae9f..94d657bb1e2 100644 --- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 41, + "line": 6, "filename": "positive1.yaml", "resourceType": "AWS::ECS::Service", - "resourceName": "TaskNoRole", - "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "resourceName": "NoTaskDefinition", + "searchKey": "Resources.NoTaskDefinition.Properties", "searchValue": "", - "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", - "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" + "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -26,21 +26,9 @@ { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 6, + "line": 41, "filename": "positive1.yaml", "resourceType": "AWS::ECS::Service", - "resourceName": "NoTaskDefinition", - "searchKey": "Resources.NoTaskDefinition.Properties", - "searchValue": "", - "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", - "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" - }, - { - "queryName": "Empty Roles For ECS Cluster Task Definitions", - "severity": "MEDIUM", - "line": 39, - "filename": "positive2.json", - "resourceType": "AWS::ECS::Service", "resourceName": "TaskNoRole", "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", "searchValue": "", @@ -59,6 +47,18 @@ "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition" }, + { + "queryName": "Empty Roles For ECS Cluster Task Definitions", + "severity": "MEDIUM", + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "TaskNoRole", + "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" + }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json index 3d74f7c416c..27c1f6b2e0c 100644 --- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 18, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::EMR::Cluster", "resourceName": "CFNtest2", - "searchKey": "Resources.cluster1.Properties", + "searchKey": "Resources.cluster.Properties", "searchValue": "", - "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", - "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" + "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" }, { "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 18, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::EMR::Cluster", "resourceName": "CFNtest2", - "searchKey": "Resources.cluster.Properties", + "searchKey": "Resources.cluster1.Properties", "searchValue": "", - "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", - "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" + "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" }, { "queryName": "EMR Cluster Without Security Configuration", diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json index a95012ac28e..ce51aae6d6d 100644 --- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive5.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive6.json", + "line": 9, + "filename": "positive1.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive6.json", + "filename": "positive2.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", @@ -38,50 +38,38 @@ { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive8.json", - "resourceType": "AWS::EMR::SecurityConfiguration", - "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", - "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", - "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" - }, - { - "queryName": "EMR Security Configuration Encryption Disabled", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive2.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive9.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 8, + "line": 9, "filename": "positive3.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -95,18 +83,6 @@ "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" }, - { - "queryName": "EMR Security Configuration Encryption Disabled", - "severity": "MEDIUM", - "line": 9, - "filename": "positive7.json", - "resourceType": "AWS::EMR::SecurityConfiguration", - "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", - "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" - }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", @@ -122,8 +98,8 @@ { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive9.yaml", + "line": 10, + "filename": "positive5.json", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", @@ -135,19 +111,19 @@ "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.yaml", + "filename": "positive6.json", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive2.yaml", + "filename": "positive6.json", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", @@ -155,23 +131,47 @@ "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" }, + { + "queryName": "EMR Security Configuration Encryption Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive2.yaml", + "filename": "positive7.json", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", - "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + }, + { + "queryName": "EMR Security Configuration Encryption Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive8.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive1.yaml", + "filename": "positive9.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", @@ -182,13 +182,13 @@ { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive7.json", + "line": 9, + "filename": "positive9.yaml", "resourceType": "AWS::EMR::SecurityConfiguration", "resourceName": "String", - "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", - "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json index 16447f97039..002d567ecc2 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "EMR Without VPC", "severity": "LOW", - "line": 32, - "filename": "positive2.json", + "line": 23, + "filename": "positive1.yaml", "resourceType": "AWS::EMR::Cluster", "resourceName": "CFNtest", "searchKey": "Resources.cluster.Properties.Instances", @@ -14,8 +14,8 @@ { "queryName": "EMR Without VPC", "severity": "LOW", - "line": 23, - "filename": "positive1.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "AWS::EMR::Cluster", "resourceName": "CFNtest", "searchKey": "Resources.cluster.Properties.Instances", diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json index ba12d527e5d..03ec9c9eac9 100644 --- a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 32, - "filename": "positive2.json", + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" + }, + { + "queryName": "Fully Open Ingress", + "severity": "HIGH", + "line": 23, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "DBEC2SecurityGroupInline", "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", @@ -38,8 +50,8 @@ { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 19, - "filename": "positive1.yaml", + "line": 26, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "DBEC2SecurityGroupInline", "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", @@ -50,8 +62,8 @@ { "queryName": "Fully Open Ingress", "severity": "HIGH", - "line": 23, - "filename": "positive1.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "DBEC2SecurityGroupInline", "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", @@ -82,17 +94,5 @@ "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" - }, - { - "queryName": "Fully Open Ingress", - "severity": "HIGH", - "line": 26, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "DBEC2SecurityGroupInline", - "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", - "searchValue": "", - "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json index 89a11f2eb36..9c725d235f7 100644 --- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json @@ -2,21 +2,9 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 32, + "line": 11, "filename": "positive1.yaml", "resourceType": "AWS::GameLift::Fleet", - "resourceName": "FleetResource3", - "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", - "searchValue": "", - "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", - "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" - }, - { - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json", - "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource1", "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", "searchValue": "", @@ -26,8 +14,8 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.json", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource1", "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", @@ -38,8 +26,8 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 39, - "filename": "positive2.json", + "line": 28, + "filename": "positive1.yaml", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource3", "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", @@ -50,8 +38,8 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 45, - "filename": "positive2.json", + "line": 32, + "filename": "positive1.yaml", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource3", "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", @@ -62,8 +50,8 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource1", "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", @@ -74,8 +62,8 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.yaml", + "line": 14, + "filename": "positive2.json", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource1", "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", @@ -86,13 +74,25 @@ { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", - "line": 28, - "filename": "positive1.yaml", + "line": 39, + "filename": "positive2.json", "resourceType": "AWS::GameLift::Fleet", "resourceName": "FleetResource3", "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort" + }, + { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", + "severity": "MEDIUM", + "line": 45, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json index 6597af1f467..c8ec3c677ac 100644 --- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 5, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.yaml", "resourceType": "AWS::CodeStar::GitHubRepository", "resourceName": "my-github-repo", - "searchKey": "Resources.MyRepo4.Properties", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", "searchValue": "", - "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", - "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined" + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 14, - "filename": "positive4.json", + "line": 5, + "filename": "positive2.yaml", "resourceType": "AWS::CodeStar::GitHubRepository", "resourceName": "my-github-repo", - "searchKey": "Resources.MyRepo6.Properties.IsPrivate", + "searchKey": "Resources.MyRepo4.Properties", "searchValue": "", - "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", - "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true" + "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined" }, { "queryName": "GitHub Repository Set To Public", @@ -38,20 +38,20 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.yaml", + "line": 14, + "filename": "positive4.json", "resourceType": "AWS::CodeStar::GitHubRepository", "resourceName": "my-github-repo", - "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchKey": "Resources.MyRepo6.Properties.IsPrivate", "searchValue": "", - "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", - "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" + "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "filename": "positive1.yaml", + "filename": "positive5.yaml", "resourceType": "AWS::CodeStar::GitHubRepository", "resourceName": "my-github-repo", "searchKey": "Resources.MyRepo3.Properties.IsPrivate", diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json index a2e4eb23384..563e075bc60 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::GuardDuty::Detector", - "resourceName": "mydetector4", - "searchKey": "Resources.mydetector4.Properties.Enable", + "resourceName": "mydetector3", + "searchKey": "Resources.mydetector3.Properties.Enable", "searchValue": "", - "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true", - "actualValue": "Resources.mydetector4.Properties.Enable is set to false" + "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector3.Properties.Enable is set to false" }, { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::GuardDuty::Detector", - "resourceName": "mydetector3", - "searchKey": "Resources.mydetector3.Properties.Enable", + "resourceName": "mydetector4", + "searchKey": "Resources.mydetector4.Properties.Enable", "searchValue": "", - "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", - "actualValue": "Resources.mydetector3.Properties.Enable is set to false" + "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector4.Properties.Enable is set to false" }, { "queryName": "GuardDuty Detector Disabled", diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index 53c9c477bf5..0f0b2f4ac4b 100644 --- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 29, - "filename": "positive4.json", - "resourceType": "AWS::Lambda::Function", - "resourceName": "LambdaFunction6", - "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables", - "searchValue": "", - "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key" - }, - { - "queryName": "Hardcoded AWS Access Key In Lambda", - "severity": "HIGH", - "line": 29, - "filename": "positive3.json", + "line": 10, + "filename": "positive1.yaml", "resourceType": "AWS::Lambda::Function", - "resourceName": "LambdaFunction5", - "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables", + "resourceName": "LambdaFunction3", + "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables", "searchValue": "", - "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key" + "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -38,13 +26,25 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 10, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive3.json", "resourceType": "AWS::Lambda::Function", - "resourceName": "LambdaFunction3", - "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables", + "resourceName": "LambdaFunction5", + "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables", "searchValue": "", - "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key" + "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key" + }, + { + "queryName": "Hardcoded AWS Access Key In Lambda", + "severity": "HIGH", + "line": 29, + "filename": "positive4.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction6", + "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json index fd1ae10aef4..1558140d50a 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json @@ -11,6 +11,30 @@ "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, + { + "queryName": "HTTP Port Open To Internet", + "severity": "MEDIUM", + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + }, + { + "queryName": "HTTP Port Open To Internet", + "severity": "MEDIUM", + "line": 38, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", @@ -26,32 +50,44 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "line": 63, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49, + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + }, + { + "queryName": "HTTP Port Open To Internet", + "severity": "MEDIUM", + "line": 12, "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 26, - "filename": "positive4.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", "searchKey": "Resources.IPv4Ingress2.Properties", @@ -86,50 +122,38 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 97, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "line": 49, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 61, + "line": 10, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" - }, - { - "queryName": "HTTP Port Open To Internet", - "severity": "MEDIUM", - "line": 38, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 79, - "filename": "positive1.yaml", + "line": 25, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", @@ -146,14 +170,14 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 10, + "line": 61, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", @@ -170,97 +194,73 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 38, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", + "line": 97, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 50, + "line": 14, "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 62, + "line": 26, "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", - "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" - }, - { - "queryName": "HTTP Port Open To Internet", - "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" - }, - { - "queryName": "HTTP Port Open To Internet", - "severity": "MEDIUM", - "line": 63, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_2", - "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml", + "line": 38, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", + "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 25, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "line": 50, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 14, + "line": 62, "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 3f0a2810410..fa4125a7f69 100644 --- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive3.yaml", + "line": 19, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", - "searchKey": "Resources.MyDBSmall.Properties", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive5.yaml", + "line": 31, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", @@ -26,14 +26,14 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.json", + "line": 13, + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", - "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchKey": "Resources.MyDBSmall.Properties", "searchValue": "", - "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" }, { "queryName": "IAM Database Auth Not Enabled", @@ -51,7 +51,7 @@ "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 19, - "filename": "positive1.yaml", + "filename": "positive5.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", diff --git a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index de4f519e23e..5c0bc66a6a5 100644 --- a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive9.yaml", + "line": 22, + "filename": "positive10.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -27,7 +27,19 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml", + "filename": "positive11.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive12.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties", @@ -39,7 +51,19 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "filename": "positive7.yaml", + "filename": "positive13.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 22, + "filename": "positive14.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -62,8 +86,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", + "line": 22, + "filename": "positive16.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -74,8 +98,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive4.json", + "line": 5, + "filename": "positive17.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties", @@ -86,8 +110,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive11.yaml", + "line": 6, + "filename": "positive18.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties", @@ -99,7 +123,7 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "filename": "positive21.yaml", + "filename": "positive19.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", "searchKey": "Resources.PostgresDBCluster.Properties", @@ -110,44 +134,56 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive29.yaml", + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive20.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive14.json", + "line": 5, + "filename": "positive21.yaml", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "sample", - "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "filename": "positive18.json", + "filename": "positive22.json", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "sample", - "searchKey": "Resources.sample.Properties", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "filename": "positive28.json", + "line": 15, + "filename": "positive23.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", @@ -158,38 +194,38 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive20.json", + "line": 21, + "filename": "positive24.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive13.yaml", + "line": 15, + "filename": "positive25.yaml", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "sample", - "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive17.yaml", + "line": 21, + "filename": "positive26.json", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "sample", - "searchKey": "Resources.sample.Properties", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -206,20 +242,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive35.yaml", + "line": 20, + "filename": "positive28.json", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "sample", - "searchKey": "Resources.sample.Properties", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "filename": "positive30.json", + "line": 14, + "filename": "positive29.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", @@ -230,20 +266,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive32.json", + "line": 5, + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", - "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchKey": "Resources.sample.Properties", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "filename": "positive24.json", + "line": 20, + "filename": "positive30.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "PostgresDBCluster", "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", @@ -254,8 +290,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive8.json", + "line": 15, + "filename": "positive31.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -266,8 +302,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive33.yaml", + "line": 23, + "filename": "positive32.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -278,20 +314,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive22.json", + "line": 15, + "filename": "positive33.yaml", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive5.yaml", + "line": 23, + "filename": "positive34.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -302,14 +338,14 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive16.json", + "line": 5, + "filename": "positive35.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", - "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchKey": "Resources.sample.Properties", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -326,20 +362,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive23.yaml", + "line": 6, + "filename": "positive4.json", "resourceType": "AWS::RDS::DBCluster", - "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "filename": "positive31.yaml", + "filename": "positive5.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -347,18 +383,6 @@ "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 15, - "filename": "positive25.yaml", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", - "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" - }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", @@ -374,20 +398,8 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "filename": "positive26.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", - "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" - }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 23, - "filename": "positive34.json", + "line": 14, + "filename": "positive7.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", @@ -398,32 +410,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive19.yaml", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "PostgresDBCluster", - "searchKey": "Resources.PostgresDBCluster.Properties", - "searchValue": "", - "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" - }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive12.json", + "line": 22, + "filename": "positive8.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", - "searchKey": "Resources.sample.Properties", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", - "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive10.json", + "line": 14, + "filename": "positive9.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "sample", "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json index 53abff46382..7ec83c3f036 100644 --- a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "IAM Group Without Users", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2.json", - "resourceType": "AWS::IAM::Group", - "resourceName": "myuseeer2", - "searchKey": "Resources.myuseeer2", - "searchValue": "", - "expectedValue": "Resources.myuseeer2 has at least one user", - "actualValue": "Resources.myuseeer2 does not have at least one user" - }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "Resources.myuseeer has at least one user", "actualValue": "Resources.myuseeer does not have at least one user" + }, + { + "queryName": "IAM Group Without Users", + "severity": "MEDIUM", + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer2", + "searchKey": "Resources.myuseeer2", + "searchValue": "", + "expectedValue": "Resources.myuseeer2 has at least one user", + "actualValue": "Resources.myuseeer2 does not have at least one user" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json index d243d0e6a40..f0ac6d02491 100644 --- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.json", + "line": 10, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::ManagedPolicy", "resourceName": "CreateTestDBPolicy", "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", @@ -14,8 +14,8 @@ { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::IAM::ManagedPolicy", "resourceName": "CreateTestDBPolicy", "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json index bac7aaaff24..217a771768f 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 10, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", @@ -15,7 +15,7 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 14, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.Policies", @@ -27,7 +27,7 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", @@ -39,7 +39,7 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 14, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.Policies", diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 3f09dc6d6ce..a9036b79a83 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", - "resourceType": "AWS::IAM::Group", - "resourceName": "RootGroup", - "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", - "searchValue": "", - "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]" - }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 13, - "filename": "positive12.json", - "resourceType": "AWS::IAM::Policy", - "resourceName": "CFNUsers", - "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "CFNUser", + "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", - "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" + "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -50,14 +38,38 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 15, - "filename": "positive9.json", - "resourceType": "AWS::IAM::Role", - "resourceName": "RootRole", - "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "line": 13, + "filename": "positive12.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", - "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" + }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "RootGroup", + "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]" + }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -83,18 +95,6 @@ "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]" }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 13, - "filename": "positive8.json", - "resourceType": "AWS::IAM::Policy", - "resourceName": "CFNUsers", - "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", - "searchValue": "", - "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" - }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", @@ -122,25 +122,25 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml", + "line": 13, + "filename": "positive8.json", "resourceType": "AWS::IAM::Policy", "resourceName": "CFNUsers", "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]" + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.yaml", - "resourceType": "AWS::IAM::User", - "resourceName": "CFNUser", - "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "line": 15, + "filename": "positive9.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", - "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" + "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 9f8cd1df8d6..b994e56bc83 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 29, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Policy", "resourceName": "mygrouppolicy", "searchKey": "Resources.mypolicy.Properties.PolicyDocument", @@ -14,8 +14,8 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 9, - "filename": "positive2.json", + "line": 21, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Policy", "resourceName": "mygrouppolicy", "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", @@ -26,11 +26,11 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive2.json", "resourceType": "AWS::IAM::Policy", "resourceName": "mygrouppolicy", - "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" @@ -38,11 +38,11 @@ { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 21, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive2.json", "resourceType": "AWS::IAM::Policy", "resourceName": "mygrouppolicy", - "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json index 009017b04ea..cdfab874841 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM Policy On User", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json", + "line": 11, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Policy", "resourceName": "BadPolicy", "searchKey": "Resources.BadPolicy.Properties.Users", @@ -14,8 +14,8 @@ { "queryName": "IAM Policy On User", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "AWS::IAM::Policy", "resourceName": "BadPolicy", "searchKey": "Resources.BadPolicy.Properties.Users", diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json index 2b17a68912d..96fcb08b6f6 100644 --- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.LoginProfile.Password", @@ -15,7 +15,7 @@ "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.LoginProfile.Password", diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index 6cdceeb22eb..c6c38703adb 100644 --- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json @@ -26,25 +26,25 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 20, + "line": 5, "filename": "positive2.json", "resourceType": "AWS::IAM::AccessKey", - "resourceName": "firstKey", - "searchKey": "Resources.firstKey", + "resourceName": "secondKey", + "searchKey": "Resources.secondKey", "searchValue": "", - "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" + "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 5, + "line": 20, "filename": "positive2.json", "resourceType": "AWS::IAM::AccessKey", - "resourceName": "secondKey", - "searchKey": "Resources.secondKey", + "resourceName": "firstKey", + "searchKey": "Resources.firstKey", "searchValue": "", - "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" + "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json index cfdf70bcf3a..52f1375f3d3 100644 --- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "IAM User With No Group", - "severity": "LOW", - "line": 7, - "filename": "positive2.yaml", - "resourceType": "AWS::IAM::User", - "resourceName": "TestUser", - "searchKey": "Resources.emptyGroup.Properties.Groups", - "searchValue": "", - "expectedValue": "'Resources.Properties.Groups' should contain groups", - "actualValue": "'Resources.Properties.Groups' is empty" - }, { "queryName": "IAM User With No Group", "severity": "LOW", @@ -26,8 +14,8 @@ { "queryName": "IAM User With No Group", "severity": "LOW", - "line": 8, - "filename": "positive4.json", + "line": 7, + "filename": "positive2.yaml", "resourceType": "AWS::IAM::User", "resourceName": "TestUser", "searchKey": "Resources.emptyGroup.Properties.Groups", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'Resources.Properties should contain Groups", "actualValue": "'Resources.Properties' does not contain Groups" + }, + { + "queryName": "IAM User With No Group", + "severity": "LOW", + "line": 8, + "filename": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index d92adb4e17d..e53b7ff12a1 100644 --- a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 25, - "filename": "positive5.yaml", - "resourceType": "AWS::EC2::LaunchTemplate", - "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", "searchValue": "", - "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 25, - "filename": "positive4.json", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", "searchValue": "", - "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", "line": 10, - "filename": "positive7.yaml", + "filename": "positive10.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", @@ -38,20 +38,20 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 11, - "filename": "positive3.yaml", - "resourceType": "AWS::EC2::Instance", - "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "line": 24, + "filename": "positive10.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties", @@ -62,8 +62,8 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 15, - "filename": "positive1.yaml", + "line": 16, + "filename": "positive2.json", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", @@ -74,32 +74,32 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 10, - "filename": "positive9.yaml", + "line": 11, + "filename": "positive3.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 12, - "filename": "positive5.yaml", - "resourceType": "AWS::EC2::Instance", - "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "line": 23, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 12, - "filename": "positive6.json", + "line": 11, + "filename": "positive4.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", @@ -110,8 +110,8 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 27, - "filename": "positive6.json", + "line": 25, + "filename": "positive4.json", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", @@ -122,56 +122,56 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 23, - "filename": "positive3.yaml", - "resourceType": "AWS::EC2::LaunchTemplate", - "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "line": 12, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", - "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 22, - "filename": "positive9.yaml", + "line": 25, + "filename": "positive5.yaml", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 7, - "filename": "positive2.json", + "line": 12, + "filename": "positive6.json", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 16, - "filename": "positive2.json", + "line": 27, + "filename": "positive6.json", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", - "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", "line": 10, - "filename": "positive8.json", + "filename": "positive7.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", @@ -182,8 +182,8 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 23, - "filename": "positive8.json", + "line": 21, + "filename": "positive7.yaml", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", @@ -194,20 +194,20 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 24, - "filename": "positive10.json", - "resourceType": "AWS::EC2::LaunchTemplate", - "resourceName": "MyLaunchTemplate", - "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "line": 10, + "filename": "positive8.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", - "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 21, - "filename": "positive7.yaml", + "line": 23, + "filename": "positive8.json", "resourceType": "AWS::EC2::LaunchTemplate", "resourceName": "MyLaunchTemplate", "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", @@ -218,25 +218,25 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 11, - "filename": "positive4.json", + "line": 10, + "filename": "positive9.yaml", "resourceType": "AWS::EC2::Instance", "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 10, - "filename": "positive10.json", - "resourceType": "AWS::EC2::Instance", - "resourceName": "MyEC2Instance", - "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "line": 22, + "filename": "positive9.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", - "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json index bfbc2161327..42d1f6185d4 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::IoT::Policy", "resourceName": "PolicyName", "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", @@ -15,7 +15,7 @@ "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::IoT::Policy", "resourceName": "PolicyName", "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json index 3b11e972e1d..329c4409f1d 100644 --- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 26, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::Kinesis::Stream", + "resourceName": "EventStream", + "searchKey": "Resources.EventStream1.Properties.StreamEncryption", + "searchValue": "KeyId", + "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", + "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" + }, + { + "queryName": "Kinesis SSE Not Configured", + "severity": "HIGH", + "line": 19, + "filename": "positive1.yaml", "resourceType": "AWS::Kinesis::Stream", "resourceName": "EventStream", "searchKey": "Resources.EventStream2.Properties.StreamEncryption", @@ -14,8 +26,8 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 39, - "filename": "positive2.json", + "line": 26, + "filename": "positive1.yaml", "resourceType": "AWS::Kinesis::Stream", "resourceName": "EventStream", "searchKey": "Resources.EventStream3.Properties", @@ -26,8 +38,8 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive2.json", "resourceType": "AWS::Kinesis::Stream", "resourceName": "EventStream", "searchKey": "Resources.EventStream1.Properties.StreamEncryption", @@ -38,8 +50,8 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 19, - "filename": "positive1.yaml", + "line": 26, + "filename": "positive2.json", "resourceType": "AWS::Kinesis::Stream", "resourceName": "EventStream", "searchKey": "Resources.EventStream2.Properties.StreamEncryption", @@ -50,25 +62,13 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 26, - "filename": "positive1.yaml", + "line": 39, + "filename": "positive2.json", "resourceType": "AWS::Kinesis::Stream", "resourceName": "EventStream", "searchKey": "Resources.EventStream3.Properties", "searchValue": "", "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set", "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined" - }, - { - "queryName": "Kinesis SSE Not Configured", - "severity": "HIGH", - "line": 9, - "filename": "positive2.json", - "resourceType": "AWS::Kinesis::Stream", - "resourceName": "EventStream", - "searchKey": "Resources.EventStream1.Properties.StreamEncryption", - "searchValue": "KeyId", - "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", - "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json index 0af298c818b..a98ebd8b67e 100644 --- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "KMS Allows Wildcard Principal", "severity": "MEDIUM", "line": 8, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.KeyPolicy", @@ -15,7 +15,7 @@ "queryName": "KMS Allows Wildcard Principal", "severity": "MEDIUM", "line": 8, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.KeyPolicy", diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json index 565be795d76..6b4949c9d40 100644 --- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.EnableKeyRotation", @@ -15,7 +15,7 @@ "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", "line": 51, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", @@ -26,8 +26,8 @@ { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 60, + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.EnableKeyRotation", @@ -38,8 +38,8 @@ { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 51, - "filename": "positive1.yaml", + "line": 65, + "filename": "positive2.json", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", @@ -50,8 +50,8 @@ { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 60, - "filename": "positive2.json", + "line": 8, + "filename": "positive3.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey", "searchKey": "Resources.myKey.Properties.EnableKeyRotation", @@ -62,8 +62,8 @@ { "queryName": "KMS Key Rotation Disabled", "severity": "MEDIUM", - "line": 65, - "filename": "positive2.json", + "line": 51, + "filename": "positive3.yaml", "resourceType": "AWS::KMS::Key", "resourceName": "myKey2", "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 59cbc1b7cc8..bbf9fc9fc4c 100644 --- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "KMS Key With Vulnerable Policy", + "severity": "HIGH", + "line": 9, + "filename": "positive.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "RSASigningKey", + "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", + "searchValue": "", + "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", + "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" + }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", @@ -23,18 +35,6 @@ "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null", "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null" }, - { - "queryName": "KMS Key With Vulnerable Policy", - "severity": "HIGH", - "line": 9, - "filename": "positive.json", - "resourceType": "AWS::KMS::Key", - "resourceName": "RSASigningKey", - "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", - "searchValue": "", - "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", - "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" - }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index 5532eeddf83..67f3f97d535 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Lambda Function Without Dead Letter Queue", - "severity": "LOW", - "line": 27, - "filename": "positive2.yaml", - "resourceType": "AWS::Lambda::Function", - "resourceName": "Function2", - "searchKey": "Resources.Function2.Properties.DeadLetterConfig", - "searchValue": "", - "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null", - "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null" - }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig' should be defined and not null", "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null" + }, + { + "queryName": "Lambda Function Without Dead Letter Queue", + "severity": "LOW", + "line": 27, + "filename": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.DeadLetterConfig", + "searchValue": "", + "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null", + "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json index e51e042c144..04f9944ba25 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Lambda Functions With Full Privileges", "severity": "HIGH", - "line": 101, - "filename": "positive2.json", + "line": 76, + "filename": "positive1.yaml", "resourceType": "AWS::Lambda::Function", "resourceName": "AppendItemToListFunction", "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", @@ -14,8 +14,8 @@ { "queryName": "Lambda Functions With Full Privileges", "severity": "HIGH", - "line": 76, - "filename": "positive1.yaml", + "line": 101, + "filename": "positive2.json", "resourceType": "AWS::Lambda::Function", "resourceName": "AppendItemToListFunction", "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json index 6908c240281..b8f62bfcddd 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 7, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::Lambda::Function", "resourceName": "Primer01", "searchKey": "Resources.Primer01.Properties.Role", @@ -14,8 +14,8 @@ { "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 24, - "filename": "positive2.json", + "line": 41, + "filename": "positive1.yaml", "resourceType": "AWS::Lambda::Function", "resourceName": "Primer02", "searchKey": "Resources.Primer02.Properties.Role", @@ -26,8 +26,8 @@ { "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::Lambda::Function", "resourceName": "Primer01", "searchKey": "Resources.Primer01.Properties.Role", @@ -38,8 +38,8 @@ { "queryName": "Lambda Functions Without Unique IAM Roles", "severity": "HIGH", - "line": 41, - "filename": "positive1.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "AWS::Lambda::Function", "resourceName": "Primer02", "searchKey": "Resources.Primer02.Properties.Role", diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 3197e1a9b92..e67b56ab589 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 4, - "filename": "positive4.json", + "line": 37, + "filename": "positive1.yaml", "resourceType": "AWS::Lambda::Function", - "resourceName": "Function", - "searchKey": "Resources.Function.Properties", + "resourceName": "primer", + "searchKey": "Resources.primer.Properties.TracingConfig.Mode", "searchValue": "", - "expectedValue": "Property 'TracingConfig' should be defined", - "actualValue": "Property 'TracingConfig' is undefined" + "expectedValue": "TracingConfig.Mode should be set to 'Active'", + "actualValue": "TracingConfig.Mode is set to 'PassThrough'" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -26,8 +26,8 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 37, - "filename": "positive1.yaml", + "line": 16, + "filename": "positive3.json", "resourceType": "AWS::Lambda::Function", "resourceName": "primer", "searchKey": "Resources.primer.Properties.TracingConfig.Mode", @@ -38,13 +38,13 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 16, - "filename": "positive3.json", + "line": 4, + "filename": "positive4.json", "resourceType": "AWS::Lambda::Function", - "resourceName": "primer", - "searchKey": "Resources.primer.Properties.TracingConfig.Mode", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", "searchValue": "", - "expectedValue": "TracingConfig.Mode should be set to 'Active'", - "actualValue": "TracingConfig.Mode is set to 'PassThrough'" + "expectedValue": "Property 'TracingConfig' should be defined", + "actualValue": "Property 'TracingConfig' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json index d946d2e091f..f9677324582 100644 --- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Low RDS Backup Retention Period", + "severity": "LOW", + "line": 52, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "DatabaseCluster", + "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" + }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", @@ -38,8 +50,8 @@ { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 52, - "filename": "positive1.yaml", + "line": 113, + "filename": "positive5.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "DatabaseCluster", "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", @@ -50,26 +62,14 @@ { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 54, - "filename": "positive8.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "BadDatabaseCluster", - "searchKey": "Resources.BadDatabaseCluster.Properties", - "searchValue": "", - "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" - }, - { - "queryName": "Low RDS Backup Retention Period", - "severity": "LOW", - "line": 113, - "filename": "positive5.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "DatabaseCluster", - "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "line": 55, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", "searchValue": "", - "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" + "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" }, { "queryName": "Low RDS Backup Retention Period", @@ -86,13 +86,13 @@ { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 55, - "filename": "positive6.json", - "resourceType": "AWS::RDS::DBInstance", - "resourceName": "MyDBSmall", - "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", + "line": 54, + "filename": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "BadDatabaseCluster", + "searchKey": "Resources.BadDatabaseCluster.Properties", "searchValue": "", - "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" + "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json index c6dfcc02c0f..54fa6a6b722 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 88, - "filename": "positive3.yaml", - "resourceType": "AWS::AmazonMQ::Broker", - "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker7.Properties", - "searchValue": "", - "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", - "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 84, + "line": 22, "filename": "positive1.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchKey": "Resources.BasicBroker3.Properties.Logs", "searchValue": "", - "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", - "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" }, { "queryName": "MQ Broker Logging Disabled", @@ -38,32 +26,20 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 121, - "filename": "positive2.json", - "resourceType": "AWS::AmazonMQ::Broker", - "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker12.Properties", - "searchValue": "", - "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", - "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined" - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 28, - "filename": "positive2.json", + "line": 63, + "filename": "positive1.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker8.Properties.Logs", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", "searchValue": "", - "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined" + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 84, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", @@ -86,26 +62,26 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 63, - "filename": "positive1.yaml", + "line": 28, + "filename": "positive2.json", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchKey": "Resources.BasicBroker8.Properties.Logs", "searchValue": "", - "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", - "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" + "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", + "line": 56, + "filename": "positive2.json", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchKey": "Resources.BasicBroker9.Properties.Logs", "searchValue": "", - "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" + "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined" }, { "queryName": "MQ Broker Logging Disabled", @@ -134,14 +110,38 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 56, + "line": 121, "filename": "positive2.json", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker9.Properties.Logs", + "searchKey": "Resources.BasicBroker12.Properties", "searchValue": "", - "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be set", - "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined" + "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 22, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 42, + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" }, { "queryName": "MQ Broker Logging Disabled", @@ -158,25 +158,25 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 22, + "line": 84, "filename": "positive3.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", "searchValue": "", - "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 42, + "line": 88, "filename": "positive3.yaml", "resourceType": "AWS::AmazonMQ::Broker", "resourceName": "MyBasicBroker", - "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchKey": "Resources.BasicBroker7.Properties", "searchValue": "", - "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", - "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index 505533e50fb..44b439e214d 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", - "line": 15, - "filename": "positive2.json", + "line": 18, + "filename": "positive1.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", @@ -14,8 +14,8 @@ { "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", - "line": 18, - "filename": "positive1.yaml", + "line": 15, + "filename": "positive2.json", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index ad5f027c1d7..037a3f851ca 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "MSK Cluster Encryption Disabled", + "severity": "HIGH", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined" + }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", @@ -26,14 +38,14 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 5, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive4.json", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithAllProperties", - "searchKey": "Resources.TestCluster5.Properties", + "searchKey": "Resources.TestCluster8.Properties", "searchValue": "", - "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", - "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined" + "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -58,17 +70,5 @@ "searchValue": "", "expectedValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", "actualValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'" - }, - { - "queryName": "MSK Cluster Encryption Disabled", - "severity": "HIGH", - "line": 6, - "filename": "positive4.json", - "resourceType": "AWS::MSK::Cluster", - "resourceName": "ClusterWithAllProperties", - "searchKey": "Resources.TestCluster8.Properties", - "searchValue": "", - "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", - "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 129888d5670..06304277ad1 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -2,44 +2,32 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.json", - "resourceType": "AWS::MSK::Cluster", - "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster8.Properties", - "searchValue": "", - "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", - "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined" - }, - { - "queryName": "MSK Cluster Logging Disabled", - "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchKey": "Resources.TestCluster5.Properties", "searchValue": "", - "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" + "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.json", + "line": 12, + "filename": "positive2.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", - "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled" + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive7.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", @@ -51,7 +39,7 @@ "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive7.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", @@ -62,26 +50,26 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive3.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster5.Properties", + "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", - "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", - "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined" + "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive4.json", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchKey": "Resources.TestCluster8.Properties", "searchValue": "", - "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined" }, { "queryName": "MSK Cluster Logging Disabled", @@ -95,6 +83,18 @@ "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" }, + { + "queryName": "MSK Cluster Logging Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" + }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", @@ -110,35 +110,35 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive7.yaml", + "line": 13, + "filename": "positive6.json", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", - "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "filename": "positive3.yaml", + "filename": "positive7.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", - "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled" + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", + "line": 15, + "filename": "positive7.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", - "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" @@ -147,7 +147,7 @@ "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive2.yaml", + "filename": "positive7.yaml", "resourceType": "AWS::MSK::Cluster", "resourceName": "ClusterWithRequiredProperties", "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index d1d630ba529..46a9b0574ea 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 8, - "filename": "positive2.json", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster", "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", @@ -14,8 +14,8 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 15, - "filename": "positive2.json", + "line": 12, + "filename": "positive1.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster2", "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", @@ -26,8 +26,8 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 7, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster", "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", @@ -38,8 +38,8 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 12, - "filename": "positive1.yaml", + "line": 15, + "filename": "positive2.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster2", "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 45b50ce4c8e..d8de7246c68 100644 --- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 27, - "filename": "positive3.yaml", + "line": 21, + "filename": "positive2.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster", "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", @@ -26,8 +26,8 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 21, - "filename": "positive2.json", + "line": 27, + "filename": "positive3.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "NeptuneDBCluster", "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json index 506242e05a6..fd1370217be 100644 --- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive8.yaml", + "line": 6, + "filename": "positive1.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" + }, + { + "queryName": "Neptune Logging Is Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", @@ -14,8 +26,8 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive7.yaml", + "line": 8, + "filename": "positive3.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", @@ -26,14 +38,14 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive6.yaml", + "line": 8, + "filename": "positive4.json", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", - "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null" + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" }, { "queryName": "Neptune Logging Is Disabled", @@ -50,20 +62,20 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json", + "line": 7, + "filename": "positive6.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", - "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json", + "line": 7, + "filename": "positive7.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", @@ -74,25 +86,13 @@ { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json", + "line": 7, + "filename": "positive8.yaml", "resourceType": "AWS::Neptune::DBCluster", "resourceName": "Prod", "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" - }, - { - "queryName": "Neptune Logging Is Disabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json", - "resourceType": "AWS::Neptune::DBCluster", - "resourceName": "Prod", - "searchKey": "Resources.Prod.Properties", - "searchValue": "", - "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index a880ae7e75d..0df65e81bbc 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", - "line": 9, - "filename": "positive2.json", + "line": 12, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "Positive1", "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", @@ -14,8 +14,8 @@ { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", - "line": 12, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "Positive1", "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 60167e71406..b7a5d6e2fbb 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", @@ -14,8 +14,8 @@ { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 69, - "filename": "positive1.yaml", + "line": 61, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", @@ -26,8 +26,8 @@ { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 61, - "filename": "positive2.json", + "line": 69, + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "DBName", "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json index 3655472f0a1..12ad686ffff 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" }, + { + "queryName": "RDS DB Instance With Deletion Protection Disabled", + "severity": "LOW", + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" + }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" - }, - { - "queryName": "RDS DB Instance With Deletion Protection Disabled", - "severity": "LOW", - "line": 30, - "filename": "positive2.yaml", - "resourceType": "AWS::RDS::DBInstance", - "resourceName": "MyDBSmall1", - "searchKey": "Resources.MyDBSmall1.Properties", - "searchValue": "", - "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", - "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json index 863e26fd05f..59e1870d0e9 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 89, - "filename": "positive2.json", + "line": 128, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "", "searchKey": "Resources.MasterDB.Properties.MultiAZ", @@ -14,8 +14,8 @@ { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 124, - "filename": "positive2.json", + "line": 148, + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "Read Replica Database", "searchKey": "Resources.ReplicaDB.Properties", @@ -26,8 +26,8 @@ { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 128, - "filename": "positive1.yaml", + "line": 89, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "", "searchKey": "Resources.MasterDB.Properties.MultiAZ", @@ -38,8 +38,8 @@ { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", - "line": 148, - "filename": "positive1.yaml", + "line": 124, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "Read Replica Database", "searchKey": "Resources.ReplicaDB.Properties", diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json index 8f1dcd7e68d..fcb9dec4ca2 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json @@ -26,20 +26,8 @@ { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 5, - "filename": "positive5.yaml", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "NoEncryption", - "searchKey": "Resources.NoEncryption.Properties", - "searchValue": "", - "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined" - }, - { - "queryName": "RDS Storage Encryption Disabled", - "severity": "HIGH", - "line": 12, - "filename": "positive6.yaml", + "line": 9, + "filename": "positive3.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "RDSCluster", "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", @@ -62,8 +50,20 @@ { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", - "line": 9, - "filename": "positive3.json", + "line": 5, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "NoEncryption", + "searchKey": "Resources.NoEncryption.Properties", + "searchValue": "", + "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined" + }, + { + "queryName": "RDS Storage Encryption Disabled", + "severity": "HIGH", + "line": 12, + "filename": "positive6.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "RDSCluster", "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json index c9ef5067819..cbe2b029d1a 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json @@ -1,21 +1,9 @@ [ - { - "queryName": "RDS Storage Not Encrypted", - "severity": "HIGH", - "line": 50, - "filename": "positive3.json", - "resourceType": "AWS::RDS::DBInstance", - "resourceName": "MyDBSmall", - "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", - "searchValue": "", - "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" - }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 35, - "filename": "positive5.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", @@ -38,8 +26,8 @@ { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", - "line": 35, - "filename": "positive1.yaml", + "line": 50, + "filename": "positive3.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBSmall", "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined" + }, + { + "queryName": "RDS Storage Not Encrypted", + "severity": "HIGH", + "line": 35, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json index 7859094d3ee..1e0d0ee1710 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json @@ -14,26 +14,26 @@ { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 15, - "filename": "positive3.yaml", + "line": 21, + "filename": "positive2.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDB", "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", - "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" }, { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 21, - "filename": "positive2.json", + "line": 15, + "filename": "positive3.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDB", "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", - "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" }, { "queryName": "RDS Using Default Port", diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 0d9b1e76bc2..fa90cd13168 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -3,91 +3,91 @@ "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "filename": "positive7.json", + "filename": "positive10.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "filename": "positive8.json", + "line": 26, + "filename": "positive11.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", - "searchKey": "Resources.RedshiftCluster.Properties", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "filename": "positive4.yaml", + "line": 24, + "filename": "positive12.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", - "searchKey": "Resources.RedshiftCluster.Properties", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "filename": "positive3.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "filename": "positive9.json", + "line": 5, + "filename": "positive4.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 26, - "filename": "positive11.json", + "line": 19, + "filename": "positive5.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", @@ -98,8 +98,8 @@ { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 24, - "filename": "positive12.json", + "line": 18, + "filename": "positive6.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", @@ -111,36 +111,36 @@ "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "filename": "positive10.json", + "filename": "positive7.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 19, - "filename": "positive5.yaml", + "line": 6, + "filename": "positive8.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", - "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 18, - "filename": "positive6.yaml", + "line": 6, + "filename": "positive9.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", - "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", - "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json index b6ac9382455..03bffa06cae 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Redshift Not Encrypted", - "severity": "HIGH", - "line": 21, - "filename": "positive2.yaml", - "resourceType": "AWS::Redshift::Cluster", - "resourceName": "${DatabaseName}", - "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", - "searchValue": "", - "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", - "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" - }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", @@ -26,8 +14,8 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 32, - "filename": "positive4.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "${DatabaseName}", "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", @@ -47,6 +35,18 @@ "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" }, + { + "queryName": "Redshift Not Encrypted", + "severity": "HIGH", + "line": 32, + "filename": "positive4.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" + }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json index 6b1f44ad10e..f970877da65 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -1,21 +1,9 @@ [ - { - "queryName": "Redshift Publicly Accessible", - "severity": "HIGH", - "line": 17, - "filename": "positive3.yaml", - "resourceType": "AWS::Redshift::Cluster", - "resourceName": "mydb", - "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", - "searchValue": "", - "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" - }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 4, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.myCluster.Properties", @@ -38,8 +26,8 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.myCluster.Properties", @@ -62,13 +50,25 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 5, - "filename": "positive2.json", + "line": 4, + "filename": "positive3.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" + }, + { + "queryName": "Redshift Publicly Accessible", + "severity": "HIGH", + "line": 17, + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json index 9552b6ded0b..5286c13900e 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 39, - "filename": "positive2.json", - "resourceType": "AWS::Redshift::Cluster", - "resourceName": "mydb", - "searchKey": "Resources.myCluster2.Properties.Port", - "searchValue": "", - "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", - "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" - }, - { - "queryName": "Redshift Using Default Port", - "severity": "LOW", - "line": 5, - "filename": "positive2.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.myCluster.Properties", @@ -38,13 +26,25 @@ { "queryName": "Redshift Using Default Port", "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::Redshift::Cluster", "resourceName": "mydb", "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", "actualValue": "'Resources.myCluster.Properties.Port' is not defined" + }, + { + "queryName": "Redshift Using Default Port", + "severity": "LOW", + "line": 39, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 11670d426d8..361470afb9c 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -2,50 +2,50 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 61, - "filename": "positive3.json", + "line": 10, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 76, - "filename": "positive3.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_2", - "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -62,26 +62,38 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 50, - "filename": "positive4.json", + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + }, + { + "queryName": "Remote Desktop Port Open To Internet", + "severity": "HIGH", + "line": 12, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 46, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -98,20 +110,20 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 51, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "line": 40, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 62, - "filename": "positive4.json", + "line": 49, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", "searchKey": "Resources.IPv6Ingress3.Properties", @@ -146,56 +158,44 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 26, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", - "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" - }, - { - "queryName": "Remote Desktop Port Open To Internet", - "severity": "HIGH", - "line": 21, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", + "line": 46, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 40, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", + "line": 61, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 38, - "filename": "positive1.yaml", + "line": 76, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 79, - "filename": "positive1.yaml", + "line": 97, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1ArrayTestIPv6", "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", @@ -206,61 +206,61 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 10, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 22, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "line": 26, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 97, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "line": 38, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 12, - "filename": "positive2.yaml", + "line": 50, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 14, + "line": 62, "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json index fa810692739..b8eb5435aa6 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Route53 Record Undefined", "severity": "HIGH", - "line": 5, - "filename": "positive2.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", "searchKey": "Resources.HostedZone", @@ -14,8 +14,8 @@ { "queryName": "Route53 Record Undefined", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", "searchKey": "Resources.HostedZone", diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json index a2084cb3860..9680f10a214 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json @@ -50,25 +50,25 @@ { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 108, + "line": 43, "filename": "positive2.json", "resourceType": "AWS::EC2::Route", - "resourceName": "PublicRoute2", - "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", "searchValue": "", - "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", - "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 43, + "line": 108, "filename": "positive2.json", "resourceType": "AWS::EC2::Route", - "resourceName": "PublicRoute3", - "searchKey": "Resources.PublicRoute3.Properties", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", "searchValue": "", - "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", - "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index cf83cd731e2..2a8548872db 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 3, - "filename": "positive2.json", + "line": 2, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket", "searchKey": "Resources.Bucket", @@ -14,8 +14,8 @@ { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 42, - "filename": "positive2.json", + "line": 27, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket2", "searchKey": "Resources.Bucket2", @@ -27,10 +27,10 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - "filename": "positive3.yaml", + "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3BucketName", - "searchKey": "Resources.SWBS3Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", "actualValue": "associated Bucket Policy allows access to any principal" @@ -38,11 +38,11 @@ { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 2, - "filename": "positive1.yaml", + "line": 42, + "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket", - "searchKey": "Resources.Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", "actualValue": "associated Bucket Policy allows access to any principal" @@ -50,11 +50,11 @@ { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", - "line": 27, - "filename": "positive1.yaml", + "line": 3, + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket2", - "searchKey": "Resources.Bucket2", + "resourceName": "S3BucketName", + "searchKey": "Resources.SWBS3Bucket", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", "actualValue": "associated Bucket Policy allows access to any principal" diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 8063863ddcd..01a3cf7dbf8 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -3,31 +3,31 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "filename": "positive4.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3BucketForWebsiteContent", - "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 13, - "filename": "positive5.json", + "line": 7, + "filename": "positive2.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "jenkins-artifacts", - "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "filename": "positive7.json", + "line": 7, + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "jenkins-artifacts-block-public", "searchKey": "Resources.JenkinsArtifacts02.AccessControl", @@ -38,8 +38,8 @@ { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "filename": "positive8.json", + "line": 7, + "filename": "positive4.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "S3BucketForWebsiteContent", "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", @@ -50,20 +50,8 @@ { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 8, - "filename": "positive6.json", - "resourceType": "AWS::S3::Bucket", - "resourceName": "public-read-static-page01", - "searchKey": "Resources.StaticPage01.AccessControl", - "searchValue": "", - "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" - }, - { - "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", - "severity": "CRITICAL", - "line": 7, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive5.json", "resourceType": "AWS::S3::Bucket", "resourceName": "jenkins-artifacts", "searchKey": "Resources.JenkinsArtifacts01.AccessControl", @@ -74,8 +62,8 @@ { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive6.json", "resourceType": "AWS::S3::Bucket", "resourceName": "public-read-static-page01", "searchKey": "Resources.StaticPage01.AccessControl", @@ -86,13 +74,25 @@ { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7, - "filename": "positive3.yaml", + "line": 8, + "filename": "positive7.json", "resourceType": "AWS::S3::Bucket", "resourceName": "jenkins-artifacts-block-public", "searchKey": "Resources.JenkinsArtifacts02.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'" + }, + { + "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", + "severity": "CRITICAL", + "line": 8, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 6145b174da5..6fd45526be8 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "S3 bucket should not have a public readable ACL", "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" }, + { + "queryName": "S3 Bucket ACL Allows Read to All Users", + "severity": "HIGH", + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" + }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", @@ -26,26 +38,26 @@ { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 13, - "filename": "positive5.json", + "line": 7, + "filename": "positive4.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "jenkins-artifacts", - "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 8, - "filename": "positive8.json", + "line": 13, + "filename": "positive5.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3BucketForWebsiteContent", - "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -74,25 +86,13 @@ { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 7, - "filename": "positive4.yaml", + "line": 8, + "filename": "positive8.json", "resourceType": "AWS::S3::Bucket", "resourceName": "S3BucketForWebsiteContent", "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" - }, - { - "queryName": "S3 Bucket ACL Allows Read to All Users", - "severity": "HIGH", - "line": 7, - "filename": "positive2.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "public-read-static-page01", - "searchKey": "Resources.StaticPage01.Properties.AccessControl", - "searchValue": "", - "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 306f3c9e688..296a6b5c6d2 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "filename": "positive5.json", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "jenkins-artifacts", "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", @@ -15,49 +15,49 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3BucketForWebsiteContent", - "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "jenkins-artifacts", - "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "filename": "positive3.yaml", + "filename": "positive4.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "jenkins-artifacts-block-public", - "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "filename": "positive2.yaml", + "filename": "positive5.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "public-read-static-page01", - "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -74,25 +74,25 @@ { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 7, - "filename": "positive8.json", + "line": 20, + "filename": "positive7.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3BucketForWebsiteContent", - "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 20, - "filename": "positive7.json", + "line": 7, + "filename": "positive8.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "jenkins-artifacts-block-public", - "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json index 6a32b6dfd9a..7496aaaf880 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "S3 Bucket Allows Delete Action From All Principals", - "severity": "CRITICAL", - "line": 9, - "filename": "positive2.json", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy5", - "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" - }, - { - "queryName": "S3 Bucket Allows Delete Action From All Principals", - "severity": "CRITICAL", - "line": 35, - "filename": "positive2.json", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy6", - "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" - }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + }, + { + "queryName": "S3 Bucket Allows Delete Action From All Principals", + "severity": "CRITICAL", + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + }, + { + "queryName": "S3 Bucket Allows Delete Action From All Principals", + "severity": "CRITICAL", + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json index d32b45f1d83..6844270acc3 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "S3 Bucket Allows Get Action From All Principals", - "severity": "HIGH", - "line": 9, - "filename": "positive2.json", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy5", - "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" - }, - { - "queryName": "S3 Bucket Allows Get Action From All Principals", - "severity": "HIGH", - "line": 35, - "filename": "positive2.json", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy6", - "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" - }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + }, + { + "queryName": "S3 Bucket Allows Get Action From All Principals", + "severity": "HIGH", + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + }, + { + "queryName": "S3 Bucket Allows Get Action From All Principals", + "severity": "HIGH", + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json index ac5ed8776c9..72afa13e04d 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "S3 Bucket Allows List Action From All Principals", + "severity": "HIGH", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals" + }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals" - }, - { - "queryName": "S3 Bucket Allows List Action From All Principals", - "severity": "HIGH", - "line": 7, - "filename": "positive1.yaml", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy3", - "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index 17bea8fba87..e11ae13f1ef 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -2,20 +2,32 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 20, + "line": 4, "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket13", - "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", "searchValue": "", - "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + }, + { + "queryName": "S3 Bucket Allows Public ACL", + "severity": "MEDIUM", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 20, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket13", "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", @@ -35,23 +47,11 @@ "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket1)", "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)" }, - { - "queryName": "S3 Bucket Allows Public ACL", - "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket12", - "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", - "searchValue": "", - "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" - }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket11", "searchKey": "Resources.Bucket11.Properties", @@ -62,25 +62,25 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 4, + "line": 10, "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket11", - "searchKey": "Resources.Bucket11.Properties", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", - "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 10, + "line": 20, "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket12", - "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", "searchValue": "", - "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 684db2a066e..bf1a4a26b0b 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 113, - "filename": "positive2.json", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "mybucket", "searchKey": "Resources.mybucket.Properties", @@ -14,8 +14,8 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", + "line": 113, + "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", "resourceName": "mybucket", "searchKey": "Resources.mybucket.Properties", diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json index 87cfc1d9d61..6bc7142b49f 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 4, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "MyS3Bucket2", - "searchKey": "Resources.MyS3Bucket2", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", "searchValue": "", - "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -23,18 +23,6 @@ "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'" }, - { - "queryName": "S3 Bucket Should Have Bucket Policy", - "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "docexamplebucket1", - "searchKey": "Resources.S3Bucket3", - "searchValue": "", - "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" - }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", @@ -50,14 +38,14 @@ { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 5, - "filename": "positive4.json", + "line": 42, + "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "MyS3Bucket2", - "searchKey": "Resources.MyS3Bucket2", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", "searchValue": "", - "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -74,25 +62,37 @@ { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 42, + "line": 130, "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "docexamplebucket1", - "searchKey": "Resources.S3Bucket3", + "resourceName": "docexamplebucket5", + "searchKey": "Resources.S3Bucket7", "searchValue": "", - "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" + "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", - "line": 130, - "filename": "positive2.json", + "line": 4, + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "docexamplebucket5", - "searchKey": "Resources.S3Bucket7", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", "searchValue": "", - "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" + }, + { + "queryName": "S3 Bucket Should Have Bucket Policy", + "severity": "LOW", + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", + "searchValue": "", + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 15435222b5c..899177654eb 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "S3 Bucket With All Permissions", - "severity": "CRITICAL", - "line": 9, - "filename": "positive2.json", - "resourceType": "AWS::S3::BucketPolicy", - "resourceName": "SampleBucketPolicy4", - "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals" - }, { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow all actions from all principals", "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals" + }, + { + "queryName": "S3 Bucket With All Permissions", + "severity": "CRITICAL", + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 532f92f643b..1b125fa915f 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 19, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket13", - "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", "searchValue": "", - "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -23,6 +23,18 @@ "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, + { + "queryName": "S3 Bucket Allows Public Policy", + "severity": "HIGH", + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" + }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", @@ -47,18 +59,6 @@ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, - { - "queryName": "S3 Bucket Allows Public Policy", - "severity": "HIGH", - "line": 19, - "filename": "positive1.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket13", - "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", - "searchValue": "", - "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" - }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", @@ -74,13 +74,13 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml", + "line": 19, + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket11", - "searchKey": "Resources.Bucket11.Properties", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", "searchValue": "", - "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index a26bb23160b..557e4361630 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.json", + "line": 9, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "S3Bucket", "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", @@ -14,8 +14,8 @@ { "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml", + "line": 14, + "filename": "positive2.json", "resourceType": "AWS::S3::Bucket", "resourceName": "S3Bucket", "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index f35552a8e40..a6b4e40af23 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -1,9 +1,21 @@ [ + { + "queryName": "S3 Bucket Without Ignore Public ACL", + "severity": "MEDIUM", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket12", "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", @@ -23,18 +35,6 @@ "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" }, - { - "queryName": "S3 Bucket Without Ignore Public ACL", - "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket12", - "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", - "searchValue": "", - "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" - }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", @@ -51,7 +51,7 @@ "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket11", "searchKey": "Resources.Bucket11.Properties", @@ -62,25 +62,25 @@ { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 21, + "line": 10, "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket13", - "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", - "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" + "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 4, + "line": 21, "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket11", - "searchKey": "Resources.Bucket11.Properties", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", "searchValue": "", - "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index 5423566f78c..c29cf1617c2 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket12", - "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", "searchValue": "", - "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 21, + "line": 10, "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket13", - "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", - "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 21, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket13", "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", @@ -63,7 +63,7 @@ "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "Bucket12", "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", @@ -74,13 +74,13 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 21, + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "Bucket11", - "searchKey": "Resources.Bucket11.Properties", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", "searchValue": "", - "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json index 6c5fc411ab4..0f708de9840 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 4, - "filename": "positive8.json", - "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket5", - "searchKey": "Resources.S3Bucket5", - "searchValue": "", - "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" - }, - { - "queryName": "S3 Bucket Without SSL In Write Actions", - "severity": "MEDIUM", - "line": 15, - "filename": "positive8.json", + "line": 3, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket6", - "searchKey": "Resources.S3Bucket6", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", "searchValue": "", - "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -38,8 +26,8 @@ { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 4, - "filename": "positive6.json", + "line": 3, + "filename": "positive2.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "S3Bucket2", "searchKey": "Resources.S3Bucket2", @@ -47,29 +35,17 @@ "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, - { - "queryName": "S3 Bucket Without SSL In Write Actions", - "severity": "MEDIUM", - "line": 12, - "filename": "positive4.yaml", - "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket6", - "searchKey": "Resources.S3Bucket6", - "searchValue": "", - "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" - }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "filename": "positive9.yaml", + "filename": "positive3.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket33,", - "searchKey": "Resources.S3Bucket33", + "resourceName": "S3Bucket3", + "searchKey": "Resources.S3Bucket3", "searchValue": "", - "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -86,14 +62,26 @@ { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 47, - "filename": "positive7.json", + "line": 3, + "filename": "positive4.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket4", - "searchKey": "Resources.S3Bucket4", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", "searchValue": "", - "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" + }, + { + "queryName": "S3 Bucket Without SSL In Write Actions", + "severity": "MEDIUM", + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -110,49 +98,61 @@ { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "filename": "positive4.yaml", + "line": 4, + "filename": "positive6.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket5", - "searchKey": "Resources.S3Bucket5", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", "searchValue": "", - "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.yaml", + "line": 47, + "filename": "positive7.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket", - "searchKey": "Resources.S3Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", "searchValue": "", - "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3, - "filename": "positive2.yaml", + "line": 4, + "filename": "positive8.json", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket2", - "searchKey": "Resources.S3Bucket2", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", "searchValue": "", - "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" + }, + { + "queryName": "S3 Bucket Without SSL In Write Actions", + "severity": "MEDIUM", + "line": 15, + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "filename": "positive3.yaml", + "filename": "positive9.yaml", "resourceType": "AWS::S3::Bucket", - "resourceName": "S3Bucket3", - "searchKey": "Resources.S3Bucket3", + "resourceName": "S3Bucket33,", + "searchKey": "Resources.S3Bucket33", "searchValue": "", - "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 4bc605456a4..7d204a174be 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 48, - "filename": "positive4.json", - "resourceType": "AWS::S3::Bucket", - "resourceName": "RecordServiceS3Bucket2", - "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", - "searchValue": "", - "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", - "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" - }, - { - "queryName": "S3 Bucket Without Versioning", - "severity": "MEDIUM", - "line": 4, - "filename": "positive3.json", + "line": 5, + "filename": "positive1.yaml", "resourceType": "AWS::S3::Bucket", "resourceName": "RecordServiceS3Bucket", "searchKey": "Resources.RecordServiceS3Bucket.Properties", @@ -38,13 +26,25 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive3.json", "resourceType": "AWS::S3::Bucket", "resourceName": "RecordServiceS3Bucket", "searchKey": "Resources.RecordServiceS3Bucket.Properties", "searchValue": "", "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined" + }, + { + "queryName": "S3 Bucket Without Versioning", + "severity": "MEDIUM", + "line": 48, + "filename": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json index 477fe6120a5..50574944d56 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 16, - "filename": "positive2.json", - "resourceType": "AWS::SageMaker::NotebookInstance", - "resourceName": "BasicNotebookInstance3", - "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", - "searchValue": "", - "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", - "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" - }, - { - "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH", - "line": 59, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::SageMaker::NotebookInstance", "resourceName": "BasicNotebookInstance", "searchKey": "Resources.BasicNotebookInstance.Properties", @@ -38,8 +26,20 @@ { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive1.yaml", + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" + }, + { + "queryName": "SageMaker Data Encryption Disabled", + "severity": "HIGH", + "line": 59, + "filename": "positive2.json", "resourceType": "AWS::SageMaker::NotebookInstance", "resourceName": "BasicNotebookInstance", "searchKey": "Resources.BasicNotebookInstance.Properties", diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json index 30ae2af9d66..a4abb1c1f86 100644 --- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "SDB Domain Declared As A Resource", "severity": "LOW", - "line": 11, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::SDB::Domain", "resourceName": "SBDDomain", "searchKey": "Resources.SBDDomain", @@ -14,8 +14,8 @@ { "queryName": "SDB Domain Declared As A Resource", "severity": "LOW", - "line": 8, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::SDB::Domain", "resourceName": "SBDDomain", "searchKey": "Resources.SBDDomain", diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json index 9f6727040e6..11c1b86ec96 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Secrets Manager Should Specify KmsKeyId", "severity": "LOW", - "line": 7, - "filename": "positive2.json", + "line": 6, + "filename": "positive1.yaml", "resourceType": "AWS::SecretsManager::Secret", "resourceName": "String", "searchKey": "Resources.SecretsManagerSecret.Properties", @@ -14,8 +14,8 @@ { "queryName": "Secrets Manager Should Specify KmsKeyId", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::SecretsManager::Secret", "resourceName": "String", "searchKey": "Resources.SecretsManagerSecret.Properties", diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 3b70c9d52cb..99a9c47267a 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml", + "line": 5, + "filename": "positive1.json", "resourceType": "AWS::SecretsManager::Secret", "resourceName": "MySecret", "searchKey": "Resources.MySecret.Properties", @@ -14,20 +14,8 @@ { "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.yaml", - "resourceType": "AWS::SecretsManager::Secret", - "resourceName": "MySecretForAppB", - "searchKey": "Resources.MySecretB.Properties.KmsKeyId", - "searchValue": "", - "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", - "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" - }, - { - "queryName": "Secretsmanager Secret Without KMS", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.json", + "line": 4, + "filename": "positive2.yaml", "resourceType": "AWS::SecretsManager::Secret", "resourceName": "MySecret", "searchKey": "Resources.MySecret.Properties", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" + }, + { + "queryName": "Secretsmanager Secret Without KMS", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json index 36e3446004e..ba8b3fa0aa9 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", @@ -14,8 +14,8 @@ { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 26, - "filename": "positive1.yaml", + "line": 44, + "filename": "positive2.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", @@ -26,8 +26,8 @@ { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 44, - "filename": "positive2.json", + "line": 26, + "filename": "positive3.yaml", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "cloudfrontdistribution", "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json index 53a96cc71c2..217e6f20759 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", + "line": 15, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstanceSecurityGroup", "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", @@ -14,8 +14,8 @@ { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 32, - "filename": "positive2.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupEgress", "resourceName": "OutboundRule", "searchKey": "Resources.OutboundRule.Properties", @@ -26,8 +26,8 @@ { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 15, - "filename": "positive1.yaml", + "line": 21, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstanceSecurityGroup", "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", @@ -38,8 +38,8 @@ { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupEgress", "resourceName": "OutboundRule", "searchKey": "Resources.OutboundRule.Properties", diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json index 9792371b3fa..25c324350dc 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Security Group Ingress Has CIDR Not Recommended", - "severity": "LOW", - "line": 43, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "InboundRule", - "searchKey": "Resources.InboundRule.Properties.CidrIpv6", - "searchValue": "", - "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" - }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", @@ -23,6 +11,18 @@ "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32" }, + { + "queryName": "Security Group Ingress Has CIDR Not Recommended", + "severity": "LOW", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" + }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json index 39fa7df8972..f8866739f61 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Security Group Ingress With All Protocols", - "severity": "MEDIUM", - "line": 35, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "InboundRule", - "searchKey": "Resources.InboundRule.Properties.IpProtocol", - "searchValue": "", - "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", - "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" - }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", @@ -26,8 +14,8 @@ { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 51, - "filename": "positive2.json", + "line": 35, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "InboundRule", "searchKey": "Resources.InboundRule.Properties.IpProtocol", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'" + }, + { + "queryName": "Security Group Ingress With All Protocols", + "severity": "MEDIUM", + "line": 51, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json index b39cd79bdc7..f40b2adba09 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 53, - "filename": "positive2.json", + "line": 37, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "InboundRule", "searchKey": "Resources.InboundRule.Properties", @@ -38,8 +38,8 @@ { "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 37, - "filename": "positive1.yaml", + "line": 53, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "InboundRule", "searchKey": "Resources.InboundRule.Properties", diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json index f027c2e68e9..6399dc8c05e 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json @@ -2,14 +2,38 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 47, + "line": 4, "filename": "positive1.yaml", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "LegacySecurityGroup", - "searchKey": "Resources.LegacySecurityGroup.Properties", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", "searchValue": "", - "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" }, { "queryName": "Security Group Rule Without Description", @@ -26,8 +50,8 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 49, - "filename": "positive2.json", + "line": 33, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "InboundRule", "searchKey": "Resources.InboundRule.Properties", @@ -38,14 +62,14 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 13, + "line": 47, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstanceSecurityGroup", - "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", "searchValue": "", - "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" }, { "queryName": "Security Group Rule Without Description", @@ -59,18 +83,6 @@ "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 19, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstanceSecurityGroup", - "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", - "searchValue": "", - "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" - }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", @@ -86,14 +98,14 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 69, + "line": 19, "filename": "positive2.json", - "resourceType": "AWS::RDS::DBSecurityGroup", - "resourceName": "LegacySecurityGroup", - "searchKey": "Resources.LegacySecurityGroup.Properties", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", "searchValue": "", - "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" }, { "queryName": "Security Group Rule Without Description", @@ -110,8 +122,8 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 33, - "filename": "positive1.yaml", + "line": 49, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "InboundRule", "searchKey": "Resources.InboundRule.Properties", @@ -122,25 +134,13 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 4, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstanceSecurityGroup", - "searchKey": "Resources.InstanceSecurityGroup.Properties", - "searchValue": "", - "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" - }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 8, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "InstanceSecurityGroup", - "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "line": 69, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", "searchValue": "", - "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json index 251b1a93155..0b2afca1b33 100644 --- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json @@ -11,54 +11,6 @@ "expectedValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." }, - { - "queryName": "Security Groups Allows Unrestricted Outbound Traffic", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." - }, - { - "queryName": "Security Groups Allows Unrestricted Outbound Traffic", - "severity": "MEDIUM", - "line": 22, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupEgress", - "resourceName": "Positive4_security_group", - "searchKey": "Resources.Positive4_egress_ipv6.Properties", - "searchValue": "", - "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", - "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." - }, - { - "queryName": "Security Groups Allows Unrestricted Outbound Traffic", - "severity": "MEDIUM", - "line": 12, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive4_security_group", - "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." - }, - { - "queryName": "Security Groups Allows Unrestricted Outbound Traffic", - "severity": "MEDIUM", - "line": 12, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive3_security_group", - "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", - "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." - }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", @@ -83,6 +35,18 @@ "expectedValue": "'Resources.Positive1_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." }, + { + "queryName": "Security Groups Allows Unrestricted Outbound Traffic", + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", @@ -95,6 +59,18 @@ "expectedValue": "'Resources.Positive2_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." }, + { + "queryName": "Security Groups Allows Unrestricted Outbound Traffic", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." + }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", @@ -118,5 +94,29 @@ "searchValue": "", "expectedValue": "'Resources.Positive3_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + }, + { + "queryName": "Security Groups Allows Unrestricted Outbound Traffic", + "severity": "MEDIUM", + "line": 12, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + }, + { + "queryName": "Security Groups Allows Unrestricted Outbound Traffic", + "severity": "MEDIUM", + "line": 22, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json index 11c307dfc7b..fc84292aa77 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 12, - "filename": "positive3.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1_security_group", "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", @@ -14,26 +14,26 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 34, - "filename": "positive2.yaml", + "line": 16, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 24, - "filename": "positive2.yaml", + "line": 26, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -50,32 +50,32 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 16, + "line": 12, "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 26, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1_security_group", - "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "line": 16, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 34, - "filename": "positive4.json", + "line": 24, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive2_security_group", "searchKey": "Resources.Positive2_ingress_ipv4.Properties", @@ -86,44 +86,32 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 12, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" - }, - { - "queryName": "Security Groups With Exposed Admin Ports", - "severity": "HIGH", - "line": 22, - "filename": "positive3.json", + "line": 34, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1_security_group", - "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "filename": "positive2.yaml", + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 16, - "filename": "positive1.yaml", + "line": 22, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1_security_group", "searchKey": "Resources.Positive1_ingress_ipv4.Properties", @@ -131,18 +119,6 @@ "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" }, - { - "queryName": "Security Groups With Exposed Admin Ports", - "severity": "HIGH", - "line": 46, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive2_security_group", - "searchKey": "Resources.Positive1_ingress_ipv6.Properties", - "searchValue": "", - "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" - }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", @@ -158,14 +134,14 @@ { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", - "line": 8, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1_security_group", - "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -190,5 +166,29 @@ "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + }, + { + "queryName": "Security Groups With Exposed Admin Ports", + "severity": "HIGH", + "line": 34, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + }, + { + "queryName": "Security Groups With Exposed Admin Ports", + "severity": "HIGH", + "line": 46, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json index ae86ee6b131..bc4ebfd6e72 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 41, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1_security_group_1", - "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 48, + "line": 16, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 31, - "filename": "positive2.json", + "line": 26, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1_security_group_1", "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", @@ -50,62 +50,62 @@ { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 12, + "line": 48, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1_security_group_1", - "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 13, - "filename": "positive2.json", + "line": 52, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1_security_group_1", - "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 54, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroup", + "line": 62, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 60, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroup", + "line": 72, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 82, + "line": 13, "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", @@ -122,8 +122,8 @@ { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 26, - "filename": "positive1.yaml", + "line": 31, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1_security_group_1", "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", @@ -134,44 +134,32 @@ { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 62, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", - "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." - }, - { - "queryName": "Security Groups With Meta IP", - "severity": "HIGH", - "line": 72, - "filename": "positive1.yaml", + "line": 41, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1_security_group_2", - "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 16, - "filename": "positive1.yaml", + "line": 54, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1_security_group_1", - "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", - "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", - "line": 52, - "filename": "positive1.yaml", + "line": 60, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1_security_group_2", "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", @@ -190,5 +178,17 @@ "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + }, + { + "queryName": "Security Groups With Meta IP", + "severity": "HIGH", + "line": 82, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 426d89465d8..e0f44dfe275 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -2,44 +2,56 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 26, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "line": 22, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress2.Properties", + "line": 38, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 76, - "filename": "positive3.json", + "line": 51, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 63, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_2", "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", @@ -50,26 +62,50 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 50, - "filename": "positive4.json", + "line": 79, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress2.Properties", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 62, - "filename": "positive4.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress3.Properties", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 31, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -95,23 +131,11 @@ "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 79, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv6", - "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", - "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" - }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml", + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", @@ -122,32 +146,20 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 51, - "filename": "positive1.yaml", + "line": 25, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" - }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 31, - "filename": "positive2.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 38, - "filename": "positive1.yaml", + "line": 46, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1ArrayTestIPv4", "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", @@ -158,44 +170,20 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" - }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 10, + "line": 61, "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" - }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 38, - "filename": "positive4.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv6Ingress1.Properties", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 63, - "filename": "positive1.yaml", + "line": 76, + "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_2", "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", @@ -203,18 +191,6 @@ "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 46, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1ArrayTestIPv4", - "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", - "searchValue": "", - "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" - }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", @@ -230,37 +206,61 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 25, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_2", - "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "line": 14, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 61, - "filename": "positive3.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "line": 26, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 14, + "line": 38, "filename": "positive4.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "DualStackSecurityGroup", - "searchKey": "Resources.IPv4Ingress1.Properties", + "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 50, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 62, + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json index 1d558a2fbf5..a692c7a7c9d 100644 --- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Shield Advanced Not In Use", "severity": "LOW", - "line": 3, - "filename": "positive2.json", + "line": 2, + "filename": "positive1.yaml", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", "searchKey": "Resources.HostedZone", @@ -14,8 +14,8 @@ { "queryName": "Shield Advanced Not In Use", "severity": "LOW", - "line": 2, - "filename": "positive1.yaml", + "line": 3, + "filename": "positive2.json", "resourceType": "AWS::Route53::HostedZone", "resourceName": "HostedZone", "searchKey": "Resources.HostedZone", diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index c6a2f7799c0..048f37dc9dd 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" + }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 7, - "filename": "positive2.yaml", - "resourceType": "AWS::SNS::TopicPolicy", - "resourceName": "snsPolicy", - "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", - "searchValue": "", - "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 7cb606afb30..19a619113c8 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.json", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::SNS::TopicPolicy", "resourceName": "mysnspolicy", "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", @@ -14,8 +14,8 @@ { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive2.json", "resourceType": "AWS::SNS::TopicPolicy", "resourceName": "mysnspolicy", "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json index 9e60ce6153d..a8c5f931d10 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "SNS Topic Without KmsMasterKeyId", "severity": "LOW", - "line": 6, - "filename": "positive2.json", + "line": 5, + "filename": "positive1.yaml", "resourceType": "AWS::SNS::Topic", "resourceName": "SampleTopic", "searchKey": "Resources.MySNSTopic.Properties", @@ -14,8 +14,8 @@ { "queryName": "SNS Topic Without KmsMasterKeyId", "severity": "LOW", - "line": 5, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive2.json", "resourceType": "AWS::SNS::Topic", "resourceName": "SampleTopic", "searchKey": "Resources.MySNSTopic.Properties", diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 9c7745effd9..a90290583f5 100644 --- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -27,24 +27,24 @@ "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 9, - "filename": "positive4.json", + "filename": "positive3.json", "resourceType": "AWS::SQS::QueuePolicy", "resourceName": "SampleSQSPolicy", "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 9, - "filename": "positive3.json", + "filename": "positive4.json", "resourceType": "AWS::SQS::QueuePolicy", "resourceName": "SampleSQSPolicy", "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 1b0ee7ccf35..eb331bf69a5 100644 --- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive2.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::SQS::Queue", "resourceName": "SampleQueue", "searchKey": "Resources.MyQueue.Properties", @@ -14,8 +14,8 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.json", + "line": 8, + "filename": "positive1.yaml", "resourceType": "AWS::SQS::Queue", "resourceName": "SampleQueue", "searchKey": "Resources.MyQueue2.Properties", @@ -26,8 +26,8 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::SQS::Queue", "resourceName": "SampleQueue", "searchKey": "Resources.MyQueue.Properties", @@ -38,8 +38,8 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.json", "resourceType": "AWS::SQS::Queue", "resourceName": "SampleQueue", "searchKey": "Resources.MyQueue2.Properties", diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json index 733ece0572e..73ca9dc6939 100644 --- a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Stack Retention Disabled", - "severity": "MEDIUM", - "line": 22, - "filename": "positive2.json", - "resourceType": "AWS::CloudFormation::StackSet", - "resourceName": "some_stack_name", - "searchKey": "Resources.stackset9.Properties.AutoDeployment", - "searchValue": "", - "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" - }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", @@ -26,32 +14,32 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 35, + "line": 18, "filename": "positive1.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", "searchValue": "", - "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", - "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.yaml", + "line": 27, + "filename": "positive1.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", "searchValue": "", - "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 35, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", "searchKey": "Resources.stackset6.Properties.AutoDeployment", @@ -63,7 +51,7 @@ "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 39, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", "searchKey": "Resources.stackset7.Properties", @@ -74,50 +62,62 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 34, + "line": 12, "filename": "positive2.json", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", + "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", "searchValue": "", - "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false" + "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 52, + "line": 22, "filename": "positive2.json", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset12.Properties", + "searchKey": "Resources.stackset9.Properties.AutoDeployment", "searchValue": "", - "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", - "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined" + "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.yaml", + "line": 34, + "filename": "positive2.json", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", "searchValue": "", - "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" + "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.yaml", + "line": 45, + "filename": "positive2.json", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchKey": "Resources.stackset11.Properties.AutoDeployment", "searchValue": "", - "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" + "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined" + }, + { + "queryName": "Stack Retention Disabled", + "severity": "MEDIUM", + "line": 52, + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset12.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined" }, { "queryName": "Stack Retention Disabled", @@ -134,49 +134,49 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 45, - "filename": "positive2.json", + "line": 18, + "filename": "positive3.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset11.Properties.AutoDeployment", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", "searchValue": "", - "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", - "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined" + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 39, - "filename": "positive1.yaml", + "line": 27, + "filename": "positive3.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset7.Properties", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", "searchValue": "", - "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", - "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 27, + "line": 35, "filename": "positive3.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", "searchValue": "", - "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json", + "line": 39, + "filename": "positive3.yaml", "resourceType": "AWS::CloudFormation::StackSet", "resourceName": "some_stack_name", - "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchKey": "Resources.stackset7.Properties", "searchValue": "", - "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", - "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json index 57c897f7e7e..4948f2761c1 100644 --- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 53, - "filename": "positive2.json", - "resourceType": "AWS::IAM::Policy", - "resourceName": "AWSSupportAccess", - "searchKey": "Resources.noGroups", - "searchValue": "", - "expectedValue": "'Resources.noGroups.Groups' should be set", - "actualValue": "'Resources.noGroups.Groups' is undefined" - }, - { - "queryName": "Support Has No Role Associated", - "severity": "LOW", - "line": 5, - "filename": "positive2.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Policy", "resourceName": "AWSSupportAccess", "searchKey": "Resources.noRoles", @@ -26,8 +14,8 @@ { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 29, - "filename": "positive2.json", + "line": 16, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::Policy", "resourceName": "AWSSupportAccess", "searchKey": "Resources.noUsers", @@ -50,8 +38,8 @@ { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive2.json", "resourceType": "AWS::IAM::Policy", "resourceName": "AWSSupportAccess", "searchKey": "Resources.noRoles", @@ -62,13 +50,25 @@ { "queryName": "Support Has No Role Associated", "severity": "LOW", - "line": 16, - "filename": "positive1.yaml", + "line": 29, + "filename": "positive2.json", "resourceType": "AWS::IAM::Policy", "resourceName": "AWSSupportAccess", "searchKey": "Resources.noUsers", "searchValue": "", "expectedValue": "'Resources.noUsers.Users' should be set", "actualValue": "'Resources.noUsers.Users' is undefined" + }, + { + "queryName": "Support Has No Role Associated", + "severity": "LOW", + "line": 53, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index d396bd8c12a..7a36bc94f59 100644 --- a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -2,32 +2,20 @@ { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 17, - "filename": "positive5.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "MyDBCluster", - "searchKey": "Resources.MyDBCluster.Properties", - "searchValue": "", - "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "filename": "positive5.json", + "line": 12, + "filename": "positive1.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBInstance", - "searchKey": "Resources.MyDBInstance.Properties", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 19, - "filename": "positive4.yaml", + "line": 21, + "filename": "positive1.json", "resourceType": "AWS::RDS::DBCluster", "resourceName": "MyDBCluster", "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", @@ -39,7 +27,7 @@ "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", "line": 12, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBInstance", "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", @@ -50,26 +38,26 @@ { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 15, - "filename": "positive6.yaml", + "line": 19, + "filename": "positive2.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "MyDBCluster", - "searchKey": "Resources.MyDBCluster.Properties", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 7, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive3.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBInstance", - "searchKey": "Resources.MyDBInstance.Properties", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -86,20 +74,20 @@ { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 21, - "filename": "positive1.json", - "resourceType": "AWS::RDS::DBCluster", - "resourceName": "MyDBCluster", - "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", - "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", "line": 19, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "AWS::RDS::DBCluster", "resourceName": "MyDBCluster", "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", @@ -110,37 +98,49 @@ { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 12, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive5.json", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBInstance", - "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchKey": "Resources.MyDBInstance.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 12, - "filename": "positive3.json", - "resourceType": "AWS::RDS::DBInstance", - "resourceName": "MyDBInstance", - "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "line": 17, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", "searchValue": "", - "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 7, + "filename": "positive6.yaml", "resourceType": "AWS::RDS::DBInstance", "resourceName": "MyDBInstance", - "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchKey": "Resources.MyDBInstance.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 15, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json index 9e3c406de04..85a31735ed9 100644 --- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json @@ -2,21 +2,9 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 49, + "line": 18, "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", - "resourceName": "InboundRule5", - "searchKey": "Resources.InboundRule5.Properties.PortRange", - "searchValue": "", - "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", - "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" - }, - { - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", - "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", - "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule2", "searchKey": "Resources.InboundRule2.Properties.PortRange", "searchValue": "", @@ -26,8 +14,8 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 40, - "filename": "positive2.json", + "line": 29, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule3", "searchKey": "Resources.InboundRule3.Properties.PortRange", @@ -38,8 +26,8 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 47, - "filename": "positive2.json", + "line": 33, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule4", "searchKey": "Resources.InboundRule4.Properties", @@ -50,8 +38,8 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 61, - "filename": "positive2.json", + "line": 49, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule5", "searchKey": "Resources.InboundRule5.Properties.PortRange", @@ -62,8 +50,8 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.yaml", + "line": 21, + "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule2", "searchKey": "Resources.InboundRule2.Properties.PortRange", @@ -74,8 +62,8 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 29, - "filename": "positive1.yaml", + "line": 40, + "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule3", "searchKey": "Resources.InboundRule3.Properties.PortRange", @@ -86,13 +74,25 @@ { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.yaml", + "line": 47, + "filename": "positive2.json", "resourceType": "AWS::EC2::NetworkAclEntry", "resourceName": "InboundRule4", "searchKey": "Resources.InboundRule4.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined" + }, + { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", + "severity": "MEDIUM", + "line": 61, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index e7f9dd2e146..56f0dc2ccda 100644 --- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 49, + "line": 10, "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6", - "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 16, - "filename": "positive2.json", + "line": 14, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4", "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", @@ -23,18 +23,6 @@ "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 51, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv6", - "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", - "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" - }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", @@ -50,68 +38,68 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 14, + "line": 30, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", + "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1IPv4", - "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 65, + "line": 45, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6", - "searchKey": "Resources.IPv6Ingress2.Properties", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 36, - "filename": "positive2.json", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1IPv4", - "searchKey": "Resources.IPv4Ingress2.Properties", + "line": 49, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 77, - "filename": "positive2.json", + "line": 56, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1IPv6", - "searchKey": "Resources.IPv6Ingress2.Properties", + "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 45, + "line": 65, "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroup", + "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1IPv6", - "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 10, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4", "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", @@ -119,6 +107,18 @@ "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", @@ -134,26 +134,26 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 67, + "line": 36, "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1IPv6", - "searchKey": "Resources.IPv6Ingress1.Properties", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 10, + "line": 51, "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4", - "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", "searchValue": "", - "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", @@ -170,25 +170,25 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 30, - "filename": "positive1.yaml", + "line": 67, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "Positive1IPv4", - "searchKey": "Resources.IPv4Ingress2.Properties", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 56, - "filename": "positive1.yaml", + "line": 77, + "filename": "positive2.json", "resourceType": "AWS::EC2::SecurityGroupIngress", "resourceName": "Positive1IPv6", - "searchKey": "Resources.IPv6Ingress1.Properties", + "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", - "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 06b51849630..b449c7da75d 100644 --- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Unrestricted Security Group Ingress", - "severity": "HIGH", - "line": 43, - "filename": "positive1.yaml", - "resourceType": "AWS::EC2::SecurityGroupIngress", - "resourceName": "InboundRule", - "searchKey": "Resources.InboundRule.Properties.CidrIpv6", - "searchValue": "", - "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" - }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", @@ -23,6 +11,18 @@ "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)" }, + { + "queryName": "Unrestricted Security Group Ingress", + "severity": "HIGH", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" + }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json index d66f56201ad..7cc8d435010 100644 --- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 6, - "filename": "positive3.json", + "line": 5, + "filename": "positive1.yaml", "resourceType": "AWS::ECR::Repository", "resourceName": "test-repository", - "searchKey": "Resources.MyRepository5.Properties", + "searchKey": "Resources.MyRepository3.Properties", "searchValue": "", - "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", - "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined" + "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 9, - "filename": "positive4.json", + "line": 8, + "filename": "positive2.yaml", "resourceType": "AWS::ECR::Repository", "resourceName": "test-repository", - "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", + "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", "searchValue": "", - "expectedValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", - "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false" + "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 8, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive3.json", "resourceType": "AWS::ECR::Repository", "resourceName": "test-repository", - "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", + "searchKey": "Resources.MyRepository5.Properties", "searchValue": "", - "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", - "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false" + "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 5, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive4.json", "resourceType": "AWS::ECR::Repository", "resourceName": "test-repository", - "searchKey": "Resources.MyRepository3.Properties", + "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", "searchValue": "", - "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", - "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined" + "expectedValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json index 58597757057..076bde69639 100644 --- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 38, - "filename": "positive4.json", + "line": 10, + "filename": "positive1.yaml", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", @@ -14,20 +14,8 @@ { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 7, - "filename": "positive6.json", - "resourceType": "AWS::IAM::User", - "resourceName": "topuser", - "searchKey": "Resources.topuser.Properties", - "searchValue": "", - "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", - "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" - }, - { - "queryName": "IAM User Without Password Reset", - "severity": "MEDIUM", - "line": 9, - "filename": "positive5.json", + "line": 8, + "filename": "positive2.yaml", "resourceType": "AWS::IAM::User", "resourceName": "newuser", "searchKey": "Resources.newuser.Properties.LoginProfile", @@ -38,20 +26,20 @@ { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive3.yaml", "resourceType": "AWS::IAM::User", - "resourceName": "newuser", - "searchKey": "Resources.newuser.Properties.LoginProfile", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", "searchValue": "", - "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", - "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 38, + "filename": "positive4.json", "resourceType": "AWS::IAM::User", "resourceName": "myuser", "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", @@ -62,8 +50,20 @@ { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.yaml", + "line": 9, + "filename": "positive5.json", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" + }, + { + "queryName": "IAM User Without Password Reset", + "severity": "MEDIUM", + "line": 7, + "filename": "positive6.json", "resourceType": "AWS::IAM::User", "resourceName": "topuser", "searchKey": "Resources.topuser.Properties", diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json index 9df86e231f3..94322f33c65 100644 --- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "VPC Attached With Too Many Gateways", "severity": "LOW", - "line": 7, - "filename": "positive2.json", + "line": 3, + "filename": "positive1.yaml", "resourceType": "AWS::EC2::VPC", "resourceName": "myVPC", "searchKey": "Resources.myVPC", @@ -14,8 +14,8 @@ { "queryName": "VPC Attached With Too Many Gateways", "severity": "LOW", - "line": 3, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.json", "resourceType": "AWS::EC2::VPC", "resourceName": "myVPC", "searchKey": "Resources.myVPC", diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 1385a5404bb..576b1448a3a 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Vulnerable Default SSL Certificate", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json", - "resourceType": "AWS::CloudFront::Distribution", - "resourceName": "myDistribution", - "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "SslSupportMethod", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" - }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", @@ -50,14 +38,14 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 9, - "filename": "positive4.json", + "line": 8, + "filename": "positive3.json", "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", - "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", - "searchValue": "", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -67,8 +55,20 @@ "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "MinimumProtocolVersion", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" + }, + { + "queryName": "Vulnerable Default SSL Certificate", + "severity": "MEDIUM", + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json index a988e698561..16536eacce4 100644 --- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", "line": 8, - "filename": "positive2.json", + "filename": "positive1.yaml", "resourceType": "AWS::WAF::WebACL", "resourceName": "WebACL to with three rules", "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", @@ -15,7 +15,7 @@ "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", "line": 8, - "filename": "positive1.yaml", + "filename": "positive2.json", "resourceType": "AWS::WAF::WebACL", "resourceName": "WebACL to with three rules", "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json index ccd82137fd8..d60af33c334 100644 --- a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 5, - "filename": "positive3.json", + "line": 4, + "filename": "positive1.yaml", "resourceType": "AWS::WorkSpaces::Workspace", "resourceName": "MyWorkSpace", "searchKey": "Resources.MyWorkSpace.Properties", @@ -14,8 +14,8 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 17, - "filename": "positive4.json", + "line": 14, + "filename": "positive2.yaml", "resourceType": "AWS::WorkSpaces::Workspace", "resourceName": "MyWorkSpace2", "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", @@ -26,8 +26,8 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml", + "line": 5, + "filename": "positive3.json", "resourceType": "AWS::WorkSpaces::Workspace", "resourceName": "MyWorkSpace", "searchKey": "Resources.MyWorkSpace.Properties", @@ -38,8 +38,8 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 14, - "filename": "positive2.yaml", + "line": 17, + "filename": "positive4.json", "resourceType": "AWS::WorkSpaces::Workspace", "resourceName": "MyWorkSpace2", "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json index 037a95a5b68..d9f65d6a43a 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 7, + "filename": "positive1.yaml", "resourceType": "AWS::Serverless::Api", - "resourceName": "ApiGatewayApi2", - "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", - "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" + "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null" }, { "queryName": "Serverless API Cache Cluster Disabled", @@ -26,13 +26,13 @@ { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", - "line": 7, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive3.yaml", "resourceType": "AWS::Serverless::Api", - "resourceName": "ApiGatewayApi", - "searchKey": "Resources.ApiGatewayApi.Properties", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", "searchValue": "", - "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null" + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json index 491e4133a19..001f7fd30c0 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Serverless API Without Content Encoding", - "severity": "LOW", - "line": 19, - "filename": "positive3.yaml", - "resourceType": "AWS::Serverless::Api", - "resourceName": "ApiGatewayApi3", - "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", - "searchValue": "", - "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" - }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" + }, + { + "queryName": "Serverless API Without Content Encoding", + "severity": "LOW", + "line": 19, + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 0cfc535b451..84f0cffe7db 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Serverless API X-Ray Tracing Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null" + }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false" - }, - { - "queryName": "Serverless API X-Ray Tracing Disabled", - "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", - "resourceType": "AWS::Serverless::Api", - "resourceName": "ApiGatewayApi", - "searchKey": "Resources.ApiGatewayApi.Properties", - "searchValue": "", - "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 8aa1ea90813..8ccf40ad17a 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Serverless Function Without Unique IAM Role", + "severity": "HIGH", + "line": 19, + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" + }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion" - }, - { - "queryName": "Serverless Function Without Unique IAM Role", - "severity": "HIGH", - "line": 19, - "filename": "positive1.yaml", - "resourceType": "AWS::Serverless::Function", - "resourceName": "Function1", - "searchKey": "Resources.Function1.Properties.Role", - "searchValue": "", - "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", - "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index b362e8e7f21..a0f70d66bd0 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Serverless Function Without X-Ray Tracing", - "severity": "LOW", - "line": 19, - "filename": "positive2.yaml", - "resourceType": "AWS::Serverless::Function", - "resourceName": "Function2", - "searchKey": "Resources.Function2.Properties.Tracing", - "searchValue": "", - "expectedValue": "'Tracing' should be set to 'Active'", - "actualValue": "'Tracing' is set to 'PassThrough'" - }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "Property 'TracingConfig' should be defined and not null", "actualValue": "Property 'TracingConfig' is undefined or null" + }, + { + "queryName": "Serverless Function Without X-Ray Tracing", + "severity": "LOW", + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Tracing", + "searchValue": "", + "expectedValue": "'Tracing' should be set to 'Active'", + "actualValue": "'Tracing' is set to 'PassThrough'" } ] \ No newline at end of file diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index e29ad869f20..a019f29a555 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -3,462 +3,924 @@ "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive3.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive4.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 2, - "fileName": "positive5.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 3, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive7.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 4, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line":7, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive9.tf" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 17, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 27, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 9, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 11, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 11, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 15, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 19, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive13.tf" + "filename": "positive13.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 17, - "fileName": "positive14.tf" + "filename": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 18, - "fileName": "positive14.tf" + "filename": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, - "fileName": "positive15.tf" + "filename": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 15, - "fileName": "positive15.tf" + "filename": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", "severity": "HIGH", "line": 34, - "fileName": "positive16.yaml" + "filename": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", "severity": "HIGH", "line": 36, - "fileName": "positive16.yaml" + "filename": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 7, - "fileName": "positive17.tf" + "filename": "positive17.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive18.tf" + "filename": "positive18.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Slack Token", "severity": "HIGH", "line": 2, - "fileName": "positive19.tf" + "filename": "positive19.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 6, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Stripe API Key", "severity": "HIGH", "line": 2, - "fileName": "positive20.tf" + "filename": "positive20.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Google API Key", "severity": "HIGH", "line": 50, - "fileName": "positive21.tf" + "filename": "positive21.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Heroku API Key", "severity": "HIGH", "line": 3, - "fileName": "positive22.tf" + "filename": "positive22.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 3, - "fileName": "positive23.tf" + "filename": "positive23.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic API Key", "severity": "HIGH", "line": 4, - "fileName": "positive24.tf" + "filename": "positive24.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Square Access Token", "severity": "HIGH", "line": 3, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Picatic API Key", "severity": "HIGH", "line": 5, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Amazon MWS Auth Token", "severity": "HIGH", "line": 7, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - MailChimp API Key", "severity": "HIGH", "line": 9, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - SendGrid API Key", "severity": "HIGH", "line": 11, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 9, - "fileName": "positive26.yaml" + "filename": "positive26.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive27.yaml" + "filename": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 22, - "fileName": "positive27.yaml" + "filename": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive28.yaml" + "filename": "positive28.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Mailgun API Key", "severity": "HIGH", "line": 2, - "fileName": "positive29.tf" + "filename": "positive29.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Stripe Restricted API Key", "severity": "HIGH", "line": 2, - "fileName": "positive30.tf" + "filename": "positive30.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - Twilio API Key", + "queryName": "Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 4, - "fileName": "positive31.yaml" + "filename": "positive31.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - PayPal Braintree Access Token", "severity": "HIGH", "line": 4, - "fileName": "positive32.yaml" + "filename": "positive32.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Facebook Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive33.yaml" + "filename": "positive33.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Square OAuth Secret", "severity": "HIGH", "line": 13, - "fileName": "positive34.yaml" + "filename": "positive34.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Google OAuth Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive35.yaml" + "filename": "positive35.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Putty User Key File Content", "severity": "HIGH", "line": 5, - "fileName": "positive36.tf" + "filename": "positive36.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 14, - "fileName": "positive37.tf" + "filename": "positive37.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 16, - "fileName": "positive38.yaml" + "filename": "positive38.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 3, - "fileName": "positive39.tf" + "filename": "positive39.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Context-specific credential", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, - "fileName": "positive40.tf" + "filename": "positive40.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Certificate", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 15, - "fileName": "positive40.tf" + "filename": "positive40.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive41.tf" + "filename": "positive41.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Access Key", "severity": "HIGH", "line": 7, - "fileName": "positive42.tf" + "filename": "positive42.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive43.yaml" + "filename": "positive43.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 17, - "fileName": "positive44.yaml" + "filename": "positive44.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 9, - "fileName": "positive45.tf" + "filename": "positive45.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 20, - "fileName": "positive46.yaml" + "filename": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 21, - "fileName": "positive46.yaml" + "filename": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive47.tf" + "filename": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 6, - "fileName": "positive47.tf" + "filename": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive48.tf" + "filename": "positive48.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 7, - "fileName": "positive49.yml" + "filename": "positive49.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 2, + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 56, - "fileName": "positive50.yaml" + "filename": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 68, - "fileName": "positive50.yaml" + "filename": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", "severity": "HIGH", "line": 4, - "fileName": "positive51.dockerfile" + "filename": "positive51.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 4, - "fileName": "positive52.dockerfile" + "filename": "positive52.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 54, - "fileName": "positive53.json" + "filename": "positive53.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive54.tf" + "filename": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 14, - "fileName": "positive54.tf" + "filename": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 4, - "fileName": "positive55.json" + "filename": "positive55.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 3, + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "filename": "positive7.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "filename": "positive9.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 5fa9e8dcc24..268be93d0cf 100644 --- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 41, - "filename": "positive2.yaml", - "resourceType": "Distribution", - "resourceName": "sample-distribution", - "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", - "searchValue": "", - "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront logging is not defined" - }, - { - "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml", + "line": 12, + "filename": "positive.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", "searchValue": "", - "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront enable is not defined" + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false" }, { "queryName": "CloudFront Logging Disabled", @@ -50,14 +38,26 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive.yaml", + "line": 41, + "filename": "positive2.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", - "expectedValue": "CloudFront logging enabled attribute should be set to true", - "actualValue": "CloudFront logging enabled attribute is set to false" + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined" + }, + { + "queryName": "CloudFront Logging Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined" }, { "queryName": "CloudFront Logging Disabled", diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 96376fc6b0b..1c6fba2f4c5 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,35 +2,23 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml", - "resourceType": "Distribution", - "resourceName": "sample-distribution", - "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", - "searchValue": "", - "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'viewerCertificate' is not defined" - }, - { - "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml", + "line": 14, + "filename": "positive.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", "searchValue": "", - "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'minimumProtocolVersion' is not defined" + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 14, + "line": 54, "filename": "positive.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" @@ -38,14 +26,14 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 50, - "filename": "positive3.yaml", + "line": 8, + "filename": "positive2.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'minimumProtocolVersion' is not defined" + "actualValue": "'viewerCertificate' is not defined" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -62,13 +50,25 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 54, - "filename": "positive.yaml", + "line": 11, + "filename": "positive3.yaml", "resourceType": "Distribution", "resourceName": "sample-distribution", - "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", "searchValue": "", - "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", - "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined" + }, + { + "queryName": "CloudFront Without Minimum Protocol TLS 1.2", + "severity": "MEDIUM", + "line": 50, + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 37d5371cc70..e9f7a4945ed 100644 --- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 34, - "filename": "positive2.yaml", + "line": 9, + "filename": "positive.yaml", "resourceType": "LogGroup", - "resourceName": "lg-6", - "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider", + "resourceName": "lg-3", + "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is undefined" + "actualValue": "retentionInDays is set to a invalid value" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -38,13 +38,13 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 9, - "filename": "positive.yaml", + "line": 34, + "filename": "positive2.yaml", "resourceType": "LogGroup", - "resourceName": "lg-3", - "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays", + "resourceName": "lg-6", + "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is set to a invalid value" + "actualValue": "retentionInDays is undefined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 05ca36d208b..f780445fe4c 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "storageEncrypted should be set to true", "actualValue": "storageEncrypted is set to false" }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 6, - "filename": "positive2.yaml", - "resourceType": "RDSInstance", - "resourceName": "rds5", - "searchKey": ".metadata.name={{rds5}}.spec.forProvider", - "searchValue": "", - "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" - }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", @@ -35,6 +23,18 @@ "expectedValue": "storageEncrypted should be set to true", "actualValue": "storageEncrypted is set to false" }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 6, + "filename": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds5", + "searchKey": ".metadata.name={{rds5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" + }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 621f7bdf1a1..f03da4c3024 100644 --- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", - "line": 55, + "line": 17, "filename": "positive.yaml", "resourceType": "SecurityGroup", - "resourceName": "ec2-rule5", - "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "resourceName": "ec2-rule2", + "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ingress rule should not contain '0.0.0.0/0'", "actualValue": "ingress rule contains '0.0.0.0/0'" @@ -14,11 +14,11 @@ { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", - "line": 17, + "line": 55, "filename": "positive.yaml", "resourceType": "SecurityGroup", - "resourceName": "ec2-rule2", - "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "resourceName": "ec2-rule5", + "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ingress rule should not contain '0.0.0.0/0'", "actualValue": "ingress rule contains '0.0.0.0/0'" diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json index 3d1a2d3c1d4..a030c9df321 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive.yaml", "resourceType": "FileSystem", - "resourceName": "example5", - "searchKey": "metadata.name={{example5}}.spec.forProvider", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", "searchValue": "", - "expectedValue": "encrypted should be defined and set to true", - "actualValue": "encrypted is not defined" + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false" }, { "queryName": "EFS Not Encrypted", @@ -26,11 +26,11 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 35, + "line": 6, "filename": "positive2.yaml", "resourceType": "FileSystem", - "resourceName": "example6", - "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", + "resourceName": "example5", + "searchKey": "metadata.name={{example5}}.spec.forProvider", "searchValue": "", "expectedValue": "encrypted should be defined and set to true", "actualValue": "encrypted is not defined" @@ -38,13 +38,13 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive.yaml", + "line": 35, + "filename": "positive2.yaml", "resourceType": "FileSystem", - "resourceName": "example3", - "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", + "resourceName": "example6", + "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", "searchValue": "", - "expectedValue": "encrypted should be set to true", - "actualValue": "encrypted is set to false" + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 5d7ef5e14b3..8f2de4995d8 100644 --- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Neptune Database Cluster Encryption Disabled", + "severity": "HIGH", + "line": 6, + "filename": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined" + }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", "actualValue": "storageEncrypted is set to false" - }, - { - "queryName": "Neptune Database Cluster Encryption Disabled", - "severity": "HIGH", - "line": 6, - "filename": "positive.yaml", - "resourceType": "DBCluster", - "resourceName": "sample-cluster3", - "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", - "searchValue": "", - "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" } ] \ No newline at end of file diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index c365eb0f701..8c7c586c222 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "filename": "positive2.yaml", + "filename": "negative2.yaml", "resourceType": "RDSInstance", "resourceName": "my-rds-instance", "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", @@ -27,7 +27,7 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "filename": "negative2.yaml", + "filename": "positive2.yaml", "resourceType": "RDSInstance", "resourceName": "my-rds-instance", "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json index 7f956d3a44b..609be2c3a80 100644 --- a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 40, + "line": 13, "filename": "positive.yaml", "resourceType": "AKSCluster", "resourceName": "anais-crossplane-demo", - "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", "searchValue": "", "expectedValue": "disableRBAC should be set to false", "actualValue": "disableRBAC is set to true" @@ -14,11 +14,11 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 13, + "line": 40, "filename": "positive.yaml", "resourceType": "AKSCluster", "resourceName": "anais-crossplane-demo", - "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", "searchValue": "", "expectedValue": "disableRBAC should be set to false", "actualValue": "disableRBAC is set to true" diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index dff0eccaed0..ca33f06225f 100644 --- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 27, + "line": 6, "filename": "positive.yaml", "resourceType": "NodePool", "resourceName": "cluster-np", - "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", "searchValue": "", - "expectedValue": "autoRepair should be set to true", - "actualValue": "autoRepair is set to false" + "expectedValue": "management should be defined with autoRepair set to true", + "actualValue": "management is not defined" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 6, + "line": 27, "filename": "positive.yaml", "resourceType": "NodePool", "resourceName": "cluster-np", - "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", "searchValue": "", - "expectedValue": "management should be defined with autoRepair set to true", - "actualValue": "management is not defined" + "expectedValue": "autoRepair should be set to true", + "actualValue": "autoRepair is set to false" } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json index 7b6750a25d7..b216b285e8c 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 13, + "line": 4, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.webapp.cap_add", + "searchKey": "services.webapp", "searchValue": "", - "expectedValue": "Make sure you only add the necessary capabilities to your container.", - "actualValue": "Docker compose file has 'cap_add' attribute." + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 4, + "line": 13, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.webapp", + "searchKey": "services.webapp.cap_add", "searchValue": "", - "expectedValue": "Docker compose file to have 'cap_drop' attribute", - "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute." }, { "queryName": "Container Capabilities Unrestricted", diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json index 0d3313e5d74..112e4553581 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json @@ -15,7 +15,7 @@ "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -27,7 +27,7 @@ "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", diff --git a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json index e3e4cb5143d..8f8fee222fc 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Cpus Not Limited", + "severity": "LOW", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources.limits", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.cpus' should be defined", + "actualValue": "'deploy.resources.limits.cpus' is not defined" + }, { "queryName": "Cpus Not Limited", "severity": "LOW", @@ -35,18 +47,6 @@ "expectedValue": "'deploy.resources' should be defined", "actualValue": "'deploy.resources' is not defined" }, - { - "queryName": "Cpus Not Limited", - "severity": "LOW", - "line": 9, - "filename": "positive1.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "services.zapzop.deploy.resources.limits", - "searchValue": "", - "expectedValue": "'deploy.resources.limits.cpus' should be defined", - "actualValue": "'deploy.resources.limits.cpus' is not defined" - }, { "queryName": "Cpus Not Limited", "severity": "LOW", diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json index 8768fed4cb7..6074dde60cd 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Default Seccomp Profile Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive2.yaml", + "line": 13, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.example.security_opt", + "searchKey": "services.demo.security_opt", "searchValue": "", "expectedValue": "Seccomp default profile to not be disabled.", "actualValue": "Seccomp default profile is disabled." @@ -14,11 +14,11 @@ { "queryName": "Default Seccomp Profile Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.demo.security_opt", + "searchKey": "services.example.security_opt", "searchValue": "", "expectedValue": "Seccomp default profile to not be disabled.", "actualValue": "Seccomp default profile is disabled." diff --git a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json index 53479d7aa50..1c36d0b3744 100644 --- a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 14, - "filename": "positive3.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "services.lelele-service.healthcheck.test", - "searchValue": "", - "expectedValue": "Healthcheck should be enabled.", - "actualValue": "Healthcheck is disabled." - }, { "queryName": "Healthcheck Not Set", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "Healthcheck should be enabled.", "actualValue": "Healthcheck is disabled." + }, + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 14, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service.healthcheck.test", + "searchValue": "", + "expectedValue": "Healthcheck should be enabled.", + "actualValue": "Healthcheck is disabled." } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json index d6bc58b1336..da189b93119 100644 --- a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Host Namespace is Shared", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.service_name_2.pid", + "searchKey": "services.service_name_1.pid", "searchValue": "", "expectedValue": "There shouldn't be pid mode declared as host", "actualValue": "There is a pid mode declared as host" @@ -14,11 +14,11 @@ { "queryName": "Host Namespace is Shared", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 6, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.service_name_1.pid", + "searchKey": "services.service_name_2.pid", "searchValue": "", "expectedValue": "There shouldn't be pid mode declared as host", "actualValue": "There is a pid mode declared as host" diff --git a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json index bcf28bfb354..a79c98cfdc7 100644 --- a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json @@ -2,38 +2,26 @@ { "queryName": "Memory Not Limited", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "services.criwhat", - "searchValue": "", - "expectedValue": "For mem_limit should be declared.", - "actualValue": "There is no mem_limit declared." - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 5, - "filename": "positive5.yaml", + "line": 9, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.redis.deploy", + "searchKey": "services.zapzop.deploy.resources.limits", "searchValue": "", - "expectedValue": "'deploy.resources' should be defined", - "actualValue": "'deploy.resources' is not defined" + "expectedValue": "'deploy.resources.limits.memory' should be defined", + "actualValue": "'deploy.resources.limits.memory' is not defined" }, { "queryName": "Memory Not Limited", "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.zapzop.deploy.resources.limits", + "searchKey": "services.criwhat", "searchValue": "", - "expectedValue": "'deploy.resources.limits.memory' should be defined", - "actualValue": "'deploy.resources.limits.memory' is not defined" + "expectedValue": "For mem_limit should be declared.", + "actualValue": "There is no mem_limit declared." }, { "queryName": "Memory Not Limited", @@ -70,5 +58,17 @@ "searchValue": "", "expectedValue": "'deploy.resources.limits' should be defined", "actualValue": "'deploy.resources.limits' is not defined" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 5, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json index 705c3d1fd6b..9aa8fd1fc1e 100644 --- a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Pids Limit Not Set", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.auth.pids_limit", + "searchKey": "services.auth", "searchValue": "", - "expectedValue": "Pids_limit should be limited.", - "actualValue": "Pids_limit is not limited." + "expectedValue": "Pids_limit should be defined.", + "actualValue": "Pids_limit is not defined." }, { "queryName": "Pids Limit Not Set", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.auth", + "searchKey": "services.auth.pids_limit", "searchValue": "", - "expectedValue": "Pids_limit should be defined.", - "actualValue": "Pids_limit is not defined." + "expectedValue": "Pids_limit should be limited.", + "actualValue": "Pids_limit is not limited." } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json index 81282e65e6a..fe98f83384b 100644 --- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", - "line": 11, - "filename": "positive12.yaml", + "line": 5, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.webapp.ports", + "searchKey": "services.dhcpd.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." @@ -14,11 +14,11 @@ { "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.webapp.ports", + "searchKey": "services.dhcp_client.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." @@ -27,7 +27,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive8.yaml", + "filename": "positive10.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -39,7 +39,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive4.yaml", + "filename": "positive11.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -50,11 +50,11 @@ { "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", - "line": 12, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive12.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.dhcp_client.ports", + "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." @@ -62,11 +62,11 @@ { "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.dhcpd.ports", + "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." @@ -75,7 +75,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive7.yaml", + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -87,7 +87,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive11.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -99,7 +99,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive10.yaml", + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -111,7 +111,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive5.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -123,7 +123,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml", + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", @@ -135,7 +135,7 @@ "queryName": "Privileged Ports Mapped In Container", "severity": "MEDIUM", "line": 11, - "filename": "positive6.yaml", + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.ports", diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json index 09aeb16c21a..a81de66ab40 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.name_of_service.restart", + "searchKey": "services.customer.restart", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", "actualValue": "on-failure restart attempts are not 5" @@ -26,11 +26,11 @@ { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml", + "line": 15, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.customer.restart", + "searchKey": "services.name_of_service.restart", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", "actualValue": "on-failure restart attempts are not 5" diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json index 5b642c780dd..874e39666fd 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Shared Host IPC Namespace", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.privileged", @@ -14,8 +14,8 @@ { "queryName": "Shared Host IPC Namespace", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.webapp.privileged", diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json index 9ac66ec779a..49bf1d74bbc 100644 --- a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Shared Volumes Between Containers", "severity": "INFO", - "line": 16, + "line": 9, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.backend.volumes", + "searchKey": "services.frontend.volumes", "searchValue": "shared", "expectedValue": "There shouldn't be volumes shared between containers", "actualValue": "Volume ./logic:/app shared between containers" @@ -14,11 +14,11 @@ { "queryName": "Shared Volumes Between Containers", "severity": "INFO", - "line": 9, + "line": 16, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.frontend.volumes", + "searchKey": "services.backend.volumes", "searchValue": "shared", "expectedValue": "There shouldn't be volumes shared between containers", "actualValue": "Volume ./logic:/app shared between containers" diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json index 87619df51f6..b71575c3566 100644 --- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Volume Has Sensitive Host Directory", "severity": "HIGH", - "line": 14, - "filename": "positive3.yaml", + "line": 11, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "volumes.wp-content.driver_opts.mountpoint", + "searchKey": "services.backup.volumes", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/var/data) mounted as a volume" + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" }, { "queryName": "Volume Has Sensitive Host Directory", "severity": "HIGH", - "line": 11, - "filename": "positive1.yaml", + "line": 18, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.backup.volumes", + "searchKey": "volumes.vol.driver_opts.device", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" @@ -26,25 +26,25 @@ { "queryName": "Volume Has Sensitive Host Directory", "severity": "HIGH", - "line": 11, - "filename": "positive4.yaml", + "line": 14, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "services.yesno.volumes.source", + "searchKey": "volumes.wp-content.driver_opts.mountpoint", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume" + "actualValue": "There is a sensitive directory (/var/data) mounted as a volume" }, { "queryName": "Volume Has Sensitive Host Directory", "severity": "HIGH", - "line": 18, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "volumes.vol.driver_opts.device", + "searchKey": "services.yesno.volumes.source", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" + "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume" } ] \ No newline at end of file diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json index a68b6f087e0..6ff6e19a3ea 100644 --- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json @@ -3,48 +3,48 @@ "queryName": "Volume Mounted In Multiple Containers", "severity": "HIGH", "line": 15, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: rslave" + "actualValue": "Volumes are being mounted in multiple containers, mode: rshared" }, { "queryName": "Volume Mounted In Multiple Containers", "severity": "HIGH", "line": 15, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: slave" + "actualValue": "Volumes are being mounted in multiple containers, mode: shared" }, { "queryName": "Volume Mounted In Multiple Containers", "severity": "HIGH", "line": 15, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: rshared" + "actualValue": "Volumes are being mounted in multiple containers, mode: rslave" }, { "queryName": "Volume Mounted In Multiple Containers", "severity": "HIGH", "line": 15, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: shared" + "actualValue": "Volumes are being mounted in multiple containers, mode: slave" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json index 11e867821b6..549219c477e 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 5, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}", + "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", "actualValue": "After using apt-get install, the apt-get lists were not deleted" @@ -14,11 +14,11 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 8, + "line": 5, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", "actualValue": "After using apt-get install, the apt-get lists were not deleted" @@ -26,11 +26,11 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 12, + "line": 8, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", "actualValue": "After using apt-get install, the apt-get lists were not deleted" @@ -38,11 +38,11 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 2, - "filename": "positive2.dockerfile", + "line": 12, + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}", + "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", "actualValue": "After using apt-get install, the apt-get lists were not deleted" @@ -51,10 +51,10 @@ "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", "line": 2, - "filename": "positive.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", "actualValue": "After using apt-get install, the apt-get lists were not deleted" diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index 15afdbb7da1..3d9740b5838 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -2,23 +2,11 @@ { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pyqt5", - "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" - }, - { - "queryName": "Apt Get Install Pin Version Not Defined", - "severity": "MEDIUM", - "line": 3, - "filename": "positive2.dockerfile", - "resourceType": "", - "resourceName": "", - "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined" @@ -26,11 +14,11 @@ { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.dockerfile", + "line": 3, + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}", + "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined" @@ -39,10 +27,10 @@ "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 6, - "filename": "positive2.dockerfile", + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined" @@ -51,37 +39,37 @@ "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "filename": "positive2.dockerfile", + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 3, + "line": 9, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", - "searchValue": "python", - "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 6, + "line": 9, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}", - "searchValue": "python", - "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -103,42 +91,42 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, + "line": 2, "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-qt4", - "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 9, + "line": 3, "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pip", - "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", - "line": 2, - "filename": "positive.dockerfile", + "line": 6, + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}", + "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined" @@ -147,13 +135,13 @@ "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "filename": "positive.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -167,6 +155,18 @@ "expectedValue": "Package 'python-pip' has version defined", "actualValue": "Package 'python-pip' does not have version defined" }, + { + "queryName": "Apt Get Install Pin Version Not Defined", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" + }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", @@ -183,10 +183,10 @@ "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "filename": "positive.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-qt4", "expectedValue": "Package 'python-qt4' has version defined", "actualValue": "Package 'python-qt4' does not have version defined" diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json index 3defd08e956..5100fabf723 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json @@ -3,180 +3,180 @@ "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive6.dockerfile", + "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input" + "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive2.dockerfile", + "line": 3, + "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input" + "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive3.dockerfile", + "line": 4, + "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", - "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 4, - "filename": "positive1.dockerfile", + "line": 2, + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}", "searchValue": "", - "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive7.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}", "searchValue": "", - "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive5.dockerfile", + "line": 4, + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", - "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 3, - "filename": "positive6.dockerfile", + "line": 2, + "filename": "positive3.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}", + "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}", "searchValue": "", - "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input" + "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive7.dockerfile", + "filename": "positive4.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive5.dockerfile", + "filename": "positive4.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive1.dockerfile", + "filename": "positive5.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}", "searchValue": "", - "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 2, - "filename": "positive4.dockerfile", + "line": 3, + "filename": "positive5.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}", "searchValue": "", - "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 3, - "filename": "positive4.dockerfile", + "line": 2, + "filename": "positive6.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 4, - "filename": "positive2.dockerfile", + "line": 3, + "filename": "positive6.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}", "searchValue": "", - "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", - "line": 3, - "filename": "positive2.dockerfile", + "line": 2, + "filename": "positive7.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}", "searchValue": "", - "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive1.dockerfile", + "filename": "positive7.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}", "searchValue": "", - "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input", - "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json index 91a31177113..4a5e2602100 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "APT-GET Not Avoiding Additional Packages", "severity": "INFO", - "line": 3, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", "searchValue": "", - "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages", - "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages" + "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages" }, { "queryName": "APT-GET Not Avoiding Additional Packages", "severity": "INFO", - "line": 2, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", - "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages", - "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages" + "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json index b270d6ed83d..7dab9f6db79 100644 --- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 4, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}", + "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}", "searchValue": "", - "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'", - "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :" + "expectedValue": "RUN gem install bundler is 'gem install :'", + "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :" }, { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 3, + "line": 4, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}", + "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}", "searchValue": "", - "expectedValue": "RUN gem install bundler is 'gem install :'", - "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :" + "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'", + "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :" }, { "queryName": "Gem Install Without Version", diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json index a4cb7236894..b7881a7a5a2 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Healthcheck Instruction Missing", "severity": "LOW", - "line": 7, - "filename": "positive2.dockerfile", + "line": 1, + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:latest }}", + "searchKey": "FROM={{node:alpine}}", "searchValue": "", "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" @@ -14,11 +14,11 @@ { "queryName": "Healthcheck Instruction Missing", "severity": "LOW", - "line": 1, - "filename": "positive.dockerfile", + "line": 7, + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:alpine}}", + "searchKey": "FROM={{alpine:latest }}", "searchValue": "", "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index 65b3eee8bcb..48db0c8310a 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "FROM alpine:'version'", "actualValue": "FROM alpine'" }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{construction AS final}}", + "searchValue": "", + "expectedValue": "FROM construction:'version'", + "actualValue": "FROM construction'" + }, { "queryName": "Image Version Not Explicit", "severity": "MEDIUM", @@ -35,18 +47,6 @@ "expectedValue": "FROM positive42:'version'", "actualValue": "FROM positive42'" }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "line": 7, - "filename": "positive2.dockerfile", - "resourceType": "", - "resourceName": "", - "searchKey": "FROM={{construction AS final}}", - "searchValue": "", - "expectedValue": "FROM construction:'version'", - "actualValue": "FROM construction'" - }, { "queryName": "Image Version Not Explicit", "severity": "MEDIUM", diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json index d628b0435a6..fac30bcf83c 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json @@ -3,19 +3,19 @@ "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "filename": "positive3.dockerfile", + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}", - "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}", + "searchValue": "dnf install docker-ce", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 10, - "filename": "positive2.dockerfile", + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", @@ -39,7 +39,7 @@ "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 10, - "filename": "positive.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", @@ -51,13 +51,13 @@ "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "filename": "positive.dockerfile", + "filename": "positive3.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}", - "searchValue": "dnf install docker-ce", + "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}", + "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set" }, { "queryName": "Missing Flag From Dnf Install", diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json index 98616ff77ad..1564337d4a8 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Missing User Instruction", "severity": "HIGH", - "line": 7, - "filename": "positive2.dockerfile", + "line": 1, + "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:latest }}", + "searchKey": "FROM={{python:2.7}}", "searchValue": "", "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" @@ -14,11 +14,11 @@ { "queryName": "Missing User Instruction", "severity": "HIGH", - "line": 1, - "filename": "positive.dockerfile", + "line": 7, + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{python:2.7}}", + "searchKey": "FROM={{alpine:latest }}", "searchValue": "", "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index fd4c123d44c..37c192357b2 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 3, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}", + "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}", "searchValue": "", "expectedValue": "Package version should be specified when using 'dnf install'", "actualValue": "Package version should be pinned when running ´dnf install´" @@ -14,11 +14,11 @@ { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 2, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}", + "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}", "searchValue": "", "expectedValue": "Package version should be specified when using 'dnf install'", "actualValue": "Package version should be pinned when running ´dnf install´" diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json index 69bd3a76e20..5bf17f8e884 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "filename": "positive2.dockerfile", + "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}", + "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}", "searchValue": "", - "expectedValue": "There isn´t any COPY instruction that could be grouped", - "actualValue": "There are COPY instructions that could be grouped" + "expectedValue": "There isn´t any RUN instruction that could be grouped", + "actualValue": "There are RUN instructions that could be grouped" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "filename": "positive1.dockerfile", + "filename": "positive2.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}", + "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}", "searchValue": "", - "expectedValue": "There isn´t any RUN instruction that could be grouped", - "actualValue": "There are RUN instructions that could be grouped" + "expectedValue": "There isn´t any COPY instruction that could be grouped", + "actualValue": "There are COPY instructions that could be grouped" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index 400ea8922ab..0b4412080b6 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json @@ -2,85 +2,85 @@ { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 8, + "line": 2, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}", "searchValue": "", - "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version", - "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 7, + "line": 3, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}", "searchValue": "", - "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version", - "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 3, + "line": 4, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}", "searchValue": "", - "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 6, + "line": 5, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}", "searchValue": "", - "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 4, + "line": 6, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}", "searchValue": "", - "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 2, + "line": 7, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}", + "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}", "searchValue": "", - "expectedValue": "'RUN npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version" + "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version", + "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version" }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", - "line": 5, + "line": 8, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}", + "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}", "searchValue": "", - "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version" + "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version", + "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json index 127b66a9f60..53c06626976 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json @@ -14,11 +14,11 @@ { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 11, + "line": 8, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}", + "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" @@ -26,11 +26,11 @@ { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 8, + "line": 9, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}", + "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" @@ -50,11 +50,11 @@ { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 9, + "line": 11, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}", + "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json index 4ff1e8a020f..17ea89b4445 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", - "line": 9, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}", + "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}", "searchValue": "", "expectedValue": "Using WORKDIR to change directory", - "actualValue": "RUN cd ../share/nginx/html'" + "actualValue": "RUN cd /../share/nginx/html'" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", - "line": 3, + "line": 9, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}", + "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}", "searchValue": "", "expectedValue": "Using WORKDIR to change directory", - "actualValue": "RUN cd /../share/nginx/html'" + "actualValue": "RUN cd ../share/nginx/html'" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json index 7fe7288b2fd..665d395140c 100644 --- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 8, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}", + "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}", "searchValue": "", "expectedValue": "Exclusively using 'wget' or 'curl'", "actualValue": "Using both 'wget' and 'curl'" @@ -26,11 +26,11 @@ { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 3, + "line": 8, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}", + "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}", "searchValue": "", "expectedValue": "Exclusively using 'wget' or 'curl'", "actualValue": "Using both 'wget' and 'curl'" diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json index 05a5753b0e6..5035c16d89a 100644 --- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 5, + "line": 4, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}", "searchValue": "", "expectedValue": "There should be no dangerous commands or utilities executed", - "actualValue": "Run instruction is executing the ps command" + "actualValue": "Run instruction is executing the top command" }, { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 4, + "line": 5, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}", "searchValue": "", "expectedValue": "There should be no dangerous commands or utilities executed", - "actualValue": "Run instruction is executing the top command" + "actualValue": "Run instruction is executing the ps command" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json index 74624538517..f54f5c2b364 100644 --- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json +++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 3, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}", - "searchValue": "/bin/bash", - "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.", - "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash." + "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}", + "searchValue": "zsh", + "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.", + "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh." }, { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 2, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}", - "searchValue": "zsh", - "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.", - "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh." + "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}", + "searchValue": "/bin/bash", + "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.", + "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash." } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json index b101aa5c36e..fd583f9c28c 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 16, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}", + "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form" + "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 2, + "line": 13, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form" + "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", @@ -38,14 +38,14 @@ { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 13, + "line": 16, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form" + "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form" }, { "queryName": "Unpinned Package Version in Apk Add", diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json index 792be694135..1df44711bab 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 4, + "line": 3, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}", + "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction connexion does not use package pinning form" + "actualValue": "RUN instruction pip install --user pip does not use package pinning form" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 3, + "line": 4, "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}", + "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction pip install --user pip does not use package pinning form" + "actualValue": "RUN instruction connexion does not use package pinning form" }, { "queryName": "Unpinned Package Version in Pip Install", diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json index 2290444f779..f5c28029c51 100644 --- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json +++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive4.dockerfile", + "filename": "positive1.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}", + "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}", "searchValue": "", - "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", @@ -27,60 +27,60 @@ "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive1.dockerfile", + "filename": "positive3.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}", + "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}", "searchValue": "", - "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive3.dockerfile", + "filename": "positive4.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}", + "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}", "searchValue": "", - "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive6.dockerfile", + "filename": "positive5.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}", + "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}", "searchValue": "", - "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive7.dockerfile", + "filename": "positive6.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}", + "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}", "searchValue": "", - "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement" }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "filename": "positive5.dockerfile", + "filename": "positive7.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}", + "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}", "searchValue": "", - "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement" + "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json index 7525534aa3f..b1ff288c4cd 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Yum Install Allows Manual Input", "severity": "LOW", - "line": 4, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}", + "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}", "searchValue": "", - "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input" + "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input", + "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input" }, { "queryName": "Yum Install Allows Manual Input", "severity": "LOW", - "line": 3, + "line": 4, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}", + "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}", "searchValue": "", - "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input", - "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input" + "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json index 8056fb26a37..8e3bc26b4b7 100644 --- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Yum install Without Version", "severity": "MEDIUM", - "line": 3, + "line": 2, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}", "searchValue": "httpd", "expectedValue": "The package version should always be specified when using yum install", "actualValue": "No version is specified in package 'httpd'" @@ -14,11 +14,11 @@ { "queryName": "Yum install Without Version", "severity": "MEDIUM", - "line": 2, + "line": 3, "filename": "positive.dockerfile", "resourceType": "", "resourceName": "", - "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}", + "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}", "searchValue": "httpd", "expectedValue": "The package version should always be specified when using yum install", "actualValue": "No version is specified in package 'httpd'" diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json index dcedb4e7105..dcf77c43997 100644 --- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Bucket Without Versioning", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "storage.v1.bucket", "resourceName": "bucket", - "searchKey": "resources.name={{bucket}}.properties.versioning.enabled", + "searchKey": "resources.name={{bucket}}.properties", "searchValue": "", - "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is false" + "expectedValue": "'versioning' should be defined and not null", + "actualValue": "'versioning' is undefined or null" }, { "queryName": "Bucket Without Versioning", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.yaml", "resourceType": "storage.v1.bucket", "resourceName": "bucket", - "searchKey": "resources.name={{bucket}}.properties", + "searchKey": "resources.name={{bucket}}.properties.versioning.enabled", "searchValue": "", - "expectedValue": "'versioning' should be defined and not null", - "actualValue": "'versioning' is undefined or null" + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json index fad2816f1b1..f5b94306321 100644 --- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 8, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate", + "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", - "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true", - "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false" + "expectedValue": "'masterAuth' should be defined and not null", + "actualValue": "'masterAuth' is undefined or null" }, { "queryName": "Client Certificate Disabled", @@ -26,13 +26,13 @@ { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 4, - "filename": "positive1.yaml", + "line": 8, + "filename": "positive3.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties", + "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate", "searchValue": "", - "expectedValue": "'masterAuth' should be defined and not null", - "actualValue": "'masterAuth' is undefined or null" + "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true", + "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index f1f97cfbe59..8b65ba4586b 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "dns.v1.managedZone", + "resourceName": "dns", + "searchKey": "resources.name={{dns}}.properties", + "searchValue": "", + "expectedValue": "'dnssecConfig' should be defined and not null", + "actualValue": "'dnssecConfig' is undefined or null" + }, { "queryName": "Cloud DNS Without DNSSEC", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'state' should be set to 'on'", "actualValue": "'state' is not set to 'on'" - }, - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", - "resourceType": "dns.v1.managedZone", - "resourceName": "dns", - "searchKey": "resources.name={{dns}}.properties", - "searchValue": "", - "expectedValue": "'dnssecConfig' should be defined and not null", - "actualValue": "'dnssecConfig' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 31af029d422..2711d52ce75 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 7, - "filename": "positive2.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "storage.v1.bucket", "resourceName": "storage-bucket", - "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", - "searchValue": "", - "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", - "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" + "searchKey": "resources.name={{storage-bucket}}.properties", + "searchValue": "acl", + "expectedValue": "'acl' should be defined", + "actualValue": "'acl' is undefined or null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 4, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "storage.v1.bucket", "resourceName": "storage-bucket", "searchKey": "resources.name={{storage-bucket}}.properties", - "searchValue": "acl", - "expectedValue": "'acl' should be defined", - "actualValue": "'acl' is undefined or null" + "searchValue": "defaultObjectAcl", + "expectedValue": "'defaultObjectAcl' should be defined", + "actualValue": "'defaultObjectAcl' is undefined or null" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", "line": 4, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "storage.v1.bucket", "resourceName": "storage-bucket", "searchKey": "resources.name={{storage-bucket}}.properties", @@ -38,14 +38,14 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 4, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.yaml", "resourceType": "storage.v1.bucket", "resourceName": "storage-bucket", - "searchKey": "resources.name={{storage-bucket}}.properties", - "searchValue": "defaultObjectAcl", - "expectedValue": "'defaultObjectAcl' should be defined", - "actualValue": "'defaultObjectAcl' is undefined or null" + "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", + "searchValue": "", + "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", + "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index d047a22161d..bdbb15c2ac8 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -15,7 +15,7 @@ "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml", + "filename": "positive2.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties.masterAuth", @@ -27,7 +27,7 @@ "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties.masterAuth", diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json index 332646a83dd..6c58690ea95 100644 --- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.yaml", + "line": 8, + "filename": "positive1.yaml", "resourceType": "compute.v1.instance", - "resourceName": "vm-template3", - "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey", + "resourceName": "vm-template", + "searchKey": "resources.name={{vm-template}}.properties.disks", "searchValue": "", - "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", - "actualValue": "'diskEncryptionKey.rawKey' is empty" + "expectedValue": "'diskEncryptionKey' should be defined and not null", + "actualValue": "'diskEncryptionKey' is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.yaml", + "line": 18, + "filename": "positive1.yaml", "resourceType": "compute.v1.disk", - "resourceName": "disk-4-data", - "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey", + "resourceName": "disk-3-data", + "searchKey": "resources.name={{disk-3-data}}.properties.disks", "searchValue": "", - "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", - "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" + "expectedValue": "'diskEncryptionKey' should be defined and not null", + "actualValue": "'diskEncryptionKey' is undefined or null" }, { "queryName": "Disk Encryption Disabled", @@ -38,26 +38,26 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.yaml", + "line": 23, + "filename": "positive2.yaml", "resourceType": "compute.v1.disk", - "resourceName": "disk-3-data", - "searchKey": "resources.name={{disk-3-data}}.properties.disks", + "resourceName": "disk-4-data", + "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey", "searchValue": "", - "expectedValue": "'diskEncryptionKey' should be defined and not null", - "actualValue": "'diskEncryptionKey' is undefined or null" + "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", + "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", + "line": 16, + "filename": "positive3.yaml", "resourceType": "compute.v1.instance", - "resourceName": "vm-template", - "searchKey": "resources.name={{vm-template}}.properties.disks", + "resourceName": "vm-template3", + "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey", "searchValue": "", - "expectedValue": "'diskEncryptionKey' should be defined and not null", - "actualValue": "'diskEncryptionKey' is undefined or null" + "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", + "actualValue": "'diskEncryptionKey.rawKey' is empty" }, { "queryName": "Disk Encryption Disabled", diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json index 3f7a9bcdbad..e0fad579f92 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", - "searchValue": "", - "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", - "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", @@ -23,6 +23,18 @@ "expectedValue": "'networkPolicy' should be defined and not null", "actualValue": "'networkPolicy' is undefined or null" }, + { + "queryName": "Network Policy Disabled", + "severity": "MEDIUM", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" + }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", @@ -39,19 +51,19 @@ "queryName": "Network Policy Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "addonsConfig", - "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" + "searchValue": "networkPolicy", + "expectedValue": "'networkPolicy' should be defined and not null", + "actualValue": "'networkPolicy' is undefined or null" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.yaml", + "line": 8, + "filename": "positive3.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", @@ -74,25 +86,13 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", - "resourceType": "container.v1.cluster", - "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "addonsConfig", - "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" - }, - { - "queryName": "Network Policy Disabled", - "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive4.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "networkPolicy", - "expectedValue": "'networkPolicy' should be defined and not null", - "actualValue": "'networkPolicy' is undefined or null" + "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", + "searchValue": "", + "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", + "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index b6325c907a6..a69ad964be8 100644 --- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -14,14 +14,14 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive4.yaml", + "line": 6, + "filename": "positive2.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade", + "searchKey": "resources.name={{cluster}}.properties.nodePools", "searchValue": "", - "expectedValue": "'nodePools.management.autoUpgrade' should be true", - "actualValue": "'nodePools.management.autoUpgrade' is false" + "expectedValue": "'nodePools.management' should be defined and not null", + "actualValue": "'nodePools.management' is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", @@ -38,13 +38,13 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml", + "line": 9, + "filename": "positive4.yaml", "resourceType": "container.v1.cluster", "resourceName": "cluster", - "searchKey": "resources.name={{cluster}}.properties.nodePools", + "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade", "searchValue": "", - "expectedValue": "'nodePools.management' should be defined and not null", - "actualValue": "'nodePools.management' is undefined or null" + "expectedValue": "'nodePools.management.autoUpgrade' should be true", + "actualValue": "'nodePools.management.autoUpgrade' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json index 51b13f3c6b7..02e964ea94f 100644 --- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "container.v1.cluster", - "resourceName": "mycluster2", - "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint", + "resourceName": "mycluster", + "searchKey": "resources.name={{mycluster}}.properties", "searchValue": "", - "expectedValue": "'enablePrivateEndpoint' should be set to true", - "actualValue": "'enablePrivateEndpoint' is set to false" + "expectedValue": "'privateClusterConfig' should be defined and not null", + "actualValue": "'privateClusterConfig' is undefined or null" }, { "queryName": "Private Cluster Disabled", @@ -26,13 +26,13 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.yaml", "resourceType": "container.v1.cluster", - "resourceName": "mycluster", - "searchKey": "resources.name={{mycluster}}.properties", + "resourceName": "mycluster2", + "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint", "searchValue": "", - "expectedValue": "'privateClusterConfig' should be defined and not null", - "actualValue": "'privateClusterConfig' is undefined or null" + "expectedValue": "'enablePrivateEndpoint' should be set to true", + "actualValue": "'enablePrivateEndpoint' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 7e5ea6f059d..60fa7d25fa9 100644 --- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.yaml", + "line": 4, + "filename": "positive1.yaml", "resourceType": "compute.v1.instance", "resourceName": "vm", - "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key", + "searchKey": "resources.name={{vm}}.properties", "searchValue": "", - "expectedValue": "'metadata.items[1].value' should be true", - "actualValue": "'metadata.items[1].value' is false" + "expectedValue": "'metadata' should be defined and not null", + "actualValue": "'metadata' is undefined or null" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -26,13 +26,13 @@ { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive3.yaml", "resourceType": "compute.v1.instance", "resourceName": "vm", - "searchKey": "resources.name={{vm}}.properties", + "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key", "searchValue": "", - "expectedValue": "'metadata' should be defined and not null", - "actualValue": "'metadata' is undefined or null" + "expectedValue": "'metadata.items[1].value' should be true", + "actualValue": "'metadata.items[1].value' is false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 177d073a68b..273bdd42844 100644 --- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", "line": 14, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "compute.v1.firewall", "resourceName": "firewall", "searchKey": "resources.name={{firewall}}.properties.allowed", @@ -15,7 +15,7 @@ "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", "line": 14, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "compute.v1.firewall", "resourceName": "firewall", "searchKey": "resources.name={{firewall}}.properties.allowed", diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json index 9049581f403..c440145bc5a 100644 --- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "'shieldedInstanceConfig' should be defined and not null", "actualValue": "'shieldedInstanceConfig' is undefined or null" }, - { - "queryName": "Shielded VM Disabled", - "severity": "MEDIUM", - "line": 18, - "filename": "positive2.yaml", - "resourceType": "compute.v1.instance", - "resourceName": "vm-template2", - "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot", - "searchValue": "", - "expectedValue": "'enableSecureBoot' should be set to true", - "actualValue": "'enableSecureBoot' is set to false" - }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", @@ -46,5 +34,17 @@ "searchValue": "enableVtpm", "expectedValue": "'enableVtpm' should be defined and not null", "actualValue": "'enableVtpm' is undefined or null" + }, + { + "queryName": "Shielded VM Disabled", + "severity": "MEDIUM", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot", + "searchValue": "", + "expectedValue": "'enableSecureBoot' should be set to true", + "actualValue": "'enableSecureBoot' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 6e5e8088800..9fd2a201b3f 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.yaml", + "line": 5, + "filename": "positive1.yaml", "resourceType": "sqladmin.v1beta4.instance", "resourceName": "sql-instance", - "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration", + "searchKey": "resources.name={{sql-instance}}.properties.settings", "searchValue": "", - "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null", - "actualValue": "'settings.backupConfiguration.enabled' is undefined or null" + "expectedValue": "'settings.backupConfiguration' should be defined and not null", + "actualValue": "'settings.backupConfiguration' is undefined or null" }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", + "line": 7, + "filename": "positive2.yaml", "resourceType": "sqladmin.v1beta4.instance", "resourceName": "sql-instance", - "searchKey": "resources.name={{sql-instance}}.properties.settings", + "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration", "searchValue": "", - "expectedValue": "'settings.backupConfiguration' should be defined and not null", - "actualValue": "'settings.backupConfiguration' is undefined or null" + "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null", + "actualValue": "'settings.backupConfiguration.enabled' is undefined or null" }, { "queryName": "SQL DB Instance Backup Disabled", diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 088937e5c88..6dfd6951963 100644 --- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 4, - "filename": "positive3.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "compute.v1.firewall", "resourceName": "firewall", - "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)", "searchValue": "", "expectedValue": "'allowed[0].ports' to not include SSH port 22", "actualValue": "'allowed[0].ports' includes SSH port 22" @@ -26,11 +26,11 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive3.yaml", "resourceType": "compute.v1.firewall", "resourceName": "firewall", - "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)", "searchValue": "", "expectedValue": "'allowed[0].ports' to not include SSH port 22", "actualValue": "'allowed[0].ports' includes SSH port 22" diff --git a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json index 839f4d35f59..d76e18dfebd 100644 --- a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json +++ b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 10, + "line": 3, "filename": "positive.proto", "resourceType": "", "resourceName": "", - "searchKey": "enum[NOT_CAMEL_CASE]", + "searchKey": "enum[noInitCap]", "searchValue": "", "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", "actualValue": "Enum Name doesn't follow CamelCase" @@ -14,11 +14,11 @@ { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 3, + "line": 10, "filename": "positive.proto", "resourceType": "", "resourceName": "", - "searchKey": "enum[noInitCap]", + "searchKey": "enum[NOT_CAMEL_CASE]", "searchValue": "", "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", "actualValue": "Enum Name doesn't follow CamelCase" diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json index 07d5200a7fb..099c55003ef 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -11,23 +11,11 @@ "expectedValue": "--anonymous-auth flag should be set to false", "actualValue": "--anonymous-auth flag is set to true" }, - { - "queryName": "Anonymous Auth Is Not Set To False", - "severity": "MEDIUM", - "line": 7, - "filename": "positive6.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", - "searchValue": "", - "expectedValue": "authentication.anonymous.enabled attribute should be false", - "actualValue": "authentication.anonymous.enabled attribute is true" - }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -35,23 +23,11 @@ "expectedValue": "--anonymous-auth flag should be set to false", "actualValue": "--anonymous-auth flag is set to true" }, - { - "queryName": "Anonymous Auth Is Not Set To False", - "severity": "MEDIUM", - "line": 9, - "filename": "positive5.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", - "searchValue": "", - "expectedValue": "authentication.anonymous.enabled attribute should be false", - "actualValue": "authentication.anonymous.enabled attribute is true" - }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml", + "filename": "positive3.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "--anonymous-auth flag should be set to false", "actualValue": "--anonymous-auth flag is set to true" + }, + { + "queryName": "Anonymous Auth Is Not Set To False", + "severity": "MEDIUM", + "line": 9, + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true" + }, + { + "queryName": "Anonymous Auth Is Not Set To False", + "severity": "MEDIUM", + "line": 7, + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json index 7d562a07ea3..710d1e1cd4d 100644 --- a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json @@ -3,22 +3,22 @@ "queryName": "Audit Log Maxage Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", + "actualValue": "--audit-log-maxage flag is set to less than 30 days" }, { "queryName": "Audit Log Maxage Not Properly Set", "severity": "LOW", - "line": 40, - "filename": "positive3.yaml", - "resourceType": "Revision", - "resourceName": "dummy-rev", - "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", "actualValue": "--audit-log-maxage flag is not defined" @@ -50,11 +50,11 @@ { "queryName": "Audit Log Maxage Not Properly Set", "severity": "LOW", - "line": 55, + "line": 40, "filename": "positive3.yaml", - "resourceType": "ContainerSource", - "resourceName": "dummy-cs", - "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", "actualValue": "--audit-log-maxage flag is not defined" @@ -62,13 +62,13 @@ { "queryName": "Audit Log Maxage Not Properly Set", "severity": "LOW", - "line": 11, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", - "actualValue": "--audit-log-maxage flag is set to less than 30 days" + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json index 4a9208cb4db..f75e8071dad 100644 --- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json @@ -3,23 +3,11 @@ "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is not defined" - }, - { - "queryName": "Audit Log Maxbackup Not Properly Set", - "severity": "LOW", - "line": 27, - "filename": "positive3.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", - "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, @@ -27,22 +15,34 @@ "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is not defined" + }, + { + "queryName": "Audit Log Maxbackup Not Properly Set", + "severity": "LOW", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 55, + "line": 27, "filename": "positive3.yaml", - "resourceType": "ContainerSource", - "resourceName": "dummy-cs", - "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" @@ -62,11 +62,11 @@ { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", - "line": 12, + "line": 55, "filename": "positive3.yaml", - "resourceType": "Service", - "resourceName": "dummy", - "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json index 2aabbc0339f..8d9b1a14b34 100644 --- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 40, - "filename": "positive3.yaml", - "resourceType": "Revision", - "resourceName": "dummy-rev", - "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" @@ -15,13 +15,13 @@ "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is not defined" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -50,11 +50,11 @@ { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 55, + "line": 40, "filename": "positive3.yaml", - "resourceType": "ContainerSource", - "resourceName": "dummy-cs", - "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" @@ -62,13 +62,13 @@ { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", - "line": 11, - "filename": "positive2.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is not defined" + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" } ] \ No newline at end of file diff --git a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json index 18997e91e6c..f1aade87734 100644 --- a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "--audit-log-path flag should be defined", "actualValue": "--audit-log-path flag is not defined" }, - { - "queryName": "Audit Log Path Not Set", - "severity": "MEDIUM", - "line": 55, - "filename": "positive2.yaml", - "resourceType": "ContainerSource", - "resourceName": "dummy-cs", - "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", - "searchValue": "", - "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" - }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", "actualValue": "--audit-log-path flag is not defined" + }, + { + "queryName": "Audit Log Path Not Set", + "severity": "MEDIUM", + "line": 55, + "filename": "positive2.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json index b77bbe14598..4faba1037b1 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "--audit-policy-file flag should be defined", "actualValue": "--audit-policy-file is not defined" }, - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 12, - "filename": "positive3.yaml", - "resourceType": "Service", - "resourceName": "dummy", - "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", - "searchValue": "", - "expectedValue": "--audit-policy-file flag should be defined", - "actualValue": "--audit-policy-file is not defined" - }, { "queryName": "Audit Policy File Not Defined", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "--audit-policy-file flag should have a valid file", "actualValue": "--audit-policy-file does not have a valid file" + }, + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should be defined", + "actualValue": "--audit-policy-file is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index bc1fe79a75e..835aa54617d 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Audit Policy Not Cover Key Security Concerns", + "severity": "LOW", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + }, + { + "queryName": "Audit Policy Not Cover Key Security Concerns", + "severity": "LOW", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", @@ -14,20 +38,20 @@ { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", @@ -43,33 +67,33 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods", - "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", + "line": 6, + "filename": "positive1.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "deployments", - "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -79,9 +103,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "tokenreviews", - "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -115,27 +139,15 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" - }, - { - "queryName": "Audit Policy Not Cover Key Security Concerns", - "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", - "resourceType": "Policy", - "resourceName": "n/a", - "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive2.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", @@ -146,8 +158,8 @@ { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive2.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", @@ -158,14 +170,14 @@ { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", + "line": 4, + "filename": "positive2.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -175,32 +187,20 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", "searchValue": "deployments", "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" - }, - { - "queryName": "Audit Policy Not Cover Key Security Concerns", - "severity": "LOW", - "line": 6, - "filename": "positive1.yaml", - "resourceType": "Policy", - "resourceName": "n/a", - "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" } ] \ No newline at end of file diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json index afb9494a51e..d6f711b4d8d 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json index b5b2273905c..7e9b2f5803f 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index bec261b3343..6b228a66bbb 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -1,21 +1,9 @@ [ - { - "queryName": "Authorization Mode Set To Always Allow", - "severity": "HIGH", - "line": 6, - "filename": "positive6.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", - "searchValue": "", - "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", - "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" - }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive4.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -27,7 +15,7 @@ "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -35,18 +23,6 @@ "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" }, - { - "queryName": "Authorization Mode Set To Always Allow", - "severity": "HIGH", - "line": 11, - "filename": "positive5.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", - "searchValue": "", - "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", - "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" - }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", @@ -63,12 +39,36 @@ "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" + }, + { + "queryName": "Authorization Mode Set To Always Allow", + "severity": "HIGH", + "line": 11, + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" + }, + { + "queryName": "Authorization Mode Set To Always Allow", + "severity": "HIGH", + "line": 6, + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" } ] \ No newline at end of file diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json index f6df0f8f1eb..64ee59c0794 100644 --- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Bind Address Not Properly Set", "severity": "INFO", - "line": 20, - "filename": "positive3.yaml", + "line": 11, + "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "kube-scheduler", - "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", "actualValue": "--bind-address flag is set to a 127.0.01" @@ -27,7 +27,7 @@ "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "filename": "positive4.yaml", + "filename": "positive3.yaml", "resourceType": "Pod", "resourceName": "kube-scheduler", "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", @@ -38,11 +38,11 @@ { "queryName": "Bind Address Not Properly Set", "severity": "INFO", - "line": 11, - "filename": "positive1.yaml", + "line": 20, + "filename": "positive4.yaml", "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", "actualValue": "--bind-address flag is set to a 127.0.01" diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json index 23621f9c6fa..5f34a59ca82 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 2, - "filename": "positive4.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "Client Certification should have a .pem or .crt file", "actualValue": "Client Certification is not properly set" @@ -23,18 +23,6 @@ "expectedValue": "Client Certification should have a .pem or .crt file", "actualValue": "Client Certification is not properly set" }, - { - "queryName": "Client Certificate Authentication Not Setup Properly", - "severity": "HIGH", - "line": 2, - "filename": "positive5.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "", - "expectedValue": "Client Certification should be set", - "actualValue": "Client Certification is not set" - }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", @@ -51,7 +39,19 @@ "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "filename": "positive6.yaml", + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set" + }, + { + "queryName": "Client Certificate Authentication Not Setup Properly", + "severity": "HIGH", + "line": 2, + "filename": "positive5.yaml", "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", @@ -62,13 +62,13 @@ { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", - "line": 11, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "line": 2, + "filename": "positive6.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", - "expectedValue": "Client Certification should have a .pem or .crt file", - "actualValue": "Client Certification is not properly set" + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set" } ] \ No newline at end of file diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index 2a304063247..d3a12a87e3a 100644 --- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", - "line": 13, + "line": 11, "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "sysctl-example", - "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", "searchValue": "", - "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", - "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl" + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl" }, { "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", - "line": 11, + "line": 13, "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "sysctl-example", - "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", "searchValue": "", - "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", - "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl" + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl" }, { "queryName": "Cluster Allows Unsafe Sysctls", diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json index e33293a98af..8e2aed8b61d 100644 --- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true" }, - { - "queryName": "Container Is Privileged", - "severity": "HIGH", - "line": 21, - "filename": "positive2.yaml", - "resourceType": "Deployment", - "resourceName": "test-deployment", - "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", - "searchValue": "", - "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", - "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true" - }, { "queryName": "Container Is Privileged", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true" + }, + { + "queryName": "Container Is Privileged", + "severity": "HIGH", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json index 331771560b3..6c525980ea5 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json @@ -2,62 +2,86 @@ { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 18, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", "searchValue": "Pod", - "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID" + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 38, - "filename": "positive9.yaml", - "resourceType": "Deployment", + "line": 18, + "filename": "positive10.yaml", + "resourceType": "StatefulSet", "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", - "searchValue": "Deployment", - "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 43, - "filename": "positive8.yaml", + "line": 36, + "filename": "positive10.yaml", "resourceType": "Deployment", "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "Deployment", - "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 21, - "filename": "positive8.yaml", - "resourceType": "StatefulSet", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", - "searchValue": "StatefulSet", - "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "filename": "positive9.yaml", - "resourceType": "StatefulSet", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", - "searchValue": "StatefulSet", - "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID" + }, + { + "queryName": "Container Running With Low UID", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" + }, + { + "queryName": "Container Running With Low UID", + "severity": "MEDIUM", + "line": 18, + "filename": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", + "searchValue": "Deployment", + "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", @@ -74,14 +98,14 @@ { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 18, - "filename": "positive10.yaml", - "resourceType": "StatefulSet", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", - "searchValue": "StatefulSet", - "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" + "line": 24, + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" }, { "queryName": "Container Running With Low UID", @@ -98,14 +122,14 @@ { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 12, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", - "searchValue": "Pod", - "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", @@ -134,73 +158,49 @@ { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.yaml", - "resourceType": "Pod", - "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", - "searchValue": "Pod", - "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" + "line": 21, + "filename": "positive8.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "StatefulSet", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 32, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive8.yaml", "resourceType": "Deployment", - "resourceName": "securitydemo", - "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", "searchValue": "Deployment", - "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID" + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "filename": "positive4.yaml", - "resourceType": "Deployment", - "resourceName": "securitydemo", - "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", - "searchValue": "Deployment", - "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" - }, - { - "queryName": "Container Running With Low UID", - "severity": "MEDIUM", - "line": 24, - "filename": "positive5.yaml", - "resourceType": "Deployment", - "resourceName": "securitydemo", - "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", - "searchValue": "Deployment", - "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" - }, - { - "queryName": "Container Running With Low UID", - "severity": "MEDIUM", - "line": 12, - "filename": "positive3.yaml", - "resourceType": "Pod", - "resourceName": "containers-runs-as-root", - "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", - "searchValue": "Pod", - "expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" + "filename": "positive9.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "StatefulSet", + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", - "line": 36, - "filename": "positive10.yaml", + "line": 38, + "filename": "positive9.yaml", "resourceType": "Deployment", "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", "searchValue": "Deployment", - "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" } ] \ No newline at end of file diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json index 11019716dbf..6e0172c76d3 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 42, - "filename": "positive5.yaml", - "resourceType": "Deployment", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", - "searchValue": "Deployment", - "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" - }, { "queryName": "Container Running As Root", "severity": "MEDIUM", @@ -26,98 +14,110 @@ { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 36, - "filename": "positive7.yaml", - "resourceType": "Deployment", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", - "searchValue": "Deployment", - "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "line": 28, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-3", + "searchKey": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 12, - "filename": "positive3.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", - "resourceName": "containers-runs-as-root", - "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", "searchValue": "Pod", - "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 20, - "filename": "positive5.yaml", - "resourceType": "StatefulSet", - "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", - "searchValue": "StatefulSet", - "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 28, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive3.yaml", "resourceType": "Pod", - "resourceName": "security-context-demo-3", - "searchKey": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive4.yaml", "resourceType": "Pod", "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive4.yaml", "resourceType": "Pod", "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 18, - "filename": "positive7.yaml", + "line": 20, + "filename": "positive5.yaml", "resourceType": "StatefulSet", "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", "searchValue": "StatefulSet", - "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 42, + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", @@ -134,37 +134,37 @@ { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml", - "resourceType": "Pod", - "resourceName": "security-context-demo-2", - "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", - "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "line": 37, + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 43, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "security-context-demo-4", - "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", - "searchValue": "Pod", - "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "line": 18, + "filename": "positive7.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", - "line": 37, - "filename": "positive6.yaml", + "line": 36, + "filename": "positive7.yaml", "resourceType": "Deployment", "resourceName": "security-context-demo", - "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "Deployment", - "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json index c31bdd4ba58..c4fe70767c7 100644 --- a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 37, - "filename": "positive.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", - "searchValue": "Configuration", - "expectedValue": "spec.template.spec.containers.name=log-aggregator.resources should have requests defined", - "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined" - }, - { - "queryName": "CPU Requests Not Set", - "severity": "LOW", - "line": 30, + "line": 10, "filename": "positive.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests", - "searchValue": "Configuration", - "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests", - "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests" + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests", + "searchValue": "Pod", + "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests", + "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests" }, { "queryName": "CPU Requests Not Set", @@ -38,13 +26,25 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 10, + "line": 30, "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "frontend", - "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests", - "searchValue": "Pod", - "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests", - "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests" + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests", + "searchValue": "Configuration", + "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests", + "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests" + }, + { + "queryName": "CPU Requests Not Set", + "severity": "LOW", + "line": 37, + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", + "searchValue": "Configuration", + "expectedValue": "spec.template.spec.containers.name=log-aggregator.resources should have requests defined", + "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json index 2f631c8ef32..04bcfa0ce99 100644 --- a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json +++ b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Dashboard Is Enabled", - "severity": "LOW", - "line": 67, - "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "myapp-pod", - "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image", - "searchValue": "", - "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed", - "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed" - }, { "queryName": "Dashboard Is Enabled", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has not kubernetes-dashboard deployed", "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed" + }, + { + "queryName": "Dashboard Is Enabled", + "severity": "LOW", + "line": 67, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "myapp-pod", + "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed", + "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed" } ] \ No newline at end of file diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index d3cc37058ed..18234a79f24 100644 --- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 39, + "line": 19, "filename": "positive.yaml", "resourceType": "Deployment", - "resourceName": "no-affinity", - "searchKey": "metadata.name={{no-affinity}}.spec.template.spec", + "resourceName": "label-mismatch", + "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", "searchValue": "", - "expectedValue": "'spec.template.spec.affinity' should be set", - "actualValue": "'spec.template.spec.affinity' is undefined" + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 19, + "line": 39, "filename": "positive.yaml", "resourceType": "Deployment", - "resourceName": "label-mismatch", - "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "resourceName": "no-affinity", + "searchKey": "metadata.name={{no-affinity}}.spec.template.spec", "searchValue": "", - "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", - "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" + "expectedValue": "'spec.template.spec.affinity' should be set", + "actualValue": "'spec.template.spec.affinity' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index ae9ec79f6ac..3e14f5600a7 100644 --- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" }, - { - "queryName": "Docker Daemon Socket is Exposed to Containers", - "severity": "MEDIUM", - "line": 67, - "filename": "positive.yaml", - "resourceType": "CronJob", - "resourceName": "hello", - "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", - "searchValue": "", - "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", - "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" - }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" + }, + { + "queryName": "Docker Daemon Socket is Exposed to Containers", + "severity": "MEDIUM", + "line": 67, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" } ] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json index ea8f68fecb0..1bc7d32661c 100644 --- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "Etcd Peer Client Certificate Authentication Set To False", "severity": "MEDIUM", "line": 21, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Deployment", "resourceName": "app-etcd-deployment", "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", - "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", - "actualValue": "--peer-client-cert-auth flag is not defined" + "expectedValue": "--peer-client-cert-auth flag should be set to true", + "actualValue": "--peer-client-cert-auth flag is set to false" }, { "queryName": "Etcd Peer Client Certificate Authentication Set To False", "severity": "MEDIUM", "line": 21, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Deployment", "resourceName": "app-etcd-deployment", "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", - "expectedValue": "--peer-client-cert-auth flag should be set to true", - "actualValue": "--peer-client-cert-auth flag is set to false" + "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", + "actualValue": "--peer-client-cert-auth flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 0e9ff661895..a7f5943944c 100644 --- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "--key-file flag should be defined", "actualValue": "--key-file flag is not defined" }, - { - "queryName": "Etcd TLS Certificate Files Not Properly Set", - "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml", - "resourceType": "Deployment", - "resourceName": "app-etcd-deployment", - "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", - "searchValue": "Deployment--cert-file", - "expectedValue": "--cert-file flag should be defined", - "actualValue": "--cert-file flag is not defined" - }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "Deployment--key-file", "expectedValue": "--key-file flag should be defined", "actualValue": "--key-file flag is not defined" + }, + { + "queryName": "Etcd TLS Certificate Files Not Properly Set", + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--cert-file", + "expectedValue": "--cert-file flag should be defined", + "actualValue": "--cert-file flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json index 728585e5f21..220f6476fbe 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Etcd TLS Certificate Not Properly Configured", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-certfile", + "expectedValue": "--etcd-certfile flag should be defined", + "actualValue": "--etcd-certfile flag is not defined" + }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "Pod--etcd-keyfile", "expectedValue": "--etcd-keyfile flag should be defined", "actualValue": "--etcd-keyfile flag is not defined" - }, - { - "queryName": "Etcd TLS Certificate Not Properly Configured", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "Pod--etcd-certfile", - "expectedValue": "--etcd-certfile flag should be defined", - "actualValue": "--etcd-certfile flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json index b820259012c..46dd0470595 100644 --- a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json index ae9231adcad..e4e306a4485 100644 --- a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--insecure-port flag should be defined and set to 0", - "actualValue": "--insecure-port flag is not defined" + "expectedValue": "--insecure-port flag should be set to 0", + "actualValue": "--insecure-port flag is not properly set" }, { "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--insecure-port flag should be set to 0", - "actualValue": "--insecure-port flag is not properly set" + "expectedValue": "--insecure-port flag should be defined and set to 0", + "actualValue": "--insecure-port flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/invalid_image/test/positive_expected_result.json b/assets/queries/k8s/invalid_image/test/positive_expected_result.json index 1f782ebafa8..1f5fd1d6bd4 100644 --- a/assets/queries/k8s/invalid_image/test/positive_expected_result.json +++ b/assets/queries/k8s/invalid_image/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 19, + "line": 8, "filename": "positive.yaml", "resourceType": "Pod", - "resourceName": "private-image-test-33", - "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image", + "resourceName": "private-image-test-3", + "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image", "searchValue": "", - "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", - "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" + "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" }, { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 8, + "line": 19, "filename": "positive.yaml", "resourceType": "Pod", - "resourceName": "private-image-test-3", - "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image", + "resourceName": "private-image-test-33", + "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image", "searchValue": "", - "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", - "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" + "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json index 019d83c3a98..7a939d7299f 100644 --- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -14,14 +14,14 @@ { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", - "line": 25, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "command-demo2", - "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "Pod--kubelet-client-certificate", - "expectedValue": "--kubelet-client-certificate flag should be set", - "actualValue": "--kubelet-client-certificate flag is not set" + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-key", + "expectedValue": "--kubelet-client-key flag should be set", + "actualValue": "--kubelet-client-key flag is not set" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", @@ -38,11 +38,11 @@ { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", + "line": 25, + "filename": "positive2.yaml", "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-certificate", "expectedValue": "--kubelet-client-certificate flag should be set", "actualValue": "--kubelet-client-certificate flag is not set" @@ -51,12 +51,12 @@ "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive3.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "Pod--kubelet-client-key", - "expectedValue": "--kubelet-client-key flag should be set", - "actualValue": "--kubelet-client-key flag is not set" + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json index 77080f999e5..0ddce75b1a0 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is not set (default is false)" + "expectedValue": "--rotate-certificates flag should be true", + "actualValue": "--rotate-certificates flag is false" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive4.yaml", + "line": 8, + "filename": "positive2.yaml", "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is not set (default is false)" + "actualValue": "rotateCertificates is false" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "line": 6, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", - "expectedValue": "--rotate-certificates flag should be true", - "actualValue": "--rotate-certificates flag is false" + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is not set (default is false)" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml", + "line": 2, + "filename": "positive4.yaml", "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is false" + "actualValue": "rotateCertificates is not set (default is false)" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json index 1c67ad18c85..dc93300e34b 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Kubelet Event QPS Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Kubelet Event QPS Not Properly Set", "severity": "LOW", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -26,25 +26,25 @@ { "queryName": "Kubelet Event QPS Not Properly Set", "severity": "LOW", - "line": 2, - "filename": "positive4.yaml", + "line": 5, + "filename": "positive3.yaml", "resourceType": "KubeletConfiguration", "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}", + "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS", "searchValue": "", "expectedValue": "eventRecordQPS flag should set to 0", - "actualValue": "eventRecordQPS flag is not defined" + "actualValue": "eventRecordQPS flag is not set to 0" }, { "queryName": "Kubelet Event QPS Not Properly Set", "severity": "LOW", - "line": 5, - "filename": "positive3.yaml", + "line": 2, + "filename": "positive4.yaml", "resourceType": "KubeletConfiguration", "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS", + "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "eventRecordQPS flag should set to 0", - "actualValue": "eventRecordQPS flag is not set to 0" + "actualValue": "eventRecordQPS flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json index a3f82622c48..d1a2db55878 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Kubelet Hostname Override Is Set", "severity": "LOW", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Kubelet Hostname Override Is Set", "severity": "LOW", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json index 4596f06c0ad..b10fe3d9a0d 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", - "searchValue": "", - "expectedValue": "makeIPTablesUtilChains should be true", - "actualValue": "makeIPTablesUtilChains is false" - }, { "queryName": "Kubelet Not Managing Ip Tables", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "makeIPTablesUtilChains should be true", "actualValue": "makeIPTablesUtilChains is false" + }, + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", + "searchValue": "", + "expectedValue": "makeIPTablesUtilChains should be true", + "actualValue": "makeIPTablesUtilChains is false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json index 6f9f8dc4b9e..86312abd078 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "", - "expectedValue": "protectKernelDefaults flag should defined to true", - "actualValue": "protectKernelDefaults flag is not defined" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 5, - "filename": "positive3.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults", - "searchValue": "", - "expectedValue": "protectKernelDefaults flag should defined to true", - "actualValue": "protectKernelDefaults flag is set to false" - }, { "queryName": "Kubelet Protect Kernel Defaults Set To False", "severity": "MEDIUM", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "--protect-kernel-defaults flag should not be set to false", "actualValue": "--protect-kernel-defaults flag is set to false" + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is set to false" + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 2, + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json index 266d0dc0727..029fcc7a2cf 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Kubelet Read Only Port Is Not Set To Zero", - "severity": "MEDIUM", - "line": 5, - "filename": "positive4.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", - "searchValue": "", - "expectedValue": "readOnlyPort attribute to have value of 0", - "actualValue": "readOnlyPort attribute has value of 1" - }, - { - "queryName": "Kubelet Read Only Port Is Not Set To Zero", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", - "searchValue": "", - "expectedValue": "readOnlyPort attribute to have value of 0", - "actualValue": "readOnlyPort attribute has value of 1" - }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "--read-only-port flag should be '0'", "actualValue": "--read-only-port flag is not set to '0'" + }, + { + "queryName": "Kubelet Read Only Port Is Not Set To Zero", + "severity": "MEDIUM", + "line": 8, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1" + }, + { + "queryName": "Kubelet Read Only Port Is Not Set To Zero", + "severity": "MEDIUM", + "line": 5, + "filename": "positive4.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1" } ] \ No newline at end of file diff --git a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json index 04ab49900ed..40548c625da 100644 --- a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 57, + "line": 8, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "memory-demo-4", - "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}", "searchValue": "", - "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", @@ -35,6 +35,18 @@ "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" }, + { + "queryName": "Memory Limits Not Defined", + "severity": "MEDIUM", + "line": 57, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-4", + "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory should be defined", "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined" - }, - { - "queryName": "Memory Limits Not Defined", - "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "memory-demo-1", - "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}", - "searchValue": "", - "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json index 13b0a94b5f2..291a8fa1b52 100644 --- a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 20, - "filename": "positive2.yaml", - "resourceType": "Deployment", - "resourceName": "test-deployment2", - "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", - "searchValue": "Deployment", - "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo", + "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 40, + "line": 27, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "memory-demo-2", - "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined" + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 13, + "line": 40, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "memory-demo", - "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined" + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", @@ -50,13 +50,13 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "memory-demo-1", - "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", - "searchValue": "Pod", - "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment2", + "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json index 14ec5ce0118..0f2516f27c7 100644 --- a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 36, - "filename": "positive.yaml", - "resourceType": "Deployment", - "resourceName": "ubuntu-test1", - "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata", - "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container", - "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'", - "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile" - }, { "queryName": "Missing AppArmor Profile", "severity": "LOW", @@ -46,5 +34,17 @@ "searchValue": "Podcontainers2", "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations should specify an AppArmor profile for container {{hello3}}", "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 36, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "ubuntu-test1", + "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata", + "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container", + "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile" } ] \ No newline at end of file diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json index e836f7f1b5e..141ab3a4af8 100644 --- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", "severity": "LOW", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -15,7 +15,7 @@ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", "severity": "LOW", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index f6d08915458..5c6e514c2d9 100644 --- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "NET_RAW Capabilities Not Being Dropped", - "severity": "MEDIUM", - "line": 31, - "filename": "positive2.yaml", - "resourceType": "Deployment", - "resourceName": "redis-unhealthy-deployment", - "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}", - "searchValue": "Deployment", - "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined" - }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", @@ -38,25 +26,37 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 23, + "line": 18, "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "example", - "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined" + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 18, + "line": 23, "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "example", - "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined" + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined" + }, + { + "queryName": "NET_RAW Capabilities Not Being Dropped", + "severity": "MEDIUM", + "line": 31, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "redis-unhealthy-deployment", + "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json index aff434d705d..f6fbf239f20 100644 --- a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 28, + "line": 21, "filename": "positive.yaml", "resourceType": "Deployment", "resourceName": "nginx-deployment", - "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities", "searchValue": "Deployment", - "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set", - "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined" + "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined", + "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined" }, { "queryName": "No Drop Capabilities for Containers", @@ -26,13 +26,13 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 21, + "line": 28, "filename": "positive.yaml", "resourceType": "Deployment", "resourceName": "nginx-deployment", - "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3", "searchValue": "Deployment", - "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined", - "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined" + "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set", + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index e2f32500c79..0b170aa4093 100644 --- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 153, - "filename": "positive.yaml", - "resourceType": "PersistentVolume", - "resourceName": "pv-001", - "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", - "searchValue": "", - "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath" - }, - { - "queryName": "Non Kube System Pod With Host Mount", - "severity": "HIGH", - "line": 185, + "line": 40, "filename": "positive.yaml", - "resourceType": "Revision", - "resourceName": "dummy-rev", - "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", "searchValue": "", - "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath '/var/redis/data' mounted", - "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted" + "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted", + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -38,26 +26,14 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 168, - "filename": "positive.yaml", - "resourceType": "PersistentVolume", - "resourceName": "pv-002", - "searchKey": "metadata.name={{pv-002}}.hostPath.path", - "searchValue": "", - "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath", - "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath" - }, - { - "queryName": "Non Kube System Pod With Host Mount", - "severity": "HIGH", - "line": 136, + "line": 59, "filename": "positive.yaml", - "resourceType": "Deployment", - "resourceName": "nginx-deployment-undefined-ns", - "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "resourceType": "Pod", + "resourceName": "redis", + "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", - "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", - "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" + "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -74,37 +50,61 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 59, + "line": 106, "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "redis", - "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", - "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted", - "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted" + "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 106, + "line": 136, "filename": "positive.yaml", "resourceType": "Deployment", - "resourceName": "nginx-deployment", - "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", - "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", - "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" + "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 40, + "line": 153, "filename": "positive.yaml", - "resourceType": "DaemonSet", - "resourceName": "fluentd-elasticsearch", - "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", "searchValue": "", - "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted", - "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted" + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath" + }, + { + "queryName": "Non Kube System Pod With Host Mount", + "severity": "HIGH", + "line": 168, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath" + }, + { + "queryName": "Non Kube System Pod With Host Mount", + "severity": "HIGH", + "line": 185, + "filename": "positive.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted" } ] \ No newline at end of file diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json index 53ff0ea0a89..3988e992d71 100644 --- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json +++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment should be {{apps/v1}}", "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}" }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 23, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "apiVersion={{apps/v1beta2}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}", + "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}" + }, { "queryName": "Object Is Using A Deprecated API Version", "severity": "LOW", @@ -35,18 +47,6 @@ "expectedValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}" }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 23, - "filename": "positive.yaml", - "resourceType": "DaemonSet", - "resourceName": "fluentd-elasticsearch", - "searchKey": "apiVersion={{apps/v1beta2}}", - "searchValue": "DaemonSet", - "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}", - "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}" - }, { "queryName": "Object Is Using A Deprecated API Version", "severity": "LOW", diff --git a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json index 8bd523cc41d..458fa2e8fb8 100644 --- a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 39, - "filename": "positive1.yaml", - "resourceType": "Role", - "resourceName": "secret-reader4", - "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*", - "searchValue": "Role/*", - "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value", - "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value" - }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", @@ -47,6 +35,18 @@ "expectedValue": "metadata.name=secret-reader3.rules.verbs should not contain a wildcard value when metadata.name=secret-reader3.rules.resources contains the value 'pods'", "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'" }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 39, + "filename": "positive1.yaml", + "resourceType": "Role", + "resourceName": "secret-reader4", + "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*", + "searchValue": "Role/*", + "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value" + }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json index f94cd2ddd63..501787780a1 100644 --- a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 4, - "filename": "positive2.yaml", - "resourceType": "Pod", - "resourceName": "frontend2", - "searchKey": "metadata.name={{frontend2}}", - "searchValue": "Pod", - "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "filename": "positive4.yaml", - "resourceType": "PersistentVolumeClaim", - "resourceName": "webcontent", - "searchKey": "metadata.name={{webcontent}}", - "searchValue": "PersistentVolumeClaim", - "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated" - }, { "queryName": "Pod or Container Without LimitRange", "severity": "LOW", @@ -35,6 +11,18 @@ "expectedValue": "metadata.name={{frontend1}} has a 'LimitRange' policy associated", "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated" }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated" + }, { "queryName": "Pod or Container Without LimitRange", "severity": "LOW", @@ -46,5 +34,17 @@ "searchValue": "DaemonSet", "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'LimitRange' policy associated", "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated" + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "filename": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated" } ] \ No newline at end of file diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json index 4d17bd2e181..ebaa57606c9 100644 --- a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "filename": "positive4.yaml", - "resourceType": "PersistentVolumeClaim", - "resourceName": "webcontent", - "searchKey": "metadata.name={{webcontent}}", - "searchValue": "PersistentVolumeClaim", - "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "filename": "positive3.yaml", - "resourceType": "DaemonSet", - "resourceName": "fluentd-elasticsearch", - "searchKey": "metadata.name={{fluentd-elasticsearch}}", - "searchValue": "DaemonSet", - "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated" - }, { "queryName": "Pod or Container Without ResourceQuota", "severity": "LOW", @@ -46,5 +22,29 @@ "searchValue": "Pod", "expectedValue": "metadata.name={{pod2}} has a 'ResourceQuota' policy associated", "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated" + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated" + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "filename": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated" } ] \ No newline at end of file diff --git a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json index 979c3e63085..06caca82f06 100644 --- a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 13, - "filename": "positive2.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "example-priv", - "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation", "searchValue": "Pod", - "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined" + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 17, - "filename": "positive2.yaml", + "line": 21, + "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "example-priv", - "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined" + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined" }, { "queryName": "Privilege Escalation Allowed", @@ -38,25 +38,25 @@ { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 10, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive2.yaml", "resourceType": "Pod", - "resourceName": "pod2", - "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false", - "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true" + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 21, - "filename": "positive1.yaml", + "line": 17, + "filename": "positive2.yaml", "resourceType": "Pod", - "resourceName": "pod2", - "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}", "searchValue": "Pod", - "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined" + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json index fff96684fd5..6df2daf7b97 100644 --- a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "--profiling flag should be set to false", "actualValue": "--profiling flag is set to true" }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 3, - "filename": "positive6.yaml", - "resourceType": "KubeSchedulerConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeSchedulerConfiguration}}.enableProfiling", - "searchValue": "", - "expectedValue": "enableProfiling argument flag should be set to false", - "actualValue": "enableProfiling argument is set to true" - }, { "queryName": "Profiling Not Set To False", "severity": "LOW", @@ -35,18 +23,6 @@ "expectedValue": "--profiling flag should be defined and set to false", "actualValue": "--profiling flag is not defined" }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 2, - "filename": "positive5.yaml", - "resourceType": "KubeSchedulerConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeSchedulerConfiguration}}", - "searchValue": "", - "expectedValue": "enableProfiling argument flag should be defined and set to false", - "actualValue": "enableProfiling argument is not defined" - }, { "queryName": "Profiling Not Set To False", "severity": "LOW", @@ -71,6 +47,30 @@ "expectedValue": "--profiling flag should be defined and set to false", "actualValue": "--profiling flag is not defined" }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 2, + "filename": "positive5.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeSchedulerConfiguration}}", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be defined and set to false", + "actualValue": "enableProfiling argument is not defined" + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 3, + "filename": "positive6.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeSchedulerConfiguration}}.enableProfiling", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be set to false", + "actualValue": "enableProfiling argument is set to true" + }, { "queryName": "Profiling Not Set To False", "severity": "LOW", diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json index 523aff86e9e..7c0133004a3 100644 --- a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 32, + "line": 9, "filename": "positive.yaml", "resourceType": "PodSecurityPolicy", - "resourceName": "privileged2", - "searchKey": "metadata.name={{privileged2}}.spec", + "resourceName": "privileged", + "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation", "searchValue": "", - "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set", - "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined" + "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false", + "actualValue": "Attribute 'allowPrivilegeEscalation' is true" }, { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 9, + "line": 32, "filename": "positive.yaml", "resourceType": "PodSecurityPolicy", - "resourceName": "privileged", - "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation", + "resourceName": "privileged2", + "searchKey": "metadata.name={{privileged2}}.spec", "searchValue": "", - "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false", - "actualValue": "Attribute 'allowPrivilegeEscalation' is true" + "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set", + "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json index 67e5a0aedc8..561f62b391d 100644 --- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "PSP With Unrestricted Access to Host Path", "severity": "HIGH", - "line": 9, - "filename": "positive3.yaml", + "line": 5, + "filename": "positive1.yaml", "resourceType": "PodSecurityPolicy", "resourceName": "example", - "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", + "searchKey": "metadata.name={{example}}.spec", "searchValue": "", - "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", - "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false" + "expectedValue": "'spec.allowedHostPaths' should be defined and not null", + "actualValue": "'spec.allowedHostPaths' is undefined or null" }, { "queryName": "PSP With Unrestricted Access to Host Path", @@ -26,13 +26,13 @@ { "queryName": "PSP With Unrestricted Access to Host Path", "severity": "HIGH", - "line": 5, - "filename": "positive1.yaml", + "line": 9, + "filename": "positive3.yaml", "resourceType": "PodSecurityPolicy", "resourceName": "example", - "searchKey": "metadata.name={{example}}.spec", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", "searchValue": "", - "expectedValue": "'spec.allowedHostPaths' should be defined and not null", - "actualValue": "'spec.allowedHostPaths' is undefined or null" + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index f1e67d617aa..ed671e00154 100644 --- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 18, - "filename": "positive.yaml", - "resourceType": "ClusterRole", - "resourceName": "cluster-role-secret-reader", - "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", - "searchValue": "ClusterRole0", - "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", - "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" - }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "Role0", "expectedValue": "metadata.name={{role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" + }, + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "cluster-role-secret-reader", + "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", + "searchValue": "ClusterRole0", + "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" } ] \ No newline at end of file diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json index dae4d846322..4746d7f9d9d 100644 --- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "RBAC Wildcard In Rule", + "severity": "HIGH", + "line": 7, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions" + }, + { + "queryName": "RBAC Wildcard In Rule", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions" + }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", @@ -58,29 +82,5 @@ "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].resources should list the minimal set of needed objects or actions", "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions" - }, - { - "queryName": "RBAC Wildcard In Rule", - "severity": "HIGH", - "line": 7, - "filename": "positive.yaml", - "resourceType": "ClusterRole", - "resourceName": "configmap-modifier", - "searchKey": "metadata.name={{configmap-modifier}}.rules", - "searchValue": "", - "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions" - }, - { - "queryName": "RBAC Wildcard In Rule", - "severity": "HIGH", - "line": 9, - "filename": "positive.yaml", - "resourceType": "ClusterRole", - "resourceName": "configmap-modifier", - "searchKey": "metadata.name={{configmap-modifier}}.rules", - "searchValue": "", - "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions" } ] \ No newline at end of file diff --git a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json index 3e840b3abfe..1542d52bc1b 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Request Timeout Not Properly Set", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -27,7 +27,7 @@ "queryName": "Request Timeout Not Properly Set", "severity": "MEDIUM", "line": 11, - "filename": "positive4.yaml", + "filename": "positive3.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -39,7 +39,7 @@ "queryName": "Request Timeout Not Properly Set", "severity": "MEDIUM", "line": 11, - "filename": "positive6.yaml", + "filename": "positive4.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -51,7 +51,7 @@ "queryName": "Request Timeout Not Properly Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive5.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", @@ -63,7 +63,7 @@ "queryName": "Request Timeout Not Properly Set", "severity": "MEDIUM", "line": 11, - "filename": "positive5.yaml", + "filename": "positive6.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", diff --git a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json index 4799ff37cae..cb3b5493e52 100644 --- a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 32, + "line": 12, "filename": "positive.yaml", "resourceType": "PodSecurityPolicy", "resourceName": "restricted", - "searchKey": "metadata.name={{restricted}}.spec.fsGroup", + "searchKey": "metadata.name={{restricted}}.spec.privileged", "searchValue": "", - "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", - "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)" + "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 12, + "line": 13, "filename": "positive.yaml", "resourceType": "PodSecurityPolicy", "resourceName": "restricted", - "searchKey": "metadata.name={{restricted}}.spec.privileged", + "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", "searchValue": "", - "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", - "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'" + "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'" }, { "queryName": "Root Containers Admitted", @@ -50,13 +50,13 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 13, + "line": 32, "filename": "positive.yaml", "resourceType": "PodSecurityPolicy", "resourceName": "restricted", - "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", + "searchKey": "metadata.name={{restricted}}.spec.fsGroup", "searchValue": "", - "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", - "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'" + "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", + "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)" } ] \ No newline at end of file diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json index 972f5fca35a..846ec83a764 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Rotate Kubelet Server Certificate Not Active", "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", "searchValue": "", - "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", - "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false" }, { "queryName": "Rotate Kubelet Server Certificate Not Active", @@ -27,7 +27,7 @@ "queryName": "Rotate Kubelet Server Certificate Not Active", "severity": "MEDIUM", "line": 8, - "filename": "positive1.yaml", + "filename": "positive3.json", "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}.featureGates", @@ -38,13 +38,13 @@ { "queryName": "Rotate Kubelet Server Certificate Not Active", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", "searchValue": "", - "expectedValue": "RotateKubeletServerCertificates should be true", - "actualValue": "RotateKubeletServerCertificate is false" + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" } ] \ No newline at end of file diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json index ec093d8541e..39d70289a22 100644 --- a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json @@ -2,14 +2,26 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 24, - "filename": "positive3.yaml", - "resourceType": "Deployment", - "resourceName": "securitydemo", - "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", - "searchValue": "Deployment", - "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-1", + "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-2", + "searchKey": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -50,32 +62,20 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "pod-test-1", - "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", - "searchValue": "Pod", - "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 18, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "pod-test-2", - "searchKey": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", - "searchValue": "Pod", - "expectedValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + "line": 24, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 35, - "filename": "positive4.yaml", + "line": 33, + "filename": "positive3.yaml", "resourceType": "Deployment", "resourceName": "securitydemo", "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", @@ -86,8 +86,8 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 33, - "filename": "positive3.yaml", + "line": 35, + "filename": "positive4.yaml", "resourceType": "Deployment", "resourceName": "securitydemo", "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", diff --git a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json index 82b11dfc571..ed3cb95c723 100644 --- a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 17, + "line": 12, "filename": "positive.yaml", "resourceType": "Pod", "resourceName": "secret-env-pod", - "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", "searchValue": "Pod", - "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", - "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined" + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined" }, { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 12, + "line": 17, "filename": "positive.yaml", "resourceType": "Pod", "resourceName": "secret-env-pod", - "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", "searchValue": "Pod", - "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", - "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined" + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined" }, { "queryName": "Secrets As Environment Variables", diff --git a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json index b622816697f..a3cebcecced 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 58, - "filename": "positive.yaml", - "resourceType": "ClusterRole", - "resourceName": "testClusterRoleVulnerable", - "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", - "searchValue": "ClusterRole", - "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", - "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]" - }, { "queryName": "ServiceAccount Allows Access Secrets", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "Role", "expectedValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs should not contain the following verbs: [[\"*\"]]", "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]" + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "testClusterRoleVulnerable", + "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", + "searchValue": "ClusterRole", + "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", + "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]" } ] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json index bacfe6cd36f..c927cf115bb 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 58, - "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "nginx3", - "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", - "searchValue": "", - "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", - "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty" - }, { "queryName": "Service Account Name Undefined Or Empty", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "metadata.name=nginx2.container.group.spec.serviceAccountName should be defined", "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx3", + "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", + "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty" } ] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json index de749c6949b..8cf1bbede10 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Service Account Token Automount Not Disabled", - "severity": "MEDIUM", - "line": 54, - "filename": "positive1.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", - "searchValue": "Configuration", - "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", - "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true" - }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", @@ -23,18 +11,6 @@ "expectedValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken should be defined and set to false", "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined" }, - { - "queryName": "Service Account Token Automount Not Disabled", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2.yaml", - "resourceType": "ServiceAccount", - "resourceName": "redistest-sa", - "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", - "searchValue": "", - "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", - "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true" - }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", @@ -46,5 +22,29 @@ "searchValue": "Pod", "expectedValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken should be set to false", "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true" + }, + { + "queryName": "Service Account Token Automount Not Disabled", + "severity": "MEDIUM", + "line": 54, + "filename": "positive1.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", + "searchValue": "Configuration", + "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true" + }, + { + "queryName": "Service Account Token Automount Not Disabled", + "severity": "MEDIUM", + "line": 5, + "filename": "positive2.yaml", + "resourceType": "ServiceAccount", + "resourceName": "redistest-sa", + "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", + "searchValue": "", + "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json index 9c643c35c15..9e9a72fd557 100644 --- a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Service Does Not Target Pod", - "severity": "LOW", - "line": 12, - "filename": "positive2.yaml", - "resourceType": "Service", - "resourceName": "helloworld3", - "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", - "searchValue": "", - "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", - "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port" - }, { "queryName": "Service Does Not Target Pod", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "metadata.name={{helloworld2}}.spec.selector label refers to a Pod label", "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label" + }, + { + "queryName": "Service Does Not Target Pod", + "severity": "LOW", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "Service", + "resourceName": "helloworld3", + "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", + "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port" } ] \ No newline at end of file diff --git a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json index 66ec8b503b8..1c20e34863f 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", - "line": 48, + "line": 4, "filename": "positive.yaml", "resourceType": "Service", - "resourceName": "sample-service 08", - "searchKey": "metadata.name={{sample-service 08}}.annotations", + "resourceName": "sample-service 05", + "searchKey": "metadata.name={{sample-service 05}}", "searchValue": "", - "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "expectedValue": "'metadata.annotations' should be set", + "actualValue": "'metadata.annotations' is undefined" }, { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", - "line": 4, + "line": 18, "filename": "positive.yaml", "resourceType": "Service", - "resourceName": "sample-service 05", - "searchKey": "metadata.name={{sample-service 05}}", + "resourceName": "sample-service 05334443", + "searchKey": "metadata.name={{sample-service 05334443}}.annotations", "searchValue": "", - "expectedValue": "'metadata.annotations' should be set", - "actualValue": "'metadata.annotations' is undefined" + "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider" }, { "queryName": "Service With External Load Balancer", @@ -38,14 +38,14 @@ { "queryName": "Service With External Load Balancer", "severity": "MEDIUM", - "line": 18, + "line": 48, "filename": "positive.yaml", "resourceType": "Service", - "resourceName": "sample-service 05334443", - "searchKey": "metadata.name={{sample-service 05334443}}.annotations", + "resourceName": "sample-service 08", + "searchKey": "metadata.name={{sample-service 08}}.annotations", "searchValue": "", - "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider" }, { "queryName": "Service With External Load Balancer", diff --git a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json index dd377474c99..92fb308a190 100644 --- a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Shared Host Network Namespace", - "severity": "MEDIUM", - "line": 9, - "filename": "positive2.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", - "searchValue": "", - "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", - "actualValue": "'spec.template.spec.hostNetwork' is true" - }, { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'spec.hostNetwork' should be set to false or undefined", "actualValue": "'spec.hostNetwork' is true" + }, + { + "queryName": "Shared Host Network Namespace", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostNetwork' is true" } ] \ No newline at end of file diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 22b74a4d246..610abd86e64 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Shared Service Account", "severity": "MEDIUM", - "line": 16, - "filename": "positive.yaml", + "line": 6, + "filename": "negative.yaml", "resourceType": "Pod", - "resourceName": "pod2", - "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", "searchValue": "", "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", "actualValue": "'spec.serviceAccountName' is shared with other workloads" @@ -15,7 +15,7 @@ "queryName": "Shared Service Account", "severity": "MEDIUM", "line": 6, - "filename": "negative.yaml", + "filename": "positive.yaml", "resourceType": "Pod", "resourceName": "pod1", "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", @@ -26,11 +26,11 @@ { "queryName": "Shared Service Account", "severity": "MEDIUM", - "line": 6, + "line": 16, "filename": "positive.yaml", "resourceType": "Pod", - "resourceName": "pod1", - "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", "searchValue": "", "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", "actualValue": "'spec.serviceAccountName' is shared with other workloads" diff --git a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json index b8ccf00eee6..108dfa73096 100644 --- a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 73, - "filename": "positive.yaml", - "resourceType": "StatefulSet", - "resourceName": "web2", - "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", - "searchValue": "", - "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", - "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi" - }, { "queryName": "StatefulSet Requests Storage", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi" + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 73, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi" } ] \ No newline at end of file diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json index 36c742638b9..7d57696d764 100644 --- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Tiller Deployment Is Accessible From Within The Cluster", "severity": "HIGH", - "line": 53, + "line": 21, "filename": "positive.yaml", "resourceType": "Deployment", - "resourceName": "tiller-deploy-no-args", - "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", + "resourceName": "tiller-bad-args", + "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", "searchValue": "", - "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", - "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined" + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost" }, { "queryName": "Tiller Deployment Is Accessible From Within The Cluster", "severity": "HIGH", - "line": 21, + "line": 53, "filename": "positive.yaml", "resourceType": "Deployment", - "resourceName": "tiller-bad-args", - "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", + "resourceName": "tiller-deploy-no-args", + "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", "searchValue": "", - "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", - "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost" + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json index 8d9361d7005..a880bf40141 100644 --- a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Tiller Service Is Not Deleted", "severity": "HIGH", - "line": 7, + "line": 4, "filename": "positive.yaml", "resourceType": "Service", "resourceName": "tiller-deploy", "searchKey": "metadata.name={{tiller-deploy}}", "searchValue": "Service", - "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'", - "actualValue": "metadata.labels.Service of name contains 'tiller'" + "expectedValue": "metadata.name of Service should not contain 'tiller'", + "actualValue": "metadata.name of Service contains 'tiller'" }, { "queryName": "Tiller Service Is Not Deleted", "severity": "HIGH", - "line": 4, + "line": 7, "filename": "positive.yaml", "resourceType": "Service", "resourceName": "tiller-deploy", "searchKey": "metadata.name={{tiller-deploy}}", "searchValue": "Service", - "expectedValue": "metadata.name of Service should not contain 'tiller'", - "actualValue": "metadata.name of Service contains 'tiller'" + "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'", + "actualValue": "metadata.labels.Service of name contains 'tiller'" }, { "queryName": "Tiller Service Is Not Deleted", diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json index 12ee78355ec..797263586b9 100644 --- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml", + "filename": "positive1.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--use-service-account-credentials flag should be defined and set to true", - "actualValue": "--use-service-account-credentials flag is not defined" + "expectedValue": "--use-service-account-credentials flag should be set to true", + "actualValue": "--use-service-account-credentials flag is set to false" }, { "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml", + "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", - "expectedValue": "--use-service-account-credentials flag should be set to true", - "actualValue": "--use-service-account-credentials flag is set to false" + "expectedValue": "--use-service-account-credentials flag should be defined and set to true", + "actualValue": "--use-service-account-credentials flag is not defined" } ] \ No newline at end of file diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json index 740a4d7b325..3fec034ac08 100644 --- a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Using Unrecommended Namespace", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default" + }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", @@ -46,17 +58,5 @@ "searchValue": "Configuration", "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", "actualValue": "'metadata.namespace' is set to default" - }, - { - "queryName": "Using Unrecommended Namespace", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "frontend", - "searchKey": "metadata.name={{frontend}}.namespace", - "searchValue": "Pod", - "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", - "actualValue": "'metadata.namespace' is set to default" } ] \ No newline at end of file diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index c5607f08761..760970d4f0c 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -2,74 +2,74 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 40, + "line": 11, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-1", - "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 37, + "line": 13, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-1", - "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", - "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 40, + "line": 13, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-1", - "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-1)" + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 13, + "line": 37, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-0", - "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 11, + "line": 40, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-0", - "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)" + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 13, + "line": 40, "filename": "positive1.yaml", "resourceType": "Pod", - "resourceName": "pod-0", - "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -98,25 +98,25 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 37, + "line": 34, "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "pod-1", - "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 34, + "line": 37, "filename": "positive2.yaml", "resourceType": "Pod", "resourceName": "pod-1", - "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" } ] \ No newline at end of file diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json index bbec2de3dd2..07574051422 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Weak TLS Cipher Suites", "severity": "MEDIUM", - "line": 9, - "filename": "positive3.yaml", - "resourceType": "KubeletConfiguration", - "resourceName": "n/a", - "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "TLS cipher suites should use strong ciphers", "actualValue": "TLS cipher suites uses a weak cipher" @@ -26,11 +26,11 @@ { "queryName": "Weak TLS Cipher Suites", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml", - "resourceType": "Pod", - "resourceName": "command-demo", - "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "line": 9, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", "searchValue": "", "expectedValue": "TLS cipher suites should use strong ciphers", "actualValue": "TLS cipher suites uses a weak cipher" diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index f12c113a65a..e0cd3d03ece 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 250, + "line": 66, "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "dood", - "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", - "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath" + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 265, + "line": 70, "filename": "positive.yaml", - "resourceType": "PersistentVolume", - "resourceName": "pv-001", - "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", "searchValue": "", - "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", - "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath" + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 193, + "line": 112, "filename": "positive.yaml", - "resourceType": "Pod", - "resourceName": "redis-memcache", - "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", - "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath" + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -50,38 +50,38 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112, + "line": 145, "filename": "positive.yaml", - "resourceType": "DaemonSet", - "resourceName": "fluentd-elasticsearch", - "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", - "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath" + "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 299, + "line": 175, "filename": "positive.yaml", - "resourceType": "Configuration", - "resourceName": "dummy-config", - "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath" + "expectedValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 229, + "line": 193, "filename": "positive.yaml", "resourceType": "Pod", - "resourceName": "malicious-pod", - "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'malicious-pod' of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath" + "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", + "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -98,61 +98,61 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 280, + "line": 229, "filename": "positive.yaml", - "resourceType": "PersistentVolume", - "resourceName": "pv-002", - "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", + "resourceType": "Pod", + "resourceName": "malicious-pod", + "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", "searchValue": "", - "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", - "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath" + "expectedValue": "Workload name 'malicious-pod' of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 175, + "line": 250, "filename": "positive.yaml", - "resourceType": "Deployment", - "resourceName": "nginx-deployment-undefined-ns", - "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "resourceType": "Pod", + "resourceName": "dood", + "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", - "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath" + "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", + "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 66, + "line": 265, "filename": "positive.yaml", - "resourceType": "DaemonSet", - "resourceName": "exporter-prometheus-node-exporter", - "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", - "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath" + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 70, + "line": 280, "filename": "positive.yaml", - "resourceType": "DaemonSet", - "resourceName": "exporter-prometheus-node-exporter", - "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", - "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath" + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 145, + "line": 299, "filename": "positive.yaml", - "resourceType": "Deployment", - "resourceName": "nginx-deployment", - "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", "searchValue": "", - "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", - "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath" + "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json index efe20f5f603..21c0c252d9b 100644 --- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml", + "line": 19, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.desc", + "searchKey": "paths.{{/}}.get.parameters.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" @@ -14,11 +14,11 @@ { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.desc", + "searchKey": "parameters.limitParam.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" @@ -26,11 +26,11 @@ { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 20, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.desc", + "searchKey": "paths.{{/}}.get.parameters.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" @@ -38,11 +38,11 @@ { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 19, - "filename": "positive1.json", + "line": 30, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.desc", + "searchKey": "parameters.limitParam.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json index 2249fb1e8b8..fae329c4d50 100644 --- a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", "actualValue": "'schema' is undefined" @@ -14,11 +14,11 @@ { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 14, - "filename": "positive2.yaml", + "line": 30, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", "actualValue": "'schema' is undefined" @@ -26,11 +26,11 @@ { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 30, - "filename": "positive1.json", + "line": 14, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", "actualValue": "'schema' is undefined" @@ -38,11 +38,11 @@ { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 12, - "filename": "positive1.json", + "line": 20, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", "actualValue": "'schema' is undefined" diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json index be5216329a1..88fb0744514 100644 --- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters", @@ -14,8 +14,8 @@ { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters", diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json index 397f99d0da0..6f2eff2f6d5 100644 --- a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive2.yaml", + "line": 33, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.json", + "line": 22, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json index f42abb8a572..38b56a626c0 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Host With Invalid Pattern", "severity": "INFO", - "line": 6, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "host", @@ -14,8 +14,8 @@ { "queryName": "Host With Invalid Pattern", "severity": "INFO", - "line": 7, - "filename": "positive1.json", + "line": 6, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "host", diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json index 979ab43ff37..644a75914fe 100644 --- a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 16, + "line": 11, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchKey": "paths.{{/}}.get.produces.image/ png", "searchValue": "", "expectedValue": "The Media Type should be a valid value", "actualValue": "The Media Type is a invalid value" @@ -14,11 +14,11 @@ { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 11, + "line": 16, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", "searchValue": "", "expectedValue": "The Media Type should be a valid value", "actualValue": "The Media Type is a invalid value" @@ -26,11 +26,11 @@ { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 18, + "line": 14, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchKey": "paths.{{/}}.get.produces.image/ png", "searchValue": "", "expectedValue": "The Media Type should be a valid value", "actualValue": "The Media Type is a invalid value" @@ -38,11 +38,11 @@ { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", - "line": 14, + "line": 18, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", "searchValue": "", "expectedValue": "The Media Type should be a valid value", "actualValue": "The Media Type is a invalid value" diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json index fef75b1dd8e..b16e4e15a8f 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", - "line": 30, - "filename": "positive2.json", + "line": 22, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", @@ -14,8 +14,8 @@ { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.yaml", + "line": 30, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json index 1270421e349..d755bcd101a 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 23, + "line": 19, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchKey": "securityDefinitions.api_key.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -14,11 +14,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 27, - "filename": "positive2.json", + "line": 23, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -26,11 +26,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 32, + "line": 27, "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchKey": "securityDefinitions.api_key.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -38,11 +38,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", - "line": 19, - "filename": "positive1.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json index 596abbccea6..a432fbb5e4f 100644 --- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 13, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit.in", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", "actualValue": "'in' field is path" @@ -14,11 +14,11 @@ { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml", + "line": 37, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchKey": "parameters.name=limit.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", "actualValue": "'in' field is path" @@ -26,11 +26,11 @@ { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 37, - "filename": "positive1.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit.in", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", "actualValue": "'in' field is path" @@ -38,11 +38,11 @@ { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 13, - "filename": "positive1.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchKey": "parameters.name=limit.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", "actualValue": "'in' field is path" diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json index bdeb4b3ba18..5ab53f82361 100644 --- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 37, + "line": 16, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit.schema", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", "searchValue": "", "expectedValue": "'schema' should not be set", "actualValue": "'schema' is set" @@ -14,11 +14,11 @@ { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 16, + "line": 37, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchKey": "parameters.name=limit.schema", "searchValue": "", "expectedValue": "'schema' should not be set", "actualValue": "'schema' is set" @@ -26,11 +26,11 @@ { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 26, + "line": 13, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.name=limit.schema", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", "searchValue": "", "expectedValue": "'schema' should not be set", "actualValue": "'schema' is set" @@ -38,11 +38,11 @@ { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 13, + "line": 26, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchKey": "parameters.name=limit.schema", "searchValue": "", "expectedValue": "'schema' should not be set", "actualValue": "'schema' is set" diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json index 78f4b18c972..5267c3eb902 100644 --- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", - "line": 21, - "filename": "positive2.yaml", + "line": 33, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", @@ -14,8 +14,8 @@ { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", diff --git a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json index 434e71fb2e2..adaa8558502 100644 --- a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Object Without Required Property (v2)", - "severity": "INFO", - "line": 20, - "filename": "positive1.json", - "resourceType": "", - "resourceName": "", - "searchKey": "parameters.{{limitParam}}", - "searchValue": "", - "expectedValue": "Parameter object has 'type' defined", - "actualValue": "Parameter object does not have 'type' defined" - }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", @@ -26,8 +14,8 @@ { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml", + "line": 20, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "parameters.{{limitParam}}", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "info has all required fields", "actualValue": "info is missing required fields" + }, + { + "queryName": "Object Without Required Property (v2)", + "severity": "INFO", + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json index b9139a82367..1739aa31b8d 100644 --- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml", + "line": 17, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters", @@ -14,8 +14,8 @@ { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", - "line": 17, - "filename": "positive1.json", + "line": 13, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters", diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json index da4e9b5bf97..75de419f123 100644 --- a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Operation Summary Too Long", "severity": "INFO", - "line": 9, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.summary", @@ -14,8 +14,8 @@ { "queryName": "Operation Summary Too Long", "severity": "INFO", - "line": 11, - "filename": "positive1.json", + "line": 9, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.summary", diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json index 7c231dfb0a0..ab8801882c4 100644 --- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.yaml", + "line": 22, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.json", + "line": 16, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json index 1353de23826..4cef6239dd9 100644 --- a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Operation Using Password Flow", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.yaml", + "line": 22, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Operation Using Password Flow", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.json", + "line": 16, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json index a5ccc7e518a..2b7564dc311 100644 --- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters.name=limit2", @@ -26,8 +26,8 @@ { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters.name=limit2", diff --git a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json index a3f903ea443..dae6776af56 100644 --- a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 57, + "line": 27, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.properties.address", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", "searchValue": "", - "expectedValue": "'address' property is unique throughout the whole API", - "actualValue": "'address' property is not unique throughout the whole API" + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" }, { "queryName": "Property Not Unique", @@ -26,11 +26,11 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 60, + "line": 33, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.properties.age", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", "actualValue": "'age' property is not unique throughout the whole API" @@ -38,11 +38,35 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 33, + "line": 54, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", + "searchKey": "parameters.limitParam.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API" + }, + { + "queryName": "Property Not Unique", + "severity": "INFO", + "line": 57, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API" + }, + { + "queryName": "Property Not Unique", + "severity": "INFO", + "line": 60, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", "actualValue": "'age' property is not unique throughout the whole API" @@ -50,8 +74,8 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 27, - "filename": "positive1.json", + "line": 22, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", @@ -62,11 +86,11 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 40, + "line": 24, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.properties.address", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", "actualValue": "'address' property is not unique throughout the whole API" @@ -98,23 +122,11 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 54, - "filename": "positive1.json", - "resourceType": "", - "resourceName": "", - "searchKey": "parameters.limitParam.properties.name", - "searchValue": "", - "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" - }, - { - "queryName": "Property Not Unique", - "severity": "INFO", - "line": 24, + "line": 40, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", + "searchKey": "parameters.limitParam.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", "actualValue": "'address' property is not unique throughout the whole API" @@ -130,17 +142,5 @@ "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", "actualValue": "'age' property is not unique throughout the whole API" - }, - { - "queryName": "Property Not Unique", - "severity": "INFO", - "line": 22, - "filename": "positive2.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", - "searchValue": "", - "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json index c85669d2ab2..a629dc67e26 100644 --- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", - "line": 34, - "filename": "positive4.yaml", + "line": 28, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.User.additionalProperties", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", "actualValue": "'additionalProperties' is set as a boolean value" @@ -38,11 +38,11 @@ { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", - "line": 28, - "filename": "positive1.json", + "line": 34, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchKey": "definitions.User.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", "actualValue": "'additionalProperties' is set as a boolean value" diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json index f13fc256f33..6e72c3820ea 100644 --- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", - "line": 19, - "filename": "positive2.yaml", + "line": 27, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", @@ -14,8 +14,8 @@ { "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.json", + "line": 19, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json index 4a65081de8b..189abc763fe 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 2, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "swagger", @@ -14,8 +14,8 @@ { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", - "line": 2, - "filename": "positive1.json", + "line": 1, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "swagger", @@ -26,8 +26,8 @@ { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", - "line": 1, - "filename": "positive2.yaml", + "line": 2, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "swagger", diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json index ec82cec42b4..7c52e1a27a8 100644 --- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json @@ -15,10 +15,10 @@ "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 21, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.security.petstore_auth", + "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", "actualValue": "petstore_auth is not defined in 'securityDefinitions'" @@ -26,11 +26,11 @@ { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", - "line": 21, - "filename": "positive2.yaml", + "line": 30, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "security.petstore_auth", + "searchKey": "paths.{{/}}.get.security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", "actualValue": "petstore_auth is not defined in 'securityDefinitions'" @@ -38,8 +38,8 @@ { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", - "line": 30, - "filename": "positive3.json", + "line": 21, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.security.petstore_auth", diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json index b04ee564153..fd90113405f 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", - "line": 33, - "filename": "positive2.json", + "line": 23, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", - "line": 23, - "filename": "positive1.yaml", + "line": 33, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json index e664260b8ab..6d9fbf303be 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 12, - "filename": "positive2.json", + "line": 10, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", @@ -14,8 +14,8 @@ { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 10, - "filename": "positive1.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", diff --git a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json index 5f44f46ee22..7b636ed8793 100644 --- a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 24, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "produces", + "searchKey": "paths.{{/}}.get.produces", "searchValue": "", - "expectedValue": "produces has only known prefixes", - "actualValue": "aplication/json on 'produces' is an unknown prefix" + "expectedValue": "paths.{{/}}.get.produces has only known prefixes", + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" }, { "queryName": "Unknown Prefix (v2)", @@ -26,8 +26,8 @@ { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.produces", @@ -38,13 +38,13 @@ { "queryName": "Unknown Prefix (v2)", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml", + "line": 24, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.produces", + "searchKey": "produces", "searchValue": "", - "expectedValue": "paths.{{/}}.get.produces has only known prefixes", - "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" + "expectedValue": "produces has only known prefixes", + "actualValue": "aplication/json on 'produces' is an unknown prefix" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json index d05591e2b5d..67aba00f259 100644 --- a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Unknown Property (v2)", - "severity": "INFO", - "line": 6, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "info.contact.nameee", - "searchValue": "", - "expectedValue": "The field 'nameee' is known in the contact object", - "actualValue": "The field 'nameee' is unknown in the contact object" - }, - { - "queryName": "Unknown Property (v2)", - "severity": "INFO", - "line": 17, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "taggs", - "searchValue": "", - "expectedValue": "The field 'taggs' is known in the openapi object", - "actualValue": "The field 'taggs' is unknown in the openapi object" - }, { "queryName": "Unknown Property (v2)", "severity": "INFO", @@ -94,5 +70,29 @@ "searchValue": "", "expectedValue": "The field 'propppperties' is known in the definitions object", "actualValue": "The field 'propppperties' is unknown in the definitions object" + }, + { + "queryName": "Unknown Property (v2)", + "severity": "INFO", + "line": 6, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.nameee", + "searchValue": "", + "expectedValue": "The field 'nameee' is known in the contact object", + "actualValue": "The field 'nameee' is unknown in the contact object" + }, + { + "queryName": "Unknown Property (v2)", + "severity": "INFO", + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "taggs", + "searchValue": "", + "expectedValue": "The field 'taggs' is known in the openapi object", + "actualValue": "The field 'taggs' is unknown in the openapi object" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json index 21ee9806f0e..2156936a20b 100644 --- a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Global Responses Definition Not Being Used", - "severity": "INFO", - "line": 41, - "filename": "positive1.json", - "resourceType": "", - "resourceName": "", - "searchKey": "responses.{{GeneralError}}", - "searchValue": "", - "expectedValue": "responses definition 'GeneralError' is used", - "actualValue": "responses definition 'GeneralError' is not being used" - }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", @@ -26,8 +14,8 @@ { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml", + "line": 41, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "responses.{{GeneralError}}", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "responses definition 'IllegalInput' is used", "actualValue": "responses definition 'IllegalInput' is not being used" + }, + { + "queryName": "Global Responses Definition Not Being Used", + "severity": "INFO", + "line": 27, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{GeneralError}}", + "searchValue": "", + "expectedValue": "responses definition 'GeneralError' is used", + "actualValue": "responses definition 'GeneralError' is not being used" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json index f12dc1d5c28..54373f551d3 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 23, - "filename": "positive4.yaml", + "line": 24, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.oneOf", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set to false", "actualValue": "'additionalProperties' is set true" @@ -26,49 +26,49 @@ { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 12, - "filename": "positive6.yaml", + "line": 34, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", - "expectedValue": "'additionalProperties' needs to be set and to false", - "actualValue": "'additionalProperties' is not set" + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 14, - "filename": "positive5.json", + "line": 23, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", - "expectedValue": "'additionalProperties' needs to be set and to false", - "actualValue": "'additionalProperties' is not set" + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 24, - "filename": "positive1.json", + "line": 14, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", - "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set" }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 34, - "filename": "positive3.json", + "line": 12, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.oneOf", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", - "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json index bd0836ab89f..797d7e22bc8 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 13, - "filename": "positive4.yaml", + "line": 41, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", + "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", "actualValue": "'additionalProperties' is false" @@ -14,8 +14,8 @@ { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 41, - "filename": "positive1.json", + "line": 25, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.schemas.MyObject.oneOf", @@ -38,11 +38,11 @@ { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 25, - "filename": "positive2.yaml", + "line": 13, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.oneOf", + "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", "actualValue": "'additionalProperties' is false" diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json index 937e9f22ce7..f0e4ca5f277 100644 --- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 31, - "filename": "positive2.yaml", + "line": 52, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey1", @@ -14,8 +14,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 35, - "filename": "positive2.yaml", + "line": 57, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey2", @@ -26,8 +26,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 39, - "filename": "positive2.yaml", + "line": 62, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey3", @@ -38,8 +38,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 52, - "filename": "positive1.json", + "line": 31, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey1", @@ -50,8 +50,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 57, - "filename": "positive1.json", + "line": 35, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey2", @@ -62,8 +62,8 @@ { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", - "line": 62, - "filename": "positive1.json", + "line": 39, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.apiKey3", diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json index 9b9a32ac872..994fffe94d1 100644 --- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", - "line": 19, - "filename": "positive2.yaml", + "line": 28, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", @@ -14,8 +14,8 @@ { "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", - "line": 28, - "filename": "positive1.json", + "line": 19, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json index 1f7f5ad8602..dd1bf691ac1 100644 --- a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Components Example Definition Is Unused", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml", + "line": 42, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.examples.{{objectExample}}", @@ -14,8 +14,8 @@ { "queryName": "Components Example Definition Is Unused", "severity": "INFO", - "line": 42, - "filename": "positive1.json", + "line": 27, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.examples.{{objectExample}}", diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json index e45a59a885c..5aea4b3e861 100644 --- a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Components Header Definition Is Unused", "severity": "INFO", - "line": 29, - "filename": "positive2.yaml", + "line": 45, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.headers.{{xPages}}", @@ -14,8 +14,8 @@ { "queryName": "Components Header Definition Is Unused", "severity": "INFO", - "line": 45, - "filename": "positive1.json", + "line": 29, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.headers.{{xPages}}", diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json index adacf8a258a..0def5b31f1c 100644 --- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml", + "line": 45, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.{{schemas}}.{{General Error}}", @@ -14,8 +14,8 @@ { "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", - "line": 45, - "filename": "positive1.json", + "line": 27, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.{{schemas}}.{{General Error}}", diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json index 90502499702..5fa04bb0a83 100644 --- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", - "line": 15, - "filename": "positive2.yaml", + "line": 22, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.parameters.{{limitParam}}", @@ -14,8 +14,8 @@ { "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", - "line": 22, - "filename": "positive1.json", + "line": 15, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.parameters.{{limitParam}}", diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json index fd232baf626..0e87d34785e 100644 --- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", - "line": 23, - "filename": "positive2.yaml", + "line": 35, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.requestBodies.{{MyObjectBody}}", @@ -14,8 +14,8 @@ { "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", - "line": 35, - "filename": "positive1.json", + "line": 23, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.requestBodies.{{MyObjectBody}}", diff --git a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json index cf2f6214f5c..10a36e5c2f6 100644 --- a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Empty Array", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -14,8 +14,8 @@ { "queryName": "Empty Array", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 25, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json index 249ba59eb74..c3b50685f60 100644 --- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 36, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", @@ -38,8 +38,8 @@ { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", - "line": 36, - "filename": "positive2.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json index 77891e167fc..ac527e3a573 100644 --- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json @@ -26,25 +26,25 @@ { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 42, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", "severity": "INFO", - "line": 42, - "filename": "positive3.yaml", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", - "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json index 850438733dc..fb4621f1d4f 100644 --- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Global Security Scheme Using Basic Authentication", "severity": "MEDIUM", - "line": 30, - "filename": "positive2.yaml", + "line": 51, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{regularSecurity}}", @@ -14,8 +14,8 @@ { "queryName": "Global Security Scheme Using Basic Authentication", "severity": "MEDIUM", - "line": 51, - "filename": "positive1.json", + "line": 30, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{regularSecurity}}", diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json index fb9a422dd47..be68342373e 100644 --- a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Global Server Object Uses HTTP", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.yaml", + "line": 13, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "openapi", + "searchKey": "servers.url.http://staging.gigantic-server.com/v1", "searchValue": "", - "expectedValue": "Global servers array should be defined", - "actualValue": "Global servers array is not defined" + "expectedValue": "Global servers' URL should use HTTPS protocol", + "actualValue": "Global servers' URL are not using HTTPS protocol" }, { "queryName": "Global Server Object Uses HTTP", @@ -26,13 +26,13 @@ { "queryName": "Global Server Object Uses HTTP", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.json", + "line": 1, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "servers.url.http://staging.gigantic-server.com/v1", + "searchKey": "openapi", "searchValue": "", - "expectedValue": "Global servers' URL should use HTTPS protocol", - "actualValue": "Global servers' URL are not using HTTPS protocol" + "expectedValue": "Global servers array should be defined", + "actualValue": "Global servers array is not defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json index c498924370e..f7e620c8614 100644 --- a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json @@ -14,32 +14,32 @@ { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 44, - "filename": "positive3.yaml", + "line": 42, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", + "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", "searchValue": "", - "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" + "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" }, { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 28, - "filename": "positive4.yaml", + "line": 44, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", + "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" + "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", + "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" }, { "queryName": "Header Object Without Schema", "severity": "MEDIUM", - "line": 42, - "filename": "positive2.json", + "line": 28, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json index 883827d2500..ebd2c9029f6 100644 --- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 16, - "filename": "positive2.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" }, { "queryName": "Invalid Content Type For Multiple Files Upload", "severity": "INFO", "line": 16, - "filename": "positive1.json", + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", + "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" + "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", + "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" }, { "queryName": "Invalid Content Type For Multiple Files Upload", diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json index 47c683c0050..e7c726d2f93 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.json", + "line": 23, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", @@ -14,8 +14,8 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 14, - "filename": "positive5.json", + "line": 12, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", @@ -26,11 +26,11 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml", + "line": 22, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -38,11 +38,11 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive3.yaml", + "line": 31, + "filename": "positive4.json", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -50,11 +50,11 @@ { "queryName": "Invalid OAuth2 Token URL (v3)", "severity": "MEDIUM", - "line": 23, - "filename": "positive1.yaml", + "line": 14, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json index 0d208c71851..1df1cb31fab 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", "line": 50, - "filename": "positive2.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -14,11 +14,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", - "line": 32, - "filename": "positive3.yaml", + "line": 50, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -27,10 +27,10 @@ "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive4.yaml", + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" @@ -38,11 +38,11 @@ { "queryName": "Invalid OAuth2 Authorization URL (v3)", "severity": "MEDIUM", - "line": 50, - "filename": "positive1.json", + "line": 32, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", + "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json index cee0174bbc9..333f4756552 100644 --- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 43, - "filename": "positive6.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "components.links.{{address}}.operationId", - "searchValue": "", - "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", - "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" - }, - { - "queryName": "Link Object OperationId Does Not Target Operation Object", - "severity": "INFO", - "line": 51, - "filename": "positive4.yaml", + "line": 71, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", @@ -26,8 +14,8 @@ { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 21, - "filename": "positive5.yaml", + "line": 28, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", @@ -50,8 +38,8 @@ { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 71, - "filename": "positive1.json", + "line": 51, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", @@ -62,13 +50,25 @@ { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", - "line": 28, - "filename": "positive2.json", + "line": 21, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", "searchValue": "", "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object" + }, + { + "queryName": "Link Object OperationId Does Not Target Operation Object", + "severity": "INFO", + "line": 43, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json index 0fe7ddb44d7..bffa6c7d1dc 100644 --- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" }, - { - "queryName": "Link Object With Both 'operationId' And 'operationRef'", - "severity": "INFO", - "line": 67, - "filename": "positive3.json", - "resourceType": "", - "resourceName": "", - "searchKey": "components.links.{{address}}", - "searchValue": "", - "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" - }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", @@ -38,8 +26,8 @@ { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 42, - "filename": "positive6.yaml", + "line": 67, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "components.links.{{address}}", @@ -47,6 +35,18 @@ "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" }, + { + "queryName": "Link Object With Both 'operationId' And 'operationRef'", + "severity": "INFO", + "line": 50, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", @@ -62,13 +62,13 @@ { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", - "line": 50, - "filename": "positive4.yaml", + "line": 42, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchKey": "components.links.{{address}}", "searchValue": "", - "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json index 0bcd7fc122f..6c6df7a6c1a 100644 --- a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.yaml", + "line": 16, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -14,11 +14,11 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 20, - "filename": "positive5.yaml", + "line": 49, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", + "searchKey": "components.requestBodies.NewItem.content[multipart/data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -26,8 +26,8 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 14, - "filename": "positive5.yaml", + "line": 16, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", @@ -38,11 +38,11 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 49, - "filename": "positive1.json", + "line": 28, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.NewItem.content[multipart/data]", + "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -74,11 +74,11 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 20, - "filename": "positive6.yaml", + "line": 31, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.requestBody.content[text/plain]", + "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -86,8 +86,8 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 16, - "filename": "positive1.json", + "line": 14, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", @@ -98,8 +98,8 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 28, - "filename": "positive2.json", + "line": 20, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", @@ -110,11 +110,11 @@ { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json", + "line": 20, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchKey": "paths.{{/}}.requestBody.content[text/plain]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json index 600f0fbd1f3..e997e7589fd 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json @@ -14,20 +14,20 @@ { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 37, - "filename": "positive3.json", + "line": 34, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", "searchValue": "", - "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 27, - "filename": "positive4.yaml", + "line": 37, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", @@ -38,14 +38,14 @@ { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", - "line": 34, - "filename": "positive2.yaml", + "line": 27, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", "searchValue": "", - "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" }, { "queryName": "OAuth2 With Implicit Flow", diff --git a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json index c7a6ed6e2a1..2b0295ceb88 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json @@ -2,26 +2,38 @@ { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 10, - "filename": "positive4.yaml", + "line": 3, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.servers", + "searchKey": "info", "searchValue": "", - "expectedValue": "servers has all required fields", - "actualValue": "servers is missing required fields" + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 38, - "filename": "positive6.yaml", + "line": 2, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.MyObjectBody_2", + "searchKey": "info", "searchValue": "", - "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields" + }, + { + "queryName": "Object Without Required Property (v3)", + "severity": "INFO", + "line": 9, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields" }, { "queryName": "Object Without Required Property (v3)", @@ -38,47 +50,47 @@ { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 3, - "filename": "positive1.json", + "line": 7, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "info", + "searchKey": "paths.{{/}}.get", "searchValue": "", - "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 42, - "filename": "positive8.yaml", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.IdParam", + "searchKey": "paths.{{/}}.get.servers", "searchValue": "", - "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "expectedValue": "servers has all required fields", + "actualValue": "servers is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 32, - "filename": "positive8.yaml", + "line": 54, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters", + "searchKey": "paths.{{/}}.get.requestBody", "searchValue": "", - "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 65, + "line": 62, "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.MyObjectBody_2", + "searchKey": "components.requestBodies.MyObjectBody", "searchValue": "", "expectedValue": "requestBodies has all required fields", "actualValue": "requestBodies is missing required fields" @@ -86,56 +98,56 @@ { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 54, + "line": 65, "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.requestBody", + "searchKey": "components.requestBodies.MyObjectBody_2", "searchValue": "", - "expectedValue": "requestBody has all required fields", - "actualValue": "requestBody is missing required fields" + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 72, - "filename": "positive7.json", + "line": 32, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.IdParam", + "searchKey": "paths.{{/}}.get.requestBody", "searchValue": "", - "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 27, - "filename": "positive7.json", + "line": 36, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200", + "searchKey": "components.requestBodies.MyObjectBody", "searchValue": "", - "expectedValue": "responses has all required fields", - "actualValue": "responses is missing required fields" + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 9, - "filename": "positive3.json", + "line": 38, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get", + "searchKey": "components.requestBodies.MyObjectBody_2", "searchValue": "", - "expectedValue": "get has all required fields", - "actualValue": "get is missing required fields" + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 18, - "filename": "positive8.yaml", + "line": 27, + "filename": "positive7.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200", @@ -146,71 +158,59 @@ { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 7, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get", - "searchValue": "", - "expectedValue": "get has all required fields", - "actualValue": "get is missing required fields" - }, - { - "queryName": "Object Without Required Property (v3)", - "severity": "INFO", - "line": 36, - "filename": "positive6.yaml", + "line": 55, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.MyObjectBody", + "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", - "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml", + "line": 72, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.requestBody", + "searchKey": "components.parameters.IdParam", "searchValue": "", - "expectedValue": "requestBody has all required fields", - "actualValue": "requestBody is missing required fields" + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 2, - "filename": "positive2.yaml", + "line": 18, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "info", + "searchKey": "paths.{{/}}.get.responses.200", "searchValue": "", - "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "expectedValue": "responses has all required fields", + "actualValue": "responses is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 62, - "filename": "positive5.json", + "line": 32, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.MyObjectBody", + "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", - "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", - "line": 55, - "filename": "positive7.json", + "line": 42, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters", + "searchKey": "components.parameters.IdParam", "searchValue": "", "expectedValue": "parameters has all required fields", "actualValue": "parameters is missing required fields" diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json index 2d7276fc3bb..addd1d153d6 100644 --- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "components.parameters", - "searchValue": "", - "expectedValue": "components.parameters.idParam.content has one entry", - "actualValue": "components.parameters.idParam.content has multiple entries" - }, - { - "queryName": "Parameter Object Content With Multiple Entries", - "severity": "INFO", - "line": 10, - "filename": "positive3.yaml", + "line": 11, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths./.get.parameters", @@ -26,8 +14,8 @@ { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 48, - "filename": "positive3.yaml", + "line": 78, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths./user/{id}.parameters", @@ -50,8 +38,8 @@ { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 11, - "filename": "positive1.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./.get.parameters", @@ -62,13 +50,25 @@ { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", - "line": 78, - "filename": "positive1.json", + "line": 48, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./user/{id}.parameters", "searchValue": "", "expectedValue": "paths./user/{id}.parameters.0.content has one entry", "actualValue": "paths./user/{id}.parameters.0.content has multiple entries" + }, + { + "queryName": "Parameter Object Content With Multiple Entries", + "severity": "INFO", + "line": 26, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "components.parameters.idParam.content has one entry", + "actualValue": "components.parameters.idParam.content has multiple entries" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json index 41d3d69a652..ba6706ef7da 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 45, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" @@ -14,11 +14,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 73, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" @@ -26,11 +26,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 16, - "filename": "positive4.yaml", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "openapi.components.parameters.name={{limit}}", + "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" @@ -38,11 +38,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 20, - "filename": "positive3.json", + "line": 45, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "openapi.components.parameters.name={{limit}}", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" @@ -50,11 +50,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 73, - "filename": "positive1.json", + "line": 20, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchKey": "openapi.components.parameters.name={{limit}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" @@ -62,11 +62,11 @@ { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 16, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "openapi.components.parameters.name={{limit}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", "actualValue": "Parameter Object has both 'schema' and 'content' defined" diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json index e5425818eb4..92cfb0e2434 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json @@ -2,8 +2,20 @@ { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 40, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" + }, + { + "queryName": "Parameter Object With Undefined Type", + "severity": "INFO", + "line": 55, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", @@ -26,14 +38,14 @@ { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml", + "line": 40, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "openapi.components.parameters.name={{id}}", + "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", "searchValue": "", - "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" + "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" }, { "queryName": "Parameter Object With Undefined Type", @@ -50,25 +62,13 @@ { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", - "line": 55, - "filename": "positive1.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", - "searchValue": "", - "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" - }, - { - "queryName": "Parameter Object With Undefined Type", - "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 8, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "openapi.components.parameters.name={{id}}", "searchValue": "", - "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" + "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json index cb0c0b6b400..f5f70bb3f82 100644 --- a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 39, - "filename": "positive3.yaml", + "line": 11, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/user/}}.parameters", + "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -14,11 +14,11 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.yaml", + "line": 64, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters", + "searchKey": "paths.{{/user/}}.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -26,8 +26,8 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 26, - "filename": "positive4.yaml", + "line": 44, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "components.parameters", @@ -38,11 +38,11 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 44, - "filename": "positive2.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters", + "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" @@ -50,8 +50,8 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 64, - "filename": "positive1.json", + "line": 39, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/user/}}.parameters", @@ -62,11 +62,11 @@ { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters", + "searchKey": "components.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", "actualValue": "The attribute 'schema' is undefined" diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json index 8538a7169b1..50571ef317c 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.yaml", + "line": 18, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}", "searchValue": "", "expectedValue": "Path Server Object url uses 'HTTPS' protocol", "actualValue": "Path Server Object url uses 'HTTP' protocol" @@ -14,11 +14,11 @@ { "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.json", + "line": 15, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}", "searchValue": "", "expectedValue": "Path Server Object url uses 'HTTPS' protocol", "actualValue": "Path Server Object url uses 'HTTP' protocol" diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json index ed32a92365e..42b54cdca26 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json @@ -14,8 +14,8 @@ { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 32, - "filename": "positive4.yaml", + "line": 30, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.allowEmptyValue", @@ -26,8 +26,8 @@ { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.allowEmptyValue", @@ -38,8 +38,8 @@ { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 31, - "filename": "positive6.yaml", + "line": 32, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.allowEmptyValue", @@ -62,8 +62,8 @@ { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", - "line": 12, - "filename": "positive3.json", + "line": 31, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.allowEmptyValue", diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json index e7168b3ffe5..b20b76e0c7c 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml", + "line": 49, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", @@ -26,25 +26,25 @@ { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json", + "line": 31, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml", + "line": 30, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json index c3c0c4f0026..03511e236c2 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json @@ -1,21 +1,9 @@ [ - { - "queryName": "Property 'allowReserved' Improperly Defined", - "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", - "searchValue": "", - "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" - }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 43, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -38,8 +26,8 @@ { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -59,11 +47,23 @@ "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" }, + { + "queryName": "Property 'allowReserved' Improperly Defined", + "severity": "INFO", + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 26, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json index 64cbc2a5c1f..c492ff850b1 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml", + "line": 49, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", @@ -26,25 +26,25 @@ { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 43, - "filename": "positive2.json", + "line": 31, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json", + "line": 30, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json index b0e44f5a428..8a16acfde0b 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml", + "line": 49, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml", + "line": 43, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", "searchValue": "", - "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 49, - "filename": "positive1.json", + "line": 31, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", @@ -38,8 +38,8 @@ { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", - "line": 43, - "filename": "positive2.json", + "line": 30, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json index ef6850e31f5..5b1945e46b0 100644 --- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 41, - "filename": "positive3.yaml", + "line": 64, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", @@ -14,8 +14,8 @@ { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 30, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", @@ -26,8 +26,8 @@ { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 64, - "filename": "positive1.json", + "line": 41, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", @@ -38,8 +38,8 @@ { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", - "line": 43, - "filename": "positive2.json", + "line": 30, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json index 78ad1402942..d6a2128b230 100644 --- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", - "line": 22, - "filename": "positive2.json", + "line": 50, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", + "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" + "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", - "line": 50, - "filename": "positive1.json", + "line": 22, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", diff --git a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json index 1d11547d999..431102b6e6a 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 26, - "filename": "positive3.yaml", + "line": 45, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", @@ -14,8 +14,8 @@ { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 45, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", @@ -26,8 +26,8 @@ { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 45, - "filename": "positive1.json", + "line": 26, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", @@ -38,8 +38,8 @@ { "queryName": "Security Field Undefined", "severity": "INFO", - "line": 45, - "filename": "positive2.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.petstore_auth", diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json index e52abcb5f7b..92b3557a20e 100644 --- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml", + "line": 9, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/pets}}.get.security.api_key", + "searchKey": "security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" @@ -38,11 +38,11 @@ { "queryName": "Security Requirement Object With Wrong Scopes", "severity": "INFO", - "line": 9, - "filename": "positive1.json", + "line": 19, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "security.api_key", + "searchKey": "paths.{{/pets}}.get.security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json index 761222ad366..7655f0ffeb1 100644 --- a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 26, - "filename": "positive6.yaml", + "line": 2, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.securitySchemes", + "searchKey": "openapi", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is an empty object" + "actualValue": "Components is not defined" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -38,8 +38,8 @@ { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 2, - "filename": "positive1.json", + "line": 1, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "openapi", @@ -50,25 +50,25 @@ { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 1, - "filename": "positive4.yaml", + "line": 25, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "openapi", + "searchKey": "components", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "Components is not defined" + "actualValue": "A security scheme is not defined" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", - "line": 25, - "filename": "positive5.yaml", + "line": 26, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components", + "searchKey": "components.securitySchemes", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is not defined" + "actualValue": "A security scheme is an empty object" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json index 69a5451ca7d..fdc10d377e7 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", - "line": 33, - "filename": "positive2.yaml", + "line": 57, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", @@ -14,8 +14,8 @@ { "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", - "line": 57, - "filename": "positive1.json", + "line": 33, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json index d09b687171b..7aca478e95e 100644 --- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", - "line": 31, - "filename": "positive2.yaml", + "line": 55, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{petstore_auth}}", @@ -14,8 +14,8 @@ { "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", - "line": 55, - "filename": "positive1.json", + "line": 31, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.securitySchemes.{{petstore_auth}}", diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json index 0f8a455a20d..3af703f568b 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json @@ -2,20 +2,8 @@ { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 25, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", - "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", - "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" - }, - { - "queryName": "Server Object Variable Not Used", - "severity": "INFO", - "line": 30, - "filename": "positive3.yaml", + "line": 38, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", @@ -38,13 +26,25 @@ { "queryName": "Server Object Variable Not Used", "severity": "INFO", - "line": 38, - "filename": "positive1.json", + "line": 30, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'" + }, + { + "queryName": "Server Object Variable Not Used", + "severity": "INFO", + "line": 25, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json index 2f2e8f68879..055c0f32061 100644 --- a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml", + "line": 30, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 24, - "filename": "positive3.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 30, - "filename": "positive1.json", + "line": 24, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", @@ -38,8 +38,8 @@ { "queryName": "Server URL Not Absolute", "severity": "INFO", - "line": 32, - "filename": "positive2.json", + "line": 22, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json index 8088438d4b8..28c28545c07 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Server URL Uses Undefined Variables", - "severity": "INFO", - "line": 32, - "filename": "positive2.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", - "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" - }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", @@ -26,8 +14,8 @@ { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml", + "line": 32, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables" + }, + { + "queryName": "Server URL Uses Undefined Variables", + "severity": "INFO", + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json index ca66a346189..259f3866727 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json @@ -2,32 +2,32 @@ { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 25, - "filename": "positive4.yaml", + "line": 2, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "servers", + "searchKey": "openapi", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array is empty" + "actualValue": "Servers array does not have at least one server defined" }, { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 1, - "filename": "positive3.yaml", + "line": 43, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "openapi", + "searchKey": "servers", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array does not have at least one server defined" + "actualValue": "Servers array is empty" }, { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 2, - "filename": "positive1.json", + "line": 1, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "openapi", @@ -38,8 +38,8 @@ { "queryName": "Servers Array Undefined", "severity": "INFO", - "line": 43, - "filename": "positive2.json", + "line": 25, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "servers", diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json index 04f9e876f4d..e26c0470ede 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", - "line": 10, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.trace.responses", @@ -14,8 +14,8 @@ { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.trace.responses", diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index d39f825094e..cfb93e77d56 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 18, - "filename": "positive3.yaml", + "line": 26, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 15, - "filename": "positive4.yaml", + "line": 23, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -26,8 +26,8 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 26, - "filename": "positive1.json", + "line": 18, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.{{oAuth2AuthCodeNeg2}}", @@ -38,8 +38,8 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 23, - "filename": "positive2.json", + "line": 15, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 4ba24cfc625..61c4407da49 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 13, - "filename": "positive3.yaml", + "line": 15, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", @@ -14,8 +14,8 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", @@ -26,8 +26,8 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 15, - "filename": "positive1.json", + "line": 13, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", @@ -38,8 +38,8 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 12, - "filename": "positive2.json", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", diff --git a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json index fd764058889..7bd1190c95b 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 30, - "filename": "positive3.yaml", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", + "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", "searchValue": "", - "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", - "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix" + "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml", + "line": 19, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", + "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", - "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 19, - "filename": "positive2.json", + "line": 30, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", + "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", - "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix" + "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 14, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", + "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", "searchValue": "", - "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", - "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json index de011038a4b..28370b9b65a 100644 --- a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json @@ -2,38 +2,50 @@ { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.yaml", + "line": 14, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", "searchValue": "", - "expectedValue": "The field 'tybhbhbpe' is known in the schema object", - "actualValue": "The field 'tybhbhbpe' is unknown in the schema object" + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 12, - "filename": "positive4.yaml", + "line": 28, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchKey": "tags.desdddcription", "searchValue": "", - "expectedValue": "The field 'descrinnption' is known in the responses object", - "actualValue": "The field 'descrinnption' is unknown in the responses object" + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml", + "line": 3, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchKey": "infjnjnjno", "searchValue": "", - "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", - "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" + }, + { + "queryName": "Unknown Property (v3)", + "severity": "INFO", + "line": 20, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe:' is known in the schema object", + "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object" }, { "queryName": "Unknown Property (v3)", @@ -50,8 +62,8 @@ { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 14, - "filename": "positive1.json", + "line": 12, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.descrinnption", @@ -62,8 +74,8 @@ { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 28, - "filename": "positive1.json", + "line": 17, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "tags.desdddcription", @@ -71,18 +83,6 @@ "expectedValue": "The field 'desdddcription' is known in the tags object", "actualValue": "The field 'desdddcription' is unknown in the tags object" }, - { - "queryName": "Unknown Property (v3)", - "severity": "INFO", - "line": 3, - "filename": "positive2.json", - "resourceType": "", - "resourceName": "", - "searchKey": "infjnjnjno", - "searchValue": "", - "expectedValue": "The field 'infjnjnjno' is known in the openapi object", - "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" - }, { "queryName": "Unknown Property (v3)", "severity": "INFO", @@ -98,25 +98,25 @@ { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml", + "line": 19, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "tags.desdddcription", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", "searchValue": "", - "expectedValue": "The field 'desdddcription' is known in the tags object", - "actualValue": "The field 'desdddcription' is unknown in the tags object" + "expectedValue": "The field 'tybhbhbpe' is known in the schema object", + "actualValue": "The field 'tybhbhbpe' is unknown in the schema object" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", - "line": 20, - "filename": "positive2.json", + "line": 16, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", "searchValue": "", - "expectedValue": "The field 'tybhbhbpe:' is known in the schema object", - "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object" + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json index ba22ba90418..107316aa105 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json @@ -1,21 +1,21 @@ [ { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 23, - "filename": "positive3.json", + "line": 45, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "security.apiKey1", + "searchKey": "security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 22, - "filename": "positive3.json", + "line": 46, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.apiKey3", @@ -24,10 +24,10 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 14, - "filename": "positive4.yaml", + "line": 47, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security.apiKey1", @@ -36,13 +36,13 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v2)", + "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", - "line": 15, - "filename": "positive4.yaml", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "security.apiKey3", + "searchKey": "security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" @@ -72,22 +72,22 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 45, - "filename": "positive1.json", + "line": 22, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "security.apiKey2", + "searchKey": "security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 26, - "filename": "positive2.yaml", + "line": 23, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "security.apiKey1", @@ -96,10 +96,10 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 47, - "filename": "positive1.json", + "line": 14, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.apiKey1", @@ -108,10 +108,10 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Global Security (v3)", + "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", - "line": 46, - "filename": "positive1.json", + "line": 15, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "security.apiKey3", diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json index 584f5e2ba27..fa4005980df 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json @@ -1,33 +1,33 @@ [ { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 15, - "filename": "positive3.json", + "line": 14, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey3", + "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 11, - "filename": "positive4.yaml", + "line": 15, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey1", + "searchKey": "paths./pets.post.security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 12, - "filename": "positive4.yaml", + "line": 16, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths./pets.post.security.apiKey3", @@ -36,10 +36,10 @@ "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v2)", + "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 14, - "filename": "positive3.json", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./pets.post.security.apiKey1", @@ -50,11 +50,11 @@ { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 16, - "filename": "positive1.json", + "line": 12, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey3", + "searchKey": "paths./pets.post.security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" @@ -62,59 +62,59 @@ { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", - "line": 11, + "line": 13, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey1", + "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 13, - "filename": "positive2.yaml", + "line": 14, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey3", + "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 14, - "filename": "positive1.json", + "line": 15, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey1", + "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", - "line": 15, - "filename": "positive1.json", + "line": 11, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey2", + "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" }, { - "queryName": "API Key Exposed In Operation Security (v3)", + "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 12, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./pets.post.security.apiKey2", + "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", "actualValue": "The API Key is transported over network" diff --git a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json index bc793179fcd..ceb40b99ade 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json @@ -1,27 +1,15 @@ [ { - "queryName": "Array Items Has No Type (v2)", - "severity": "LOW", - "line": 25, - "filename": "positive7.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.items", - "searchValue": "", - "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" - }, - { - "queryName": "Array Items Has No Type (v2)", + "queryName": "Array Items Has No Type (v3)", "severity": "LOW", - "line": 20, - "filename": "positive8.yaml", + "line": 65, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchKey": "components.schemas.MyIntArray.items", "searchValue": "", - "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, { "queryName": "Array Items Has No Type (v3)", @@ -47,18 +35,6 @@ "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" }, - { - "queryName": "Array Items Has No Type (v3)", - "severity": "LOW", - "line": 65, - "filename": "positive1.json", - "resourceType": "", - "resourceName": "", - "searchKey": "components.schemas.MyIntArray.items", - "searchValue": "", - "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" - }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", @@ -94,5 +70,29 @@ "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + }, + { + "queryName": "Array Items Has No Type (v2)", + "severity": "LOW", + "line": 25, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + }, + { + "queryName": "Array Items Has No Type (v2)", + "severity": "LOW", + "line": 20, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json index 4be0f386cdc..7d3554055b6 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json @@ -1,24 +1,12 @@ [ { - "queryName": "Array Without Maximum Number of Items (v2)", - "severity": "MEDIUM", - "line": 23, - "filename": "positive6.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", - "searchValue": "", - "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" - }, - { - "queryName": "Array Without Maximum Number of Items (v2)", + "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", - "line": 31, - "filename": "positive5.json", + "line": 56, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", "actualValue": "Array schema has 'maxItems' undefined" @@ -60,13 +48,25 @@ "actualValue": "Array schema has 'maxItems' undefined" }, { - "queryName": "Array Without Maximum Number of Items (v3)", + "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", - "line": 56, - "filename": "positive1.json", + "line": 31, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined" + }, + { + "queryName": "Array Without Maximum Number of Items (v2)", + "severity": "MEDIUM", + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", "actualValue": "Array schema has 'maxItems' undefined" diff --git a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json index 390ea4c00d0..3aaf46d205a 100644 --- a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json @@ -1,12 +1,12 @@ [ { - "queryName": "Default Invalid (v2)", + "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 16, - "filename": "positive9.json", + "line": 21, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", "actualValue": "The field 'default' is not consistent with the type" @@ -26,8 +26,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 19, - "filename": "positive8.yaml", + "line": 22, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -38,8 +38,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 27, - "filename": "positive7.yaml", + "line": 18, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -62,8 +62,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 20, - "filename": "positive6.yaml", + "line": 19, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -74,8 +74,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.yaml", + "line": 20, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -86,8 +86,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 21, - "filename": "positive1.json", + "line": 27, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -98,8 +98,8 @@ { "queryName": "Default Invalid (v3)", "severity": "INFO", - "line": 18, - "filename": "positive3.json", + "line": 19, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", @@ -108,13 +108,13 @@ "actualValue": "The field 'default' is not consistent with the type" }, { - "queryName": "Default Invalid (v3)", + "queryName": "Default Invalid (v2)", "severity": "INFO", - "line": 22, - "filename": "positive2.json", + "line": 16, + "filename": "positive9.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", "actualValue": "The field 'default' is not consistent with the type" diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json index 23ff080b349..dc579f3b1cf 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json @@ -1,33 +1,33 @@ [ { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 16, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 21, - "filename": "positive5.json", + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{patch}}.responses", @@ -36,13 +36,13 @@ "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v2)", + "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml", + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" @@ -50,11 +50,11 @@ { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" @@ -62,8 +62,8 @@ { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", - "line": 21, - "filename": "positive2.json", + "line": 16, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{patch}}.responses", @@ -72,34 +72,34 @@ "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 12, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 21, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", - "line": 12, - "filename": "positive2.json", + "line": 10, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{delete}}.responses", @@ -108,10 +108,10 @@ "actualValue": "Default field is not defined on responses" }, { - "queryName": "Default Response Undefined On Operations (v3)", + "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 16, - "filename": "positive4.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{patch}}.responses", diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json index 69f6e58144a..105bd0cdd11 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json @@ -1,27 +1,27 @@ [ { - "queryName": "Example Not Compliant With Schema Type (v2)", + "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 25, - "filename": "positive9.json", + "line": 21, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.example", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", "searchValue": "", - "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", - "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", - "line": 30, - "filename": "positive12.yaml", + "line": 20, + "filename": "positive10.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.Tag.example", + "searchKey": "paths.{{/}}.get.parameters.example", "searchValue": "", - "expectedValue": "definitions.Tag.example should not be compliant with the schema type", - "actualValue": "definitions.Tag.example is not compliant with the schema type" + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v2)", @@ -38,47 +38,35 @@ { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", - "line": 20, - "filename": "positive10.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.example", - "searchValue": "", - "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", - "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" - }, - { - "queryName": "Example Not Compliant With Schema Type (v3)", - "severity": "INFO", - "line": 17, - "filename": "positive6.yaml", + "line": 30, + "filename": "positive12.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchKey": "definitions.Tag.example", "searchValue": "", - "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml", + "line": 18, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", "searchValue": "", - "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive7.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" @@ -86,8 +74,8 @@ { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 24, - "filename": "positive3.json", + "line": 20, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", @@ -99,31 +87,31 @@ "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive4.yaml", + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", "searchValue": "", - "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 21, - "filename": "positive1.json", + "line": 34, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", "searchValue": "", - "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 20, - "filename": "positive5.json", + "line": 17, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", @@ -134,8 +122,8 @@ { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 34, - "filename": "positive5.json", + "line": 26, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", @@ -146,8 +134,8 @@ { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 20, - "filename": "positive8.yaml", + "line": 24, + "filename": "positive7.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", @@ -158,13 +146,25 @@ { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml", + "line": 20, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + }, + { + "queryName": "Example Not Compliant With Schema Type (v2)", + "severity": "INFO", + "line": 25, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json index b3ac100a5fc..41d33ed0f93 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json @@ -1,48 +1,48 @@ [ { - "queryName": "Global Security Field Is Undefined (v2)", + "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", "line": 2, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "swagger", + "searchKey": "openapi", "searchValue": "", "expectedValue": "A default security property should be defined", "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v2)", + "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", "line": 1, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "swagger", + "searchKey": "openapi", "searchValue": "", "expectedValue": "A default security property should be defined", "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v3)", + "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", - "line": 1, - "filename": "positive2.yaml", + "line": 2, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "openapi", + "searchKey": "swagger", "searchValue": "", "expectedValue": "A default security property should be defined", "actualValue": "A default security property is not defined" }, { - "queryName": "Global Security Field Is Undefined (v3)", + "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", - "line": 2, - "filename": "positive1.json", + "line": 1, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "openapi", + "searchKey": "swagger", "searchValue": "", "expectedValue": "A default security property should be defined", "actualValue": "A default security property is not defined" diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json index 4bf3f9bfe24..cfd67d2dc78 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json @@ -1,33 +1,33 @@ [ { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 21, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.name=Accept", + "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", - "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", - "actualValue": "parameters.limitParam.name=Accept is 'Accept'" + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 38, - "filename": "positive5.json", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.name=Accept", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", "searchValue": "", - "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", - "actualValue": "parameters.limitParam.name=Accept is 'Accept'" + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Accept", @@ -36,22 +36,22 @@ "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v2)", + "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json", + "line": 36, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", "searchValue": "", - "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Accept", @@ -62,8 +62,8 @@ { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Accept", @@ -72,34 +72,34 @@ "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json", + "line": 11, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", - "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml", + "line": 38, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchKey": "parameters.limitParam.name=Accept", "searchValue": "", - "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 14, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Accept", @@ -108,15 +108,15 @@ "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" }, { - "queryName": "Header Parameter Named as 'Accept' (v3)", + "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 21, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchKey": "parameters.limitParam.name=Accept", "searchValue": "", - "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json index 49fe295d530..dd35511ba3c 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json @@ -1,33 +1,9 @@ [ { - "queryName": "Header Parameter Named as 'Authorization' (v2)", - "severity": "INFO", - "line": 38, - "filename": "positive5.json", - "resourceType": "", - "resourceName": "", - "searchKey": "parameters.limitParam.name=Authorization", - "searchValue": "", - "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", - "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" - }, - { - "queryName": "Header Parameter Named as 'Authorization' (v2)", - "severity": "INFO", - "line": 11, - "filename": "positive5.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Authorization", - "searchValue": "", - "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" - }, - { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Authorization", @@ -36,22 +12,22 @@ "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v2)", + "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 23, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.name=Authorization", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", "searchValue": "", - "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", - "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Authorization", @@ -74,8 +50,8 @@ { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Authorization", @@ -96,27 +72,51 @@ "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json", + "line": 11, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", - "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" }, { - "queryName": "Header Parameter Named as 'Authorization' (v3)", + "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" + }, + { + "queryName": "Header Parameter Named as 'Authorization' (v2)", + "severity": "INFO", + "line": 14, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + }, + { + "queryName": "Header Parameter Named as 'Authorization' (v2)", + "severity": "INFO", + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json index b69869df492..518268e2371 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", @@ -12,34 +12,22 @@ "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", - "severity": "INFO", - "line": 23, - "filename": "positive6.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "parameters.limitParam.name=Content-Type", - "searchValue": "", - "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", - "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" - }, - { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 38, - "filename": "positive5.json", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.limitParam.name=Content-Type", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", "searchValue": "", - "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", - "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", @@ -62,8 +50,8 @@ { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 43, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", @@ -74,8 +62,8 @@ { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", @@ -84,10 +72,10 @@ "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 11, + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", @@ -96,27 +84,39 @@ "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 58, - "filename": "positive1.json", + "line": 38, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchKey": "parameters.limitParam.name=Content-Type", "searchValue": "", - "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" }, { - "queryName": "Header Parameter Named as 'Content-Type' (v3)", + "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 14, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + }, + { + "queryName": "Header Parameter Named as 'Content-Type' (v2)", + "severity": "INFO", + "line": 23, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index fd99dd673e6..16aef5fabb3 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Header Response Name Is Invalid (v2)", - "severity": "INFO", - "line": 32, - "filename": "positive3.json", - "resourceType": "", - "resourceName": "", - "searchKey": "responses.{{Success}}.headers.{{Accept}}", - "searchValue": "", - "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", - "actualValue": "responses.{{Success}}.headers contains 'Accept'" - }, - { - "queryName": "Header Response Name Is Invalid (v2)", - "severity": "INFO", - "line": 21, - "filename": "positive4.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "responses.{{Success}}.headers.{{Accept}}", - "searchValue": "", - "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", - "actualValue": "responses.{{Success}}.headers contains 'Accept'" - }, { "queryName": "Header Response Name Is Invalid (v3)", "severity": "INFO", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" + }, + { + "queryName": "Header Response Name Is Invalid (v2)", + "severity": "INFO", + "line": 32, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'" + }, + { + "queryName": "Header Response Name Is Invalid (v2)", + "severity": "INFO", + "line": 21, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json index 4a98cc2330f..a5f54641d7d 100644 --- a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid Contact Email (v2)", + "queryName": "Invalid Contact Email (v3)", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml", + "line": 9, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "info.contact.email", @@ -12,10 +12,10 @@ "actualValue": "info.contact.email has an invalid email" }, { - "queryName": "Invalid Contact Email (v2)", + "queryName": "Invalid Contact Email (v3)", "severity": "INFO", - "line": 9, - "filename": "positive3.json", + "line": 8, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.contact.email", @@ -24,10 +24,10 @@ "actualValue": "info.contact.email has an invalid email" }, { - "queryName": "Invalid Contact Email (v3)", + "queryName": "Invalid Contact Email (v2)", "severity": "INFO", - "line": 8, - "filename": "positive2.yaml", + "line": 9, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "info.contact.email", @@ -36,10 +36,10 @@ "actualValue": "info.contact.email has an invalid email" }, { - "queryName": "Invalid Contact Email (v3)", + "queryName": "Invalid Contact Email (v2)", "severity": "INFO", - "line": 9, - "filename": "positive1.json", + "line": 8, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.contact.email", diff --git a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json index c2c70f54d14..ee8de5780d3 100644 --- a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid Contact URL (v2)", + "queryName": "Invalid Contact URL (v3)", "severity": "INFO", - "line": 7, - "filename": "positive4.yaml", + "line": 8, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "info.contact.url", @@ -12,10 +12,10 @@ "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v2)", + "queryName": "Invalid Contact URL (v3)", "severity": "INFO", - "line": 8, - "filename": "positive3.json", + "line": 7, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.contact.url", @@ -24,10 +24,10 @@ "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v3)", + "queryName": "Invalid Contact URL (v2)", "severity": "INFO", "line": 8, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "info.contact.url", @@ -36,10 +36,10 @@ "actualValue": "info.contact.url has an invalid URL" }, { - "queryName": "Invalid Contact URL (v3)", + "queryName": "Invalid Contact URL (v2)", "severity": "INFO", "line": 7, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.contact.url", diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index 45d1e6d4155..ef72a29c82e 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -1,39 +1,39 @@ [ { - "queryName": "Invalid Format (v2)", + "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 33, - "filename": "positive4.yaml", + "line": 37, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is float format" }, { - "queryName": "Invalid Format (v2)", + "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 42, - "filename": "positive3.json", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchKey": "components.schemas.MyObject.properties.id.format=double", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 37, - "filename": "positive2.yaml", + "line": 61, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", @@ -50,47 +50,47 @@ { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 43, + "line": 37, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchKey": "components.schemas.MyObject.properties.id.format=double", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", "severity": "LOW", - "line": 53, - "filename": "positive1.json", + "line": 43, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { - "queryName": "Invalid Format (v3)", + "queryName": "Invalid Format (v2)", "severity": "LOW", - "line": 37, - "filename": "positive1.json", + "line": 42, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is float format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { - "queryName": "Invalid Format (v3)", + "queryName": "Invalid Format (v2)", "severity": "LOW", - "line": 61, - "filename": "positive1.json", + "line": 33, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", "searchValue": "", "expectedValue": "number is float or double formats", "actualValue": "number is int32 format" diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json index 7b7a5a4f2ab..beaefd124b4 100644 --- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid Global External Documentation URL (v2)", + "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml", + "line": 49, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "externalDocs.url", @@ -12,10 +12,10 @@ "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v2)", + "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", "line": 26, - "filename": "positive3.json", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "externalDocs.url", @@ -24,10 +24,10 @@ "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v3)", + "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", - "line": 49, - "filename": "positive1.json", + "line": 26, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "externalDocs.url", @@ -36,10 +36,10 @@ "actualValue": "externalDocs.url does not have a valid URL" }, { - "queryName": "Invalid Global External Documentation URL (v3)", + "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 14, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "externalDocs.url", diff --git a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json index 472386a1160..9fc2d56d01a 100644 --- a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid License URL (v2)", + "queryName": "Invalid License URL (v3)", "severity": "INFO", - "line": 7, - "filename": "positive4.yaml", + "line": 8, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "info.license.url", @@ -12,10 +12,10 @@ "actualValue": "info.license.url has an invalid URL" }, { - "queryName": "Invalid License URL (v2)", + "queryName": "Invalid License URL (v3)", "severity": "INFO", - "line": 8, - "filename": "positive3.json", + "line": 7, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.license.url", @@ -24,10 +24,10 @@ "actualValue": "info.license.url has an invalid URL" }, { - "queryName": "Invalid License URL (v3)", + "queryName": "Invalid License URL (v2)", "severity": "INFO", - "line": 7, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "info.license.url", @@ -36,10 +36,10 @@ "actualValue": "info.license.url has an invalid URL" }, { - "queryName": "Invalid License URL (v3)", + "queryName": "Invalid License URL (v2)", "severity": "INFO", - "line": 8, - "filename": "positive1.json", + "line": 7, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "info.license.url", diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json index 70696b1c296..48c58cf8ccc 100644 --- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid Operation External Documentation URL (v2)", + "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", @@ -12,10 +12,10 @@ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v2)", + "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", - "line": 15, - "filename": "positive4.yaml", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", @@ -24,10 +24,10 @@ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v3)", + "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", "line": 18, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", @@ -36,10 +36,10 @@ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" }, { - "queryName": "Invalid Operation External Documentation URL (v3)", + "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml", + "line": 15, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json index 95b41e1d579..f998034d9f9 100644 --- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json @@ -1,96 +1,96 @@ [ { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive5.json", + "line": 61, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchKey": "components.schemas.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 37, - "filename": "positive7.json", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{User}}.externalDocs.url", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive8.yaml", + "line": 35, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{User}}.externalDocs.url", + "searchKey": "components.schemas.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v2)", + "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml", + "line": 17, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml", + "line": 22, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 24, - "filename": "positive2.json", + "line": 15, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 61, - "filename": "positive1.json", + "line": 37, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchKey": "definitions.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" }, { - "queryName": "Invalid Schema External Documentation URL (v3)", + "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 35, - "filename": "positive3.yaml", + "line": 22, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchKey": "definitions.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", "actualValue": "Schema External Documentation URL is not a valid URL" diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json index 6c81e9f1f8d..f7d9f8c1fa0 100644 --- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "tags.name=pets", @@ -12,10 +12,10 @@ "actualValue": "tags[0].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 22, - "filename": "positive4.yaml", + "line": 57, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "tags.name=store", @@ -24,10 +24,10 @@ "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v2)", + "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", - "line": 30, - "filename": "positive3.json", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "tags.name=pets", @@ -35,18 +35,6 @@ "expectedValue": "tags[0].externalDocs.url has a valid URL", "actualValue": "tags[0].externalDocs.url has an invalid URL" }, - { - "queryName": "Invalid Tag External Documentation URL (v2)", - "severity": "INFO", - "line": 34, - "filename": "positive3.json", - "resourceType": "", - "resourceName": "", - "searchKey": "tags.name=store", - "searchValue": "", - "expectedValue": "tags[1].externalDocs.url has a valid URL", - "actualValue": "tags[1].externalDocs.url has an invalid URL" - }, { "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", @@ -60,10 +48,10 @@ "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 30, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "tags.name=pets", @@ -72,10 +60,10 @@ "actualValue": "tags[0].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 57, - "filename": "positive1.json", + "line": 34, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "tags.name=store", @@ -84,15 +72,27 @@ "actualValue": "tags[1].externalDocs.url has an invalid URL" }, { - "queryName": "Invalid Tag External Documentation URL (v3)", + "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "tags.name=pets", "searchValue": "", "expectedValue": "tags[0].externalDocs.url has a valid URL", "actualValue": "tags[0].externalDocs.url has an invalid URL" + }, + { + "queryName": "Invalid Tag External Documentation URL (v2)", + "severity": "INFO", + "line": 22, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json index a89433e5f93..01830d8041c 100644 --- a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Items Undefined (v2)", + "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml", + "line": 50, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchKey": "components.schemas.GeneralError", "searchValue": "", "expectedValue": "Array items property should be defined", "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v2)", + "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.json", + "line": 22, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Array items property should be defined", "actualValue": "Array items property is undefined" @@ -38,8 +38,8 @@ { "queryName": "Items Undefined (v3)", "severity": "INFO", - "line": 22, - "filename": "positive2.json", + "line": 15, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", @@ -48,25 +48,25 @@ "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v3)", + "queryName": "Items Undefined (v2)", "severity": "INFO", - "line": 50, - "filename": "positive1.json", + "line": 19, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError", + "searchKey": "paths.{{/users}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Array items property should be defined", "actualValue": "Array items property is undefined" }, { - "queryName": "Items Undefined (v3)", + "queryName": "Items Undefined (v2)", "severity": "INFO", - "line": 15, - "filename": "positive4.yaml", + "line": 16, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchKey": "paths.{{/users}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Array items property should be defined", "actualValue": "Array items property is undefined" diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 369998bc89d..35194535154 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json @@ -1,84 +1,84 @@ [ { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 22, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 28, - "filename": "positive7.json", + "line": 62, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 27, - "filename": "positive5.json", + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 23, - "filename": "positive5.json", + "line": 31, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 23, - "filename": "positive7.json", + "line": 34, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 28, - "filename": "positive8.json", + "line": 37, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v2)", + "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 19, - "filename": "positive6.yaml", + "line": 22, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" @@ -86,95 +86,95 @@ { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 22, + "line": 25, "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 25, - "filename": "positive4.yaml", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json", + "line": 27, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 55, - "filename": "positive9.json", + "line": 19, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 31, - "filename": "positive2.json", + "line": 22, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 34, - "filename": "positive3.yaml", + "line": 23, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 37, - "filename": "positive3.yaml", + "line": 28, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, { - "queryName": "Maximum Length Undefined (v3)", + "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", - "line": 62, - "filename": "positive1.json", + "line": 28, + "filename": "positive8.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" @@ -194,11 +194,11 @@ { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", - "line": 27, - "filename": "positive2.json", + "line": 55, + "filename": "positive9.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json index abb5a76ca0d..33a0b9c3ade 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "No Global And Operation Security Defined (v2)", + "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 9, - "filename": "positive6.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}", @@ -12,13 +12,13 @@ "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v2)", + "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", - "line": 7, - "filename": "positive5.yaml", + "line": 46, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}", + "searchKey": "paths.{{/}}.{{patch}}", "searchValue": "", "expectedValue": "A security schema should be used", "actualValue": "No security schema is used" @@ -48,10 +48,10 @@ "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v3)", + "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", - "line": 9, - "filename": "positive1.json", + "line": 7, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}", @@ -60,13 +60,13 @@ "actualValue": "No security schema is used" }, { - "queryName": "No Global And Operation Security Defined (v3)", + "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", - "line": 46, - "filename": "positive2.json", + "line": 9, + "filename": "positive6.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{patch}}", + "searchKey": "paths.{{/}}.{{get}}", "searchValue": "", "expectedValue": "A security schema should be used", "actualValue": "No security schema is used" diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 9b2b2d89b8a..0a107619e42 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Non-Array Schema With Items (v2)", + "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml", + "line": 52, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.User.properties.name.items", + "searchKey": "components.schemas.GeneralError.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v2)", + "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 44, - "filename": "positive5.json", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.User.properties.name.items", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" @@ -38,35 +38,35 @@ { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", - "line": 52, - "filename": "positive1.json", + "line": 17, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.items", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v3)", + "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 24, - "filename": "positive2.json", + "line": 44, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchKey": "definitions.User.properties.name.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" }, { - "queryName": "Non-Array Schema With Items (v3)", + "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 17, - "filename": "positive4.yaml", + "line": 32, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchKey": "definitions.User.properties.name.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index c61a282219c..7f8bdf0c99e 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json @@ -1,24 +1,12 @@ [ { - "queryName": "Numeric Schema Without Format (v2)", - "severity": "LOW", - "line": 23, - "filename": "positive5.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", - "searchValue": "", - "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" - }, - { - "queryName": "Numeric Schema Without Format (v2)", + "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", - "line": 20, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", "actualValue": "Numeric schema does not have 'format' defined" @@ -60,13 +48,25 @@ "actualValue": "Numeric schema does not have 'format' defined" }, { - "queryName": "Numeric Schema Without Format (v3)", + "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" + }, + { + "queryName": "Numeric Schema Without Format (v2)", + "severity": "LOW", + "line": 20, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", "actualValue": "Numeric schema does not have 'format' defined" diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index 2b38b075f99..3291290d541 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Numeric Schema Without Maximum (v2)", + "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 20, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" }, { - "queryName": "Numeric Schema Without Maximum (v2)", + "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 23, - "filename": "positive5.json", + "line": 27, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" @@ -26,11 +26,11 @@ { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 22, - "filename": "positive4.yaml", + "line": 34, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" @@ -38,35 +38,35 @@ { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", - "line": 34, - "filename": "positive3.yaml", + "line": 22, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" }, { - "queryName": "Numeric Schema Without Maximum (v3)", + "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" }, { - "queryName": "Numeric Schema Without Maximum (v3)", + "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", - "line": 27, - "filename": "positive2.json", + "line": 20, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index f2ec496955f..48614f5de8b 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Numeric Schema Without Minimum (v2)", + "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 20, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" }, { - "queryName": "Numeric Schema Without Minimum (v2)", + "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 23, - "filename": "positive5.json", + "line": 27, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" @@ -26,11 +26,11 @@ { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 22, - "filename": "positive4.yaml", + "line": 34, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" @@ -38,35 +38,35 @@ { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", - "line": 34, - "filename": "positive3.yaml", + "line": 22, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" }, { - "queryName": "Numeric Schema Without Minimum (v3)", + "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", - "line": 27, - "filename": "positive2.json", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" }, { - "queryName": "Numeric Schema Without Minimum (v3)", + "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", - "line": 58, - "filename": "positive1.json", + "line": 20, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json index 6df9534a8e1..5d3177bdad6 100644 --- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json @@ -1,33 +1,33 @@ [ { - "queryName": "Object Using Enum With Keyword (v2)", + "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 29, - "filename": "positive5.json", + "line": 52, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", "searchValue": "", - "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v2)", + "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 31, - "filename": "positive6.yaml", + "line": 41, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", "searchValue": "", - "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 38, - "filename": "positive4.yaml", + "line": 49, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "definitions.Cat.allOf.huntingSkill", @@ -38,8 +38,8 @@ { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 49, - "filename": "positive3.json", + "line": 38, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "definitions.Cat.allOf.huntingSkill", @@ -48,27 +48,27 @@ "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v3)", + "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 41, - "filename": "positive2.yaml", + "line": 29, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", "searchValue": "", - "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" }, { - "queryName": "Object Using Enum With Keyword (v3)", + "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json", + "line": 31, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", "searchValue": "", - "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json index b46d3584988..79eaeae58b1 100644 --- a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 15, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.operationId", @@ -12,10 +12,10 @@ "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 23, - "filename": "positive3.json", + "line": 46, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{post}}.operationId", @@ -24,10 +24,10 @@ "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.operationId", @@ -36,10 +36,10 @@ "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v2)", + "queryName": "OperationId Not Unique (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.yaml", + "line": 25, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{post}}.operationId", @@ -48,10 +48,10 @@ "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 8, - "filename": "positive2.yaml", + "line": 15, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.operationId", @@ -60,10 +60,10 @@ "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml", + "line": 23, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{post}}.operationId", @@ -72,10 +72,10 @@ "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 15, - "filename": "positive1.json", + "line": 8, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.operationId", @@ -84,10 +84,10 @@ "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" }, { - "queryName": "OperationId Not Unique (v3)", + "queryName": "OperationId Not Unique (v2)", "severity": "INFO", - "line": 46, - "filename": "positive1.json", + "line": 13, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{post}}.operationId", diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json index 333254b2857..8ce9c7a53bf 100644 --- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Operation Without Successful HTTP Status Code (v2)", + "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 12, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses", @@ -12,10 +12,10 @@ "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v2)", + "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 10, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses", @@ -24,10 +24,10 @@ "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v3)", + "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 12, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses", @@ -36,10 +36,10 @@ "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" }, { - "queryName": "Operation Without Successful HTTP Status Code (v3)", + "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 10, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses", diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json index 3b97c5e7aca..ebed1594db1 100644 --- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json @@ -1,33 +1,33 @@ [ { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive5.json", + "line": 14, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Token", + "searchKey": "paths.{{/}}.get.parameters.name=id", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml", + "line": 28, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Token", + "searchKey": "paths.{{/}}.get.parameters.name=ID", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml", + "line": 68, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name=token", @@ -36,70 +36,70 @@ "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml", + "line": 82, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "parameters.anotherParam.name=token2", + "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 39, - "filename": "positive5.json", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.oneParam.name=Token2", + "searchKey": "paths.{{/}}.get.parameters.name=id", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 18, - "filename": "positive5.json", + "line": 21, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=token", + "searchKey": "paths.{{/}}.get.parameters.name=ID", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 47, - "filename": "positive5.json", + "line": 43, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.anotherParam.name=token2", + "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v2)", + "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml", + "line": 53, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "parameters.oneParam.name=Token2", + "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 8, - "filename": "positive4.yaml", + "line": 10, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "components.parameters.token.name=token", @@ -110,11 +110,11 @@ { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 53, - "filename": "positive2.yaml", + "line": 24, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Token", + "searchKey": "components.parameters.Token.name=Token", "searchValue": "", "expectedValue": "", "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" @@ -122,121 +122,121 @@ { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml", + "line": 8, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchKey": "components.parameters.token.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 82, - "filename": "positive1.json", + "line": 19, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=Token", + "searchKey": "components.parameters.Token.name=Token", "searchValue": "", "expectedValue": "", "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 68, - "filename": "positive1.json", + "line": 11, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=token", + "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 24, - "filename": "positive3.json", + "line": 18, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.Token.name=Token", + "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 10, - "filename": "positive3.json", + "line": 39, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.token.name=token", + "searchKey": "parameters.oneParam.name=Token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 21, - "filename": "positive2.yaml", + "line": 47, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchKey": "parameters.anotherParam.name=token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 28, - "filename": "positive1.json", + "line": 14, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 14, - "filename": "positive1.json", + "line": 19, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml", + "line": 26, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.Token.name=Token", + "searchKey": "parameters.oneParam.name=Token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" }, { - "queryName": "Parameter Objects Headers With Duplicated Name (v3)", + "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 43, - "filename": "positive2.yaml", + "line": 32, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name=token", + "searchKey": "parameters.anotherParam.name=token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json index da53426c6c7..b2afc16f845 100644 --- a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json @@ -1,24 +1,12 @@ [ { - "queryName": "Parameters Name In Combination Not Unique (v2)", - "severity": "INFO", - "line": 21, - "filename": "positive3.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name", - "searchValue": "", - "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" - }, - { - "queryName": "Parameters Name In Combination Not Unique (v2)", + "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml", + "line": 28, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.parameters.name", + "searchKey": "components.parameters.limitJSONParam.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", "actualValue": "Parameter does not have unique 'name' and 'in' combinations" @@ -60,13 +48,25 @@ "actualValue": "Parameter does not have unique 'name' and 'in' combinations" }, { - "queryName": "Parameters Name In Combination Not Unique (v3)", + "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", - "line": 28, - "filename": "positive1.json", + "line": 21, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.limitJSONParam.name", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + }, + { + "queryName": "Parameters Name In Combination Not Unique (v2)", + "severity": "INFO", + "line": 14, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", "actualValue": "Parameter does not have unique 'name' and 'in' combinations" diff --git a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json index 9363bc789a3..41ea5025a2c 100644 --- a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json @@ -1,9 +1,21 @@ [ { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 31, - "filename": "positive4.json", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path" + }, + { + "queryName": "Path Is Ambiguous (v3)", + "severity": "INFO", + "line": 19, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{ids}", @@ -12,10 +24,10 @@ "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.json", + "line": 8, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{id}", @@ -24,10 +36,10 @@ "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v2)", + "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", - "line": 21, - "filename": "positive3.yaml", + "line": 29, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{ids}", @@ -48,10 +60,10 @@ "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 19, - "filename": "positive1.yaml", + "line": 21, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{ids}", @@ -60,10 +72,10 @@ "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 6, - "filename": "positive1.yaml", + "line": 13, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{id}", @@ -72,27 +84,15 @@ "actualValue": "There is ambiguous path" }, { - "queryName": "Path Is Ambiguous (v3)", + "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", - "line": 29, - "filename": "positive2.json", + "line": 31, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{ids}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", "actualValue": "There is ambiguous path" - }, - { - "queryName": "Path Is Ambiguous (v3)", - "severity": "INFO", - "line": 8, - "filename": "positive2.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths./users/{id}", - "searchValue": "", - "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index a80e56cac7c..11fd8ba9da9 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Path Parameter Not Required (v2)", + "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 20, - "filename": "positive7.json", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -12,10 +12,10 @@ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v2)", + "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 14, - "filename": "positive8.yaml", + "line": 26, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -27,7 +27,7 @@ "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -38,11 +38,11 @@ { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 10, - "filename": "positive5.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.name={{id}}", + "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" @@ -50,11 +50,11 @@ { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 43, - "filename": "positive3.json", + "line": 10, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "components.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" @@ -62,11 +62,11 @@ { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 8, - "filename": "positive6.yaml", + "line": 19, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.name={{id}}", + "searchKey": "components.parameters.name={{nameAPI}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" @@ -74,11 +74,11 @@ { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 15, + "line": 8, "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.parameters.name={{nameAPI}}", + "searchKey": "components.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" @@ -86,8 +86,8 @@ { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.json", + "line": 15, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.parameters.name={{nameAPI}}", @@ -96,10 +96,10 @@ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v3)", + "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", - "line": 26, - "filename": "positive4.yaml", + "line": 20, + "filename": "positive7.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -108,10 +108,10 @@ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" }, { - "queryName": "Path Parameter Not Required (v3)", + "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 14, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json index f6689a8b135..f44994b7552 100644 --- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json @@ -1,48 +1,48 @@ [ { - "queryName": "Path Parameter With No Corresponding Template Path (v2)", + "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml", + "line": 37, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchKey": "paths./yada/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v2)", + "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", - "line": 51, - "filename": "positive4.json", + "line": 59, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchKey": "paths./.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v3)", + "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", - "line": 59, - "filename": "positive2.json", + "line": 32, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./.get.parameters.name={{id}}", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Path Parameter With No Corresponding Template Path (v3)", + "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", - "line": 37, - "filename": "positive1.yaml", + "line": 51, + "filename": "positive4.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./yada/foo.get.parameters.name={{id}}", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" diff --git a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json index 604b7b0957a..69d8cf3a923 100644 --- a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Path Template is Empty (v2)", + "queryName": "Path Template is Empty (v3)", "severity": "INFO", - "line": 10, - "filename": "positive3.yaml", + "line": 32, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{}", @@ -12,10 +12,10 @@ "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v2)", + "queryName": "Path Template is Empty (v3)", "severity": "INFO", - "line": 13, - "filename": "positive4.json", + "line": 53, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{}", @@ -24,10 +24,10 @@ "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v3)", + "queryName": "Path Template is Empty (v2)", "severity": "INFO", - "line": 32, - "filename": "positive1.yaml", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{}", @@ -36,10 +36,10 @@ "actualValue": "The path template is empty" }, { - "queryName": "Path Template is Empty (v3)", + "queryName": "Path Template is Empty (v2)", "severity": "INFO", - "line": 53, - "filename": "positive2.json", + "line": 13, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{}", diff --git a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json index ef812e4726c..4568214dbe0 100644 --- a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Path Without Operation (v2)", + "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 8, - "filename": "positive3.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}", @@ -12,10 +12,10 @@ "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v2)", + "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 6, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}", @@ -24,10 +24,10 @@ "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v3)", + "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 8, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}", @@ -36,10 +36,10 @@ "actualValue": "paths.{{/}} does not have at least one operation object defined" }, { - "queryName": "Path Without Operation (v3)", + "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 6, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}", diff --git a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json index 5aa955823a4..80651865c02 100644 --- a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Paths Object is Empty (v2)", + "queryName": "Paths Object is Empty (v3)", "severity": "INFO", - "line": 5, - "filename": "positive4.yaml", + "line": 7, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths", @@ -26,8 +26,8 @@ { "queryName": "Paths Object is Empty (v3)", "severity": "INFO", - "line": 7, - "filename": "positive1.json", + "line": 5, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths", @@ -36,10 +36,10 @@ "actualValue": "The Paths Object is empty" }, { - "queryName": "Paths Object is Empty (v3)", + "queryName": "Paths Object is Empty (v2)", "severity": "INFO", "line": 5, - "filename": "positive3.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths", diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index f3bc748990d..6964f33b226 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json @@ -1,48 +1,48 @@ [ { - "queryName": "Pattern Undefined (v2)", + "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 19, - "filename": "positive6.yaml", + "line": 58, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v2)", + "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 23, - "filename": "positive6.yaml", + "line": 63, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v2)", + "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 23, - "filename": "positive5.json", + "line": 27, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v2)", + "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 28, - "filename": "positive5.json", + "line": 32, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" @@ -62,11 +62,11 @@ { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive4.yaml", + "line": 38, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" @@ -74,11 +74,11 @@ { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 26, + "line": 22, "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" @@ -86,59 +86,59 @@ { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 63, - "filename": "positive1.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 27, - "filename": "positive2.json", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 32, - "filename": "positive2.json", + "line": 28, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 38, - "filename": "positive3.yaml", + "line": 19, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, { - "queryName": "Pattern Undefined (v3)", + "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", - "line": 58, - "filename": "positive1.json", + "line": 23, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" diff --git a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json index c4bbbe92be4..c9181301ecd 100644 --- a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json @@ -1,39 +1,39 @@ [ { - "queryName": "Properties Missing Required Property (v2)", + "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 20, - "filename": "positive6.yaml", + "line": 56, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.MyObject.properties.code.required.name", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", "searchValue": "", - "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", - "actualValue": "definitions.MyObject.properties.code.required.name is missing" + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v2)", + "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 27, - "filename": "positive5.json", + "line": 38, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.MyObject.properties.code.required.name", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", "searchValue": "", - "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", - "actualValue": "definitions.MyObject.properties.code.required.name is missing" + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", - "line": 38, - "filename": "positive2.yaml", + "line": 54, + "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", "searchValue": "", - "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", - "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" + "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" }, { "queryName": "Properties Missing Required Property (v3)", @@ -48,27 +48,27 @@ "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v3)", + "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", - "line": 56, - "filename": "positive1.json", + "line": 27, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchKey": "definitions.MyObject.properties.code.required.name", "searchValue": "", - "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", - "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing" }, { - "queryName": "Properties Missing Required Property (v3)", + "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", - "line": 54, - "filename": "positive3.json", + "line": 20, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", + "searchKey": "definitions.MyObject.properties.code.required.name", "searchValue": "", - "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", - "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json index 614adb5e730..e70e5c2a858 100644 --- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 20, - "filename": "positive5.json", + "line": 59, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" @@ -27,7 +27,7 @@ "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml", + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -50,8 +50,8 @@ { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml", + "line": 43, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.parameters.name={{id}}", @@ -62,35 +62,35 @@ { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 59, - "filename": "positive1.json", + "line": 26, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", + "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": "INFO", - "line": 43, - "filename": "positive1.json", + "line": 20, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" }, { - "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", + "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": "INFO", - "line": 43, - "filename": "positive3.json", + "line": 15, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json index 8ba46b41c0e..671425184c3 100644 --- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json @@ -1,12 +1,12 @@ [ { - "queryName": "Property Defining Minimum Greater Than Maximum (v2)", + "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 25, - "filename": "positive7.json", + "line": 52, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.GeneralError.properties.code", + "searchKey": "components.schemas.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" @@ -14,23 +14,23 @@ { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.message", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", "searchValue": "", - "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'", - "actualValue": "Array schema value has 'minItems' larger than 'maxItems'" + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 21, - "filename": "positive4.yaml", + "line": 33, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchKey": "components.schemas.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" @@ -38,11 +38,11 @@ { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 33, - "filename": "positive3.yaml", + "line": 21, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" @@ -62,23 +62,23 @@ { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", - "line": 24, - "filename": "positive2.json", + "line": 32, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchKey": "components.schemas.GeneralError.properties.message", "searchValue": "", - "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'", + "actualValue": "Array schema value has 'minItems' larger than 'maxItems'" }, { - "queryName": "Property Defining Minimum Greater Than Maximum (v3)", + "queryName": "Property Defining Minimum Greater Than Maximum (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json", + "line": 25, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code", + "searchKey": "definitions.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json index 9e403445f97..b9bc80aa0b1 100644 --- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Required Property With Default Value (v2)", + "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 23, - "filename": "positive5.json", + "line": 30, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" }, { - "queryName": "Required Property With Default Value (v2)", + "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml", + "line": 25, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" @@ -26,11 +26,11 @@ { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 25, - "filename": "positive2.json", + "line": 22, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" @@ -38,35 +38,35 @@ { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 30, - "filename": "positive1.json", + "line": 23, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" }, { - "queryName": "Required Property With Default Value (v3)", + "queryName": "Required Property With Default Value (v2)", "severity": "INFO", - "line": 22, - "filename": "positive3.yaml", + "line": 23, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" }, { - "queryName": "Required Property With Default Value (v3)", + "queryName": "Required Property With Default Value (v2)", "severity": "INFO", - "line": 23, - "filename": "positive4.yaml", + "line": 19, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index 5bae57aeaa2..22220dfdf2a 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -1,63 +1,63 @@ [ { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { - "queryName": "Response Code Missing (v2)", + "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -67,21 +67,21 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, + "line": 21, "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -98,20 +98,20 @@ { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 21, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "404 response", - "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", @@ -122,8 +122,8 @@ { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", @@ -151,21 +151,21 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 16, + "line": 10, "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -175,45 +175,45 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive2.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 21, - "filename": "positive1.json", + "line": 16, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "200 response", - "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 16, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "404 response", - "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -235,80 +235,80 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 16, - "filename": "positive3.yaml", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 12, - "filename": "positive1.json", + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 12, + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", - "line": 21, - "filename": "positive1.json", + "line": 10, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { - "queryName": "Response Code Missing (v3)", + "queryName": "Response Code Missing (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json index 182df1f13ce..b1b9d168de5 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json @@ -1,27 +1,27 @@ [ { - "queryName": "Response on operations that should not have a body has declared content (v2)", + "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", - "line": 15, - "filename": "positive6.json", + "line": 29, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", "searchValue": "", - "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" + "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v2)", + "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", - "line": 13, - "filename": "positive5.yaml", + "line": 20, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchKey": "paths.{{/}}.responses.{{200}}.content", "searchValue": "", - "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" + "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", @@ -48,27 +48,27 @@ "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v3)", + "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", - "line": 20, - "filename": "positive2.json", + "line": 13, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.responses.{{200}}.content", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", "searchValue": "", - "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" }, { - "queryName": "Response on operations that should not have a body has declared content (v3)", + "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", - "line": 29, - "filename": "positive1.json", + "line": 15, + "filename": "positive6.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", "searchValue": "", - "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", - "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json index d01bd05bd69..f39cce57811 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json @@ -1,15 +1,15 @@ [ { - "queryName": "Response on operations that should have a body has undefined schema (v2)", + "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive9.json", + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths./.get.responses.200", "searchValue": "", - "expectedValue": "paths./.get.responses.200.schema should be defined", - "actualValue": "paths./.get.responses.200.schema is undefined" + "expectedValue": "paths./.get.responses.200.content should be defined", + "actualValue": "paths./.get.responses.200.content is undefined" }, { "queryName": "Response on operations that should have a body has undefined schema (v2)", @@ -26,8 +26,8 @@ { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 22, - "filename": "positive3.json", + "line": 21, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", @@ -47,6 +47,30 @@ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined" }, + { + "queryName": "Response on operations that should have a body has undefined schema (v3)", + "severity": "MEDIUM", + "line": 22, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" + }, + { + "queryName": "Response on operations that should have a body has undefined schema (v3)", + "severity": "MEDIUM", + "line": 20, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" + }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", @@ -62,8 +86,8 @@ { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 19, - "filename": "positive7.yaml", + "line": 18, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", @@ -86,20 +110,8 @@ { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", - "line": 20, - "filename": "positive4.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", - "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" - }, - { - "queryName": "Response on operations that should have a body has undefined schema (v3)", - "severity": "MEDIUM", - "line": 21, - "filename": "positive2.json", + "line": 19, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", @@ -120,27 +132,15 @@ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" }, { - "queryName": "Response on operations that should have a body has undefined schema (v3)", - "severity": "MEDIUM", - "line": 18, - "filename": "positive6.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", - "searchValue": "", - "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" - }, - { - "queryName": "Response on operations that should have a body has undefined schema (v3)", + "queryName": "Response on operations that should have a body has undefined schema (v2)", "severity": "MEDIUM", "line": 18, - "filename": "positive1.json", + "filename": "positive9.json", "resourceType": "", "resourceName": "", "searchKey": "paths./.get.responses.200", "searchValue": "", - "expectedValue": "paths./.get.responses.200.content should be defined", - "actualValue": "paths./.get.responses.200.content is undefined" + "expectedValue": "paths./.get.responses.200.schema should be defined", + "actualValue": "paths./.get.responses.200.schema is undefined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json index ba0e8674566..3bbd6bfe547 100644 --- a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Responses Object Is Empty (v2)", + "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 10, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses", @@ -12,13 +12,13 @@ "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v2)", + "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 12, - "filename": "positive5.json", + "line": 21, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses", + "searchKey": "components.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", "actualValue": "'responses' is empty" @@ -38,35 +38,35 @@ { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", - "line": 12, - "filename": "positive1.json", + "line": 14, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses", + "searchKey": "components.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v3)", + "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", - "line": 21, - "filename": "positive2.json", + "line": 12, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.responses", + "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", "actualValue": "'responses' is empty" }, { - "queryName": "Responses Object Is Empty (v3)", + "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", - "line": 14, - "filename": "positive4.yaml", + "line": 10, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.responses", + "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", "actualValue": "'responses' is empty" diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json index 206e3621c51..6edaca60d8e 100644 --- a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", - "line": 11, - "filename": "positive4.yaml", + "line": 13, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", @@ -12,10 +12,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", - "line": 25, - "filename": "positive4.yaml", + "line": 39, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", @@ -24,10 +24,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", - "line": 13, - "filename": "positive3.json", + "line": 11, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", @@ -36,10 +36,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v2)", + "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", - "line": 39, - "filename": "positive3.json", + "line": 25, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", @@ -48,10 +48,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 13, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", @@ -60,10 +60,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 39, - "filename": "positive1.json", + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", @@ -72,10 +72,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 11, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", @@ -84,10 +84,10 @@ "actualValue": "HTTP responses status codes are not in range of [200-599]" }, { - "queryName": "Responses With Wrong HTTP Status Code (v3)", + "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml", + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json index 792d4488bcb..42cb8b1290c 100644 --- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json @@ -1,51 +1,39 @@ [ { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", - "severity": "INFO", - "line": 16, - "filename": "positive6.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", - "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" - }, - { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json", + "line": 25, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", - "line": 25, - "filename": "positive7.json", + "line": 32, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", @@ -60,39 +48,51 @@ "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml", + "line": 28, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", + "severity": "INFO", + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" + }, + { + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 25, - "filename": "positive2.json", + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" }, { - "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", + "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 15, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json index 6015bf9b664..664d458f5f6 100644 --- a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json @@ -1,98 +1,98 @@ [ { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 35, - "filename": "positive5.json", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", - "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 16, - "filename": "positive7.json", + "line": 25, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml", + "line": 32, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v2)", + "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", - "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json", + "line": 35, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 16, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml", + "line": 16, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" }, { - "queryName": "Schema Discriminator Not Required (v3)", + "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml", + "line": 15, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json index dfffdc7044e..4c075f9874c 100644 --- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json @@ -1,98 +1,98 @@ [ { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 22, - "filename": "positive7.json", + "line": 25, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 15, - "filename": "positive8.yaml", + "line": 32, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v2)", + "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", - "line": 16, - "filename": "positive6.yaml", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", - "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 25, - "filename": "positive2.json", + "line": 28, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 18, - "filename": "positive4.yaml", + "line": 16, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", - "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.yaml", + "line": 22, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" }, { - "queryName": "Schema Discriminator Property Not String (v3)", + "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 15, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", - "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index a263d0ae7df..e7e20e2b8d4 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Schema Enum Invalid (v2)", + "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", - "line": 37, - "filename": "positive6.yaml", + "line": 20, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.User.properties.name.enum", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v2)", + "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", - "line": 52, - "filename": "positive5.json", + "line": 20, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.User.properties.name.enum", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", "actualValue": "The field 'enum' is not consistent with the schema's type" @@ -48,25 +48,25 @@ "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v3)", + "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 20, - "filename": "positive2.json", + "line": 52, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchKey": "definitions.User.properties.name.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", "actualValue": "The field 'enum' is not consistent with the schema's type" }, { - "queryName": "Schema Enum Invalid (v3)", + "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 20, - "filename": "positive1.json", + "line": 37, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchKey": "definitions.User.properties.name.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", "actualValue": "The field 'enum' is not consistent with the schema's type" diff --git a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json index c139ec6897f..f8caeac711c 100644 --- a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json @@ -1,96 +1,96 @@ [ { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 26, - "filename": "positive7.json", + "line": 50, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}", + "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 20, - "filename": "positive5.json", + "line": 22, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 14, - "filename": "positive8.yaml", + "line": 27, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "definitions.{{GeneralError}}", + "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v2)", + "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml", + "line": 15, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 15, - "filename": "positive4.yaml", + "line": 20, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 50, - "filename": "positive1.json", + "line": 13, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 22, - "filename": "positive2.json", + "line": 26, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchKey": "definitions.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" }, { - "queryName": "Schema Object is Empty (v3)", + "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.yaml", + "line": 14, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.{{GeneralError}}", + "searchKey": "definitions.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", "actualValue": "The Schema Object is empty" diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json index 3529175cdff..4a7fa9d433b 100644 --- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json @@ -1,84 +1,72 @@ [ { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", - "severity": "INFO", - "line": 57, - "filename": "positive5.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", - "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" - }, - { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 28, - "filename": "positive5.json", + "line": 19, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchKey": "components.schemas.ErrorModel.code", "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 44, - "filename": "positive5.json", + "line": 38, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchKey": "components.schemas.ErrorModel.allOf.code", "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 41, - "filename": "positive6.yaml", + "line": 53, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 24, - "filename": "positive6.yaml", + "line": 16, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchKey": "components.schemas.ErrorModel.code", "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 34, - "filename": "positive6.yaml", + "line": 28, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchKey": "components.schemas.ErrorModel.allOf.code", "searchValue": "", - "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 19, - "filename": "positive1.json", + "line": 37, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.code", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" @@ -86,11 +74,11 @@ { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 57, + "line": 28, "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" @@ -110,11 +98,11 @@ { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 28, + "line": 57, "filename": "positive3.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" @@ -134,68 +122,80 @@ { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 16, - "filename": "positive2.yaml", + "line": 34, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", - "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", - "line": 38, - "filename": "positive1.json", + "line": 41, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", - "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 41, - "filename": "positive4.yaml", + "line": 28, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 37, - "filename": "positive2.yaml", + "line": 44, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", - "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 53, - "filename": "positive1.json", + "line": 57, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", - "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", + "severity": "INFO", + "line": 24, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + }, + { + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 34, - "filename": "positive4.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", @@ -204,15 +204,15 @@ "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" }, { - "queryName": "Schema Object Properties With Duplicated Keys (v3)", + "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", - "line": 28, - "filename": "positive2.yaml", + "line": 41, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", - "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json index 1e067dc9197..9bd1e12a8b7 100644 --- a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "Schema Has A Required Property Undefined (v2)", + "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 20, - "filename": "positive5.json", + "line": 50, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "components.GeneralError.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v2)", + "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 17, - "filename": "positive6.yaml", + "line": 22, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" @@ -26,11 +26,11 @@ { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 19, - "filename": "positive4.yaml", + "line": 31, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchKey": "components.GeneralError.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" @@ -38,35 +38,35 @@ { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", - "line": 50, - "filename": "positive1.json", + "line": 19, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.GeneralError.schema", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v3)", + "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", - "line": 22, - "filename": "positive2.json", + "line": 20, + "filename": "positive5.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" }, { - "queryName": "Schema Has A Required Property Undefined (v3)", + "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", - "line": 31, - "filename": "positive3.yaml", + "line": 17, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.GeneralError.schema", + "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", "actualValue": "Schema has required properties that are not defined" diff --git a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json index 4a11834a241..417b11d4038 100644 --- a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Global Security Field Has An Empty Array (v2)", + "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive4.json", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -12,10 +12,10 @@ "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v2)", + "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", - "line": 38, - "filename": "positive3.yaml", + "line": 25, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -24,10 +24,10 @@ "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v3)", + "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive1.json", + "line": 38, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -36,10 +36,10 @@ "actualValue": "A default security schema is not defined" }, { - "queryName": "Global Security Field Has An Empty Array (v3)", + "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 25, - "filename": "positive2.yaml", + "line": 60, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "security", diff --git a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json index 7675ba06177..b37931a2e7d 100644 --- a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive10.json", + "line": 43, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -15,7 +15,7 @@ "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 60, - "filename": "positive12.json", + "filename": "positive10.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -38,8 +38,8 @@ { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 38, - "filename": "positive9.yaml", + "line": 60, + "filename": "positive12.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -51,7 +51,7 @@ "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive1.json", + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -62,8 +62,8 @@ { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive6.yaml", + "line": 43, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -74,8 +74,8 @@ { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive8.yaml", + "line": 43, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -86,8 +86,8 @@ { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 43, - "filename": "positive2.json", + "line": 25, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -98,8 +98,8 @@ { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 43, - "filename": "positive3.json", + "line": 25, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -123,7 +123,7 @@ "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive5.yaml", + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", @@ -132,10 +132,10 @@ "actualValue": "Global security field definition has an empty object" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive4.json", + "line": 38, + "filename": "positive9.yaml", "resourceType": "", "resourceName": "", "searchKey": "security", diff --git a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json index 3fe6a7fd6fb..fb6857c2aec 100644 --- a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Security Field On Operations Has An Empty Array (v2)", + "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 14, - "filename": "positive9.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", @@ -26,11 +26,11 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 32, - "filename": "positive8.yaml", + "line": 51, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", "actualValue": "Security operation field array is declared and empty" @@ -50,11 +50,11 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 31, - "filename": "positive6.yaml", + "line": 53, + "filename": "positive4.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{patch}}.security", + "searchKey": "paths.{{/apis}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", "actualValue": "Security operation field array is declared and empty" @@ -62,11 +62,11 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 31, - "filename": "positive7.yaml", + "line": 10, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{patch}}.security", + "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", "actualValue": "Security operation field array is declared and empty" @@ -74,8 +74,8 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 51, - "filename": "positive2.json", + "line": 31, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{patch}}.security", @@ -86,11 +86,11 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 12, - "filename": "positive1.json", + "line": 31, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.security", + "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", "actualValue": "Security operation field array is declared and empty" @@ -98,8 +98,8 @@ { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", - "line": 53, - "filename": "positive4.json", + "line": 32, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/apis}}.{{get}}.security", @@ -108,10 +108,10 @@ "actualValue": "Security operation field array is declared and empty" }, { - "queryName": "Security Field On Operations Has An Empty Array (v3)", + "queryName": "Security Field On Operations Has An Empty Array (v2)", "severity": "HIGH", - "line": 10, - "filename": "positive5.yaml", + "line": 14, + "filename": "positive9.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json index 969260e6ee5..66aa9ac5376 100644 --- a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", + "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 14, - "filename": "positive9.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", @@ -26,8 +26,8 @@ { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 44, - "filename": "positive3.json", + "line": 51, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{patch}}.security", @@ -38,32 +38,8 @@ { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 10, - "filename": "positive5.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.{{get}}.security", - "searchValue": "", - "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" - }, - { - "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", - "severity": "HIGH", - "line": 32, - "filename": "positive8.yaml", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/apis}}.{{get}}.security", - "searchValue": "", - "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" - }, - { - "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", - "severity": "HIGH", - "line": 51, - "filename": "positive2.json", + "line": 44, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{patch}}.security", @@ -86,8 +62,8 @@ { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{get}}.security", @@ -98,8 +74,8 @@ { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 28, - "filename": "positive7.yaml", + "line": 31, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{patch}}.security", @@ -110,13 +86,37 @@ { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", - "line": 31, - "filename": "positive6.yaml", + "line": 28, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array should not have an empty object", "actualValue": "Security operation field array has an empty object" + }, + { + "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", + "severity": "HIGH", + "line": 32, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" + }, + { + "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", + "severity": "HIGH", + "line": 14, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json index d0c794e412c..cfc9097bfbf 100644 --- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json @@ -1,24 +1,24 @@ [ { - "queryName": "String Schema with Broad Pattern (v2)", + "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 30, - "filename": "positive6.json", + "line": 61, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchKey": "components.schemas.GeneralError.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" }, { - "queryName": "String Schema with Broad Pattern (v2)", + "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 26, - "filename": "positive5.yaml", + "line": 30, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" @@ -26,8 +26,8 @@ { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 61, - "filename": "positive1.json", + "line": 37, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "components.schemas.GeneralError.properties.code.pattern", @@ -38,8 +38,8 @@ { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", - "line": 30, - "filename": "positive2.json", + "line": 25, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", @@ -48,25 +48,25 @@ "actualValue": "String schema does not have 'pattern' restricted" }, { - "queryName": "String Schema with Broad Pattern (v3)", + "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 25, - "filename": "positive4.yaml", + "line": 26, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" }, { - "queryName": "String Schema with Broad Pattern (v3)", + "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 37, - "filename": "positive3.yaml", + "line": 30, + "filename": "positive6.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.GeneralError.properties.code.pattern", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json index e1e53d98e4f..27f11d2bdb6 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Success Response Code Undefined for Delete Operation (v2)", + "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive6.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.delete.responses", @@ -12,10 +12,10 @@ "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v2)", + "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive5.json", + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.delete.responses", @@ -48,10 +48,10 @@ "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v3)", + "queryName": "Success Response Code Undefined for Delete Operation (v2)", "severity": "LOW", "line": 12, - "filename": "positive2.json", + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.delete.responses", @@ -60,10 +60,10 @@ "actualValue": "Delete does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Delete Operation (v3)", + "queryName": "Success Response Code Undefined for Delete Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.delete.responses", diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json index 3ae17959494..6cfc03a87e0 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", - "line": 10, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.get.responses", @@ -14,8 +14,8 @@ { "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.get.responses", @@ -26,8 +26,8 @@ { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.get.responses", @@ -38,8 +38,8 @@ { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", - "line": 12, - "filename": "positive3.json", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.get.responses", diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json index c3aa4c4a472..324fa8b5326 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Success Response Code Undefined for Head Operation (v2)", + "queryName": "Success Response Code Undefined for Head Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive4.yaml", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.head.responses", @@ -12,10 +12,10 @@ "actualValue": "Head does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Head Operation (v2)", + "queryName": "Success Response Code Undefined for Head Operation (v3)", "severity": "LOW", - "line": 12, - "filename": "positive3.json", + "line": 10, + "filename": "positive2.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.head.responses", @@ -24,10 +24,10 @@ "actualValue": "Head does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Head Operation (v3)", + "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", - "line": 10, - "filename": "positive2.yaml", + "line": 12, + "filename": "positive3.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.head.responses", @@ -36,10 +36,10 @@ "actualValue": "Head does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Head Operation (v3)", + "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 10, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.head.responses", diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json index 6a8c11e213c..0335f30647c 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Success Response Code Undefined for Patch Operation (v2)", + "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.patch.responses", @@ -12,10 +12,10 @@ "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v2)", + "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive6.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.patch.responses", @@ -38,8 +38,8 @@ { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive2.json", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.patch.responses", @@ -48,10 +48,10 @@ "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v3)", + "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 24, + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.patch.responses", @@ -60,10 +60,10 @@ "actualValue": "Patch does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Patch Operation (v3)", + "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.patch.responses", diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json index eb6dc751ae7..bb355d39e02 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Success Response Code Undefined for Post Operation (v2)", + "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", @@ -12,10 +12,10 @@ "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v2)", + "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive6.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", @@ -26,8 +26,8 @@ { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive2.json", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", @@ -38,8 +38,8 @@ { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", @@ -48,10 +48,10 @@ "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v3)", + "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 24, + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", @@ -60,10 +60,10 @@ "actualValue": "Post does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Post Operation (v3)", + "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml", + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.post.responses", diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json index 0f7c12dd852..1e0db472041 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json @@ -1,9 +1,9 @@ [ { - "queryName": "Success Response Code Undefined for Put Operation (v2)", + "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 24, - "filename": "positive5.json", + "line": 12, + "filename": "positive1.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", @@ -12,10 +12,10 @@ "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v2)", + "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive6.yaml", + "line": 24, + "filename": "positive2.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", @@ -26,8 +26,8 @@ { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 18, - "filename": "positive4.yaml", + "line": 10, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", @@ -38,8 +38,8 @@ { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", - "line": 10, - "filename": "positive3.yaml", + "line": 18, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", @@ -48,10 +48,10 @@ "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v3)", + "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", - "line": 12, - "filename": "positive1.json", + "line": 24, + "filename": "positive5.json", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", @@ -60,10 +60,10 @@ "actualValue": "Put does not have any successful code" }, { - "queryName": "Success Response Code Undefined for Put Operation (v3)", + "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", - "line": 24, - "filename": "positive2.json", + "line": 18, + "filename": "positive6.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.put.responses", diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json index 8e9d336bd69..c694cfe97c0 100644 --- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json @@ -1,57 +1,57 @@ [ { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 25, - "filename": "positive7.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./people/{id}.get.parameters", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", "searchValue": "", - "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 31, - "filename": "positive7.yaml", + "line": 58, + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{id}.get.parameters", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", "searchValue": "", - "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 14, - "filename": "positive5.yaml", + "line": 34, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", - "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 38, - "filename": "positive6.json", + "line": 40, + "filename": "positive3.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", - "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 35, - "filename": "positive8.json", + "line": 55, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "paths./people/{id}.get.parameters", @@ -60,10 +60,10 @@ "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v2)", + "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", - "line": 45, - "filename": "positive8.json", + "line": 65, + "filename": "positive4.json", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{id}.get.parameters", @@ -72,34 +72,34 @@ "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 40, - "filename": "positive3.yaml", + "line": 14, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{id}.get.parameters", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", "searchValue": "", - "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 10, - "filename": "positive1.yaml", + "line": 38, + "filename": "positive6.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", "searchValue": "", "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 55, - "filename": "positive4.json", + "line": 25, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./people/{id}.get.parameters", @@ -108,10 +108,10 @@ "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 65, - "filename": "positive4.json", + "line": 31, + "filename": "positive7.yaml", "resourceType": "", "resourceName": "", "searchKey": "paths./users/{id}.get.parameters", @@ -120,25 +120,25 @@ "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 58, - "filename": "positive2.json", + "line": 35, + "filename": "positive8.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", - "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation" }, { - "queryName": "Template Path With No Corresponding Path Parameter (v3)", + "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", - "line": 34, - "filename": "positive3.yaml", + "line": 45, + "filename": "positive8.json", "resourceType": "", "resourceName": "", - "searchKey": "paths./people/{id}.get.parameters", + "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", "actualValue": "Template path parameters is not defined for operation" diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index ef2cac3f430..09d4d54061b 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json @@ -1,75 +1,63 @@ [ { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 19, - "filename": "positive9.json", - "resourceType": "", - "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", - "searchValue": "", - "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", + "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 55, - "filename": "positive7.json", + "line": 52, + "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.maximum", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword maximum is not valid for type string" + "actualValue": "Keyword pattern is not valid for type number" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 41, - "filename": "positive7.json", + "line": 17, + "filename": "positive10.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword minLength is not valid for type integer" }, { - "queryName": "Type Has Invalid Keyword (v2)", + "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 17, - "filename": "positive10.yaml", + "line": 14, + "filename": "positive11.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchKey": "components.schemas.PointGenre.minimum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minimum is not valid for type string" }, { - "queryName": "Type Has Invalid Keyword (v2)", + "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 33, - "filename": "positive8.yaml", + "line": 15, + "filename": "positive11.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchKey": "components.schemas.PointGenre.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword maximum is not valid for type string" }, { - "queryName": "Type Has Invalid Keyword (v2)", + "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 42, - "filename": "positive8.yaml", + "filename": "positive2.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.parameters.maximum", + "searchKey": "components.schemas.MyObject.properties.id.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword maximum is not valid for type string" + "actualValue": "Keyword minLength is not valid for type integer" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -86,26 +74,26 @@ { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 14, - "filename": "positive11.yaml", + "line": 37, + "filename": "positive4.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.PointGenre.minimum", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minimum is not valid for type string" + "actualValue": "Keyword pattern is not valid for type number" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", - "line": 37, - "filename": "positive4.yaml", + "line": 29, + "filename": "positive5.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchKey": "components.schemas.MyObject.properties.id.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword minLength is not valid for type integer" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -120,51 +108,63 @@ "actualValue": "Keyword pattern is not valid for type number" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 29, - "filename": "positive5.yaml", + "line": 41, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword pattern is not valid for type number" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 42, - "filename": "positive2.json", + "line": 55, + "filename": "positive7.json", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchKey": "paths.{{/}}.parameters.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword maximum is not valid for type string" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 52, - "filename": "positive1.json", + "line": 33, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword pattern is not valid for type number" }, { - "queryName": "Type Has Invalid Keyword (v3)", + "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", - "line": 15, - "filename": "positive11.yaml", + "line": 42, + "filename": "positive8.yaml", "resourceType": "", "resourceName": "", - "searchKey": "components.schemas.PointGenre.maximum", + "searchKey": "paths.{{/}}.parameters.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword maximum is not valid for type string" + }, + { + "queryName": "Type Has Invalid Keyword (v2)", + "severity": "INFO", + "line": 19, + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 48bda14ef30..bedbf7e6541 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", - "line": 35, - "filename": "positive2.yaml", + "line": 44, + "filename": "positive1.yaml", "resourceType": "aws:dms:ReplicationInstance", "resourceName": "test", - "searchKey": "resources[test].properties", + "searchKey": "resources[test].properties.publiclyAccessible", "searchValue": "", - "expectedValue": "Attribute 'publiclyAccessible' should be defined", - "actualValue": "Attribute 'publiclyAccessible' is not defined" + "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", + "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", - "line": 44, - "filename": "positive1.yaml", + "line": 35, + "filename": "positive2.yaml", "resourceType": "aws:dms:ReplicationInstance", "resourceName": "test", - "searchKey": "resources[test].properties.publiclyAccessible", + "searchKey": "resources[test].properties", "searchValue": "", - "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", - "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'" + "expectedValue": "Attribute 'publiclyAccessible' should be defined", + "actualValue": "Attribute 'publiclyAccessible' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json index b5edd23453b..243c1aa8084 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.yaml", + "line": 10, + "filename": "positive1.yaml", "resourceType": "aws:docdb:Cluster", "resourceName": "aws:docdb/cluster", - "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", + "searchKey": "resources[aws:docdb/cluster].properties", "searchValue": "", - "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler" + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined" }, { "queryName": "DocDB Logging Is Disabled", @@ -26,13 +26,13 @@ { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml", + "line": 18, + "filename": "positive3.yaml", "resourceType": "aws:docdb:Cluster", "resourceName": "aws:docdb/cluster", - "searchKey": "resources[aws:docdb/cluster].properties", + "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", "searchValue": "", - "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined", - "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined" + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 3f2fbb91702..322effeeea6 100644 --- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 7, - "filename": "positive3.yaml", + "line": 8, + "filename": "positive2.yaml", "resourceType": "aws:ecs:Cluster", "resourceName": "foo", - "searchKey": "resources[foo].properties", + "searchKey": "resources[foo].properties.settings", "searchValue": "", - "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Attribute 'settings' is not defined" + "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 8, - "filename": "positive2.yaml", + "line": 7, + "filename": "positive3.yaml", "resourceType": "aws:ecs:Cluster", "resourceName": "foo", - "searchKey": "resources[foo].properties.settings", + "searchKey": "resources[foo].properties", "searchValue": "", - "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" + "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 135b048670c..7c1dd964178 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 18, + "line": 10, "filename": "positive.yaml", "resourceType": "aws:elasticache:Cluster", "resourceName": "example", - "searchKey": "resources[example].properties", + "searchKey": "resources[example].properties.azMode", "searchValue": "", - "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", - "actualValue": "Attribute 'azMode' is not defined" + "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is set to single-az" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 10, + "line": 18, "filename": "positive.yaml", "resourceType": "aws:elasticache:Cluster", "resourceName": "example", - "searchKey": "resources[example].properties.azMode", + "searchKey": "resources[example].properties", "searchValue": "", - "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", - "actualValue": "Attribute 'azMode' is set to single-az" + "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index df12a0dcab4..34c55f0284a 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 17, + "line": 9, "filename": "positive.yaml", "resourceType": "aws:elasticache:Cluster", "resourceName": "example", - "searchKey": "resources[example].properties", + "searchKey": "resources[example].properties.snapshotRetentionLimit", "searchValue": "", - "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", - "actualValue": "Attribute 'snapshotRetentionLimit' is not defined" + "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0" }, { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 9, + "line": 17, "filename": "positive.yaml", "resourceType": "aws:elasticache:Cluster", "resourceName": "example", - "searchKey": "resources[example].properties.snapshotRetentionLimit", + "searchKey": "resources[example].properties", "searchValue": "", - "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", - "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0" + "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index a4193f76da9..9e513efc584 100644 --- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Elasticsearch Logs Disabled", "severity": "MEDIUM", - "line": 18, - "filename": "positive3.yaml", + "line": 14, + "filename": "positive1.yaml", "resourceType": "aws:elasticsearch:Domain", "resourceName": "exampleDomain", - "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", + "searchKey": "resources.exampleDomain.properties", "searchValue": "", - "expectedValue": "Attribute 'enabled' should be set to 'true'", - "actualValue": "Attribute 'enabled' is set to 'false'" + "expectedValue": "Attribute 'logPublishingOptions' should be defined", + "actualValue": "Attribute 'logPublishingOptions' is not defined" }, { "queryName": "Elasticsearch Logs Disabled", @@ -26,13 +26,13 @@ { "queryName": "Elasticsearch Logs Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.yaml", + "line": 18, + "filename": "positive3.yaml", "resourceType": "aws:elasticsearch:Domain", "resourceName": "exampleDomain", - "searchKey": "resources.exampleDomain.properties", + "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", "searchValue": "", - "expectedValue": "Attribute 'logPublishingOptions' should be defined", - "actualValue": "Attribute 'logPublishingOptions' is not defined" + "expectedValue": "Attribute 'enabled' should be set to 'true'", + "actualValue": "Attribute 'enabled' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json index 9f5c45866b8..f8c5e8abbda 100644 --- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 42, + "line": 25, "filename": "positive.yaml", "resourceType": "kubernetes:core/v1:Pod", "resourceName": "pod", - "searchKey": "resources[pod].properties.metadata.annotations", + "searchKey": "resources[pod].properties.metadata", "searchValue": "", "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", - "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined" + "actualValue": "Pod does not have annotations defined in metadata" }, { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 25, + "line": 42, "filename": "positive.yaml", "resourceType": "kubernetes:core/v1:Pod", "resourceName": "pod", - "searchKey": "resources[pod].properties.metadata", + "searchKey": "resources[pod].properties.metadata.annotations", "searchValue": "", "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", - "actualValue": "Pod does not have annotations defined in metadata" + "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index e14703c3af5..97e27ef7442 100644 --- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", - "line": 5, - "filename": "positive2.yml", + "line": 3, + "filename": "positive1.yml", "resourceType": "AWS::ApiGateway", "resourceName": "my-service", - "searchKey": "provider.endpointType", + "searchKey": "provider", "searchValue": "", - "expectedValue": "endpointType should be set to PRIVATE", - "actualValue": "endpointType is not set to PRIVATE" + "expectedValue": "endpointType should be defined and set to PRIVATE", + "actualValue": "endpointType is not defined" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.yml", + "line": 5, + "filename": "positive2.yml", "resourceType": "AWS::ApiGateway", "resourceName": "my-service", - "searchKey": "provider", + "searchKey": "provider.endpointType", "searchValue": "", - "expectedValue": "endpointType should be defined and set to PRIVATE", - "actualValue": "endpointType is not defined" + "expectedValue": "endpointType should be set to PRIVATE", + "actualValue": "endpointType is not set to PRIVATE" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json index 69b4e7f2969..d176e9aedea 100644 --- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 6, - "filename": "positive2.yml", + "line": 5, + "filename": "positive1.yml", "resourceType": "AWS::ApiGateway", "resourceName": "my-service", - "searchKey": "provider.apiGateway.minimumCompressionSize", + "searchKey": "provider.apiGateway", "searchValue": "", - "expectedValue": "'minimumCompressionSize' should be set to a recommended value", - "actualValue": "'minimumCompressionSize' is set a unrecommended value" + "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value", + "actualValue": "apiGateway does not have 'minimumCompressionSize' defined" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", - "line": 5, - "filename": "positive1.yml", + "line": 6, + "filename": "positive2.yml", "resourceType": "AWS::ApiGateway", "resourceName": "my-service", - "searchKey": "provider.apiGateway", + "searchKey": "provider.apiGateway.minimumCompressionSize", "searchValue": "", - "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value", - "actualValue": "apiGateway does not have 'minimumCompressionSize' defined" + "expectedValue": "'minimumCompressionSize' should be set to a recommended value", + "actualValue": "'minimumCompressionSize' is set a unrecommended value" } ] \ No newline at end of file diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 5ca40d7c70b..15a4729637c 100644 --- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yml", + "filename": "positive1.yml", "resourceType": "", "resourceName": "", "searchKey": "provider", @@ -27,7 +27,7 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yml", + "filename": "positive2.yml", "resourceType": "", "resourceName": "", "searchKey": "provider", diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 1f051c636ea..4d4c4c1c69e 100644 --- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "filename": "positive2.yml", + "filename": "positive1.yml", "resourceType": "AWS::Lambda", "resourceName": "hello", - "searchKey": "functions[%!s(int=0)].hello", + "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'role' should be defined inside the function", "actualValue": "'role' is not defined" @@ -15,10 +15,10 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "filename": "positive1.yml", + "filename": "positive2.yml", "resourceType": "AWS::Lambda", "resourceName": "hello", - "searchKey": "functions.hello", + "searchKey": "functions[%!s(int=0)].hello", "searchValue": "", "expectedValue": "'role' should be defined inside the function", "actualValue": "'role' is not defined" diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 22676bb7d34..851ee62b37f 100644 --- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 8, - "filename": "positive2.yml", + "line": 14, + "filename": "positive1.yml", "resourceType": "AWS::Lambda", "resourceName": "hello", - "searchKey": "functions.hello", + "searchKey": "functions.hello.tracing", "searchValue": "", - "expectedValue": "'tracing' should be defined and set to Active", - "actualValue": "'tracing' is not defined" + "expectedValue": "'tracing' should be set to Active", + "actualValue": "'tracing' is not set to Active" }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", - "line": 14, - "filename": "positive1.yml", + "line": 8, + "filename": "positive2.yml", "resourceType": "AWS::Lambda", "resourceName": "hello", - "searchKey": "functions.hello.tracing", + "searchKey": "functions.hello", "searchValue": "", - "expectedValue": "'tracing' should be set to Active", - "actualValue": "'tracing' is not set to Active" + "expectedValue": "'tracing' should be defined and set to Active", + "actualValue": "'tracing' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index 8bbb6a774d4..3ea58369b43 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive9.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "event_rw", - "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw", + "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", "actualValue": "'event_rw' is not set to All" @@ -26,23 +26,23 @@ { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive8.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail9]", - "searchValue": "event_rw", - "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive2.tf", + "filename": "positive3.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", "actualValue": "'event_rw' is not set to All" @@ -51,10 +51,10 @@ "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", "actualValue": "'trail_region' is not set to All" @@ -62,35 +62,35 @@ { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive7.tf", + "line": 6, + "filename": "positive4.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail8]", - "searchValue": "trail_region", - "expectedValue": "'trail_region' should be set.", - "actualValue": "'trail_region' is not set." + "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive9.tf", + "line": 5, + "filename": "positive5.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "oss_bucket_name", - "expectedValue": "oss_bucket_name should be set.", - "actualValue": "oss_bucket_name is not set." + "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive3.tf", + "filename": "positive5.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", "actualValue": "'trail_region' is not set to All" @@ -122,49 +122,49 @@ { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive5.tf", + "line": 1, + "filename": "positive7.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", - "searchValue": "", - "expectedValue": "'event_rw' should be set to All", - "actualValue": "'event_rw' is not set to All" + "searchKey": "alicloud_actiontrail_trail[actiontrail8]", + "searchValue": "trail_region", + "expectedValue": "'trail_region' should be set.", + "actualValue": "'trail_region' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive5.tf", + "line": 1, + "filename": "positive8.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", - "searchValue": "", - "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "searchKey": "alicloud_actiontrail_trail[actiontrail9]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.tf", + "line": 1, + "filename": "positive9.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region", - "searchValue": "", - "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive4.tf", + "line": 1, + "filename": "positive9.tf", "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", - "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", - "searchValue": "", - "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": "oss_bucket_name is not set." } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index 68322637c34..f0742b89184 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "alicloud_oss_bucket", - "resourceName": "actiontrail4", - "searchKey": "alicloud_oss_bucket[actiontrail4].acl", + "resourceName": "actiontrail3", + "searchKey": "alicloud_oss_bucket[actiontrail3].acl", "searchValue": "", - "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private", - "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write" + "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read" }, { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "alicloud_oss_bucket", - "resourceName": "actiontrail3", - "searchKey": "alicloud_oss_bucket[actiontrail3].acl", + "resourceName": "actiontrail4", + "searchKey": "alicloud_oss_bucket[actiontrail4].acl", "searchValue": "", - "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private", - "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read" + "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json index d0a5f5803a7..310fc341a50 100644 --- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "alicloud_api_gateway_api", "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", @@ -14,7 +14,7 @@ { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", - "line": 21, + "line": 14, "filename": "positive2.tf", "resourceType": "alicloud_api_gateway_api", "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", @@ -26,8 +26,8 @@ { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", + "line": 21, + "filename": "positive2.tf", "resourceType": "alicloud_api_gateway_api", "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json index 1673793419c..362679cc85e 100644 --- a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 5, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "alicloud_kms_key", "resourceName": "key", - "searchKey": "alicloud_kms_key[key].is_enabled", + "searchKey": "alicloud_kms_key[key]", "searchValue": "", "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", - "actualValue": "alicloud_kms_key[key].is_enabled is set to false" + "actualValue": "alicloud_kms_key[key].is_enabled is not set" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 5, + "filename": "positive2.tf", "resourceType": "alicloud_kms_key", "resourceName": "key", - "searchKey": "alicloud_kms_key[key]", + "searchKey": "alicloud_kms_key[key].is_enabled", "searchValue": "", "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", - "actualValue": "alicloud_kms_key[key].is_enabled is not set" + "actualValue": "alicloud_kms_key[key].is_enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json index 276e9254d31..c908c4bb41a 100644 --- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default2]", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block." + }, { "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default4] to have a 'management' block containing 'auto_repair' set to true.", "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' " - }, - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "alicloud_cs_kubernetes_node_pool", - "resourceName": "${var.name}", - "searchKey": "alicloud_cs_kubernetes_node_pool[default2]", - "searchValue": "", - "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.", - "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block." } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json index 641313346ca..a8338602b1e 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "High KMS Key Rotation Period", - "severity": "MEDIUM", - "line": 6, - "filename": "positive2.tf", - "resourceType": "alicloud_kms_key", - "resourceName": "keypos1", - "searchKey": "alicloud_kms_key[keypos1].rotation_interval", - "searchValue": "", - "expectedValue": "'rotation_interval' value should not be higher than a year", - "actualValue": "'rotation_interval' value is higher than a year" - }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", @@ -26,14 +14,14 @@ { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 1, - "filename": "positive4.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "alicloud_kms_key", "resourceName": "keypos1", "searchKey": "alicloud_kms_key[keypos1].rotation_interval", "searchValue": "", - "expectedValue": "'automatic_rotation' should be defined and set to Enabled", - "actualValue": "'automatic_rotation' is not defined" + "expectedValue": "'rotation_interval' value should not be higher than a year", + "actualValue": "'rotation_interval' value is higher than a year" }, { "queryName": "High KMS Key Rotation Period", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'rotation_interval' value should not be higher than a year", "actualValue": "'rotation_interval' value is higher than a year" + }, + { + "queryName": "High KMS Key Rotation Period", + "severity": "MEDIUM", + "line": 1, + "filename": "positive4.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'automatic_rotation' should be defined and set to Enabled", + "actualValue": "'automatic_rotation' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index db4f4582fbf..e3f368f397d 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", - "severity": "LOW", - "line": 15, - "filename": "positive3.tf", - "resourceType": "alicloud_cs_kubernetes", - "resourceName": "positive3", - "searchKey": "alicloud_cs_kubernetes[positive3]", - "searchValue": "terway-eniip", - "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip", - "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip" - }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", @@ -46,5 +34,17 @@ "searchValue": "pod_vswitch_ids", "expectedValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids should be defined and not null", "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null" + }, + { + "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", + "severity": "LOW", + "line": 15, + "filename": "positive3.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive3", + "searchKey": "alicloud_cs_kubernetes[positive3]", + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json index 23e72f96df6..732c22b5263 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", - "line": 8, - "filename": "positive2.tf", + "line": 36, + "filename": "positive1.tf", "resourceType": "alicloud_launch_template", "resourceName": "tf-test-template", - "searchKey": "alicloud_launch_template[templatepos2]", + "searchKey": "alicloud_launch_template[templatepos1].encrypted", "searchValue": "", - "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true", - "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined" + "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true", + "actualValue": "alicloud_launch_template[templatepos1].encrypted is false" }, { "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", - "line": 36, - "filename": "positive1.tf", + "line": 8, + "filename": "positive2.tf", "resourceType": "alicloud_launch_template", "resourceName": "tf-test-template", - "searchKey": "alicloud_launch_template[templatepos1].encrypted", + "searchKey": "alicloud_launch_template[templatepos2]", "searchValue": "", - "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true", - "actualValue": "alicloud_launch_template[templatepos1].encrypted is false" + "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true", + "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json index 2acbe514a03..b5d4dd785a2 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "NAS File System Not Encrypted", - "severity": "HIGH", - "line": 1, - "filename": "positive2.tf", - "resourceType": "alicloud_nas_file_system", - "resourceName": "foopos2", - "searchKey": "alicloud_nas_file_system[foopos2]", - "searchValue": "", - "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ", - "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined" - }, { "queryName": "NAS File System Not Encrypted", "severity": "HIGH", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "alicloud_nas_file_system[foopos].encrypt_type' should not be 0", "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0" + }, + { + "queryName": "NAS File System Not Encrypted", + "severity": "HIGH", + "line": 1, + "filename": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foopos2", + "searchKey": "alicloud_nas_file_system[foopos2]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ", + "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json index 6482da156a7..d8b46f0c41b 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "NAS File System Without KMS", - "severity": "HIGH", - "line": 5, - "filename": "positive2.tf", - "resourceType": "alicloud_nas_file_system", - "resourceName": "fooabr", - "searchKey": "alicloud_nas_file_system[fooabr]", - "searchValue": "", - "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'", - "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 " - }, { "queryName": "NAS File System Without KMS", "severity": "HIGH", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "alicloud_nas_file_system[foo].encrypt_type' should be defined and set to 2'", "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined" + }, + { + "queryName": "NAS File System Without KMS", + "severity": "HIGH", + "line": 5, + "filename": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "fooabr", + "searchKey": "alicloud_nas_file_system[fooabr]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'", + "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 " } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json index 250c9066cad..36614686c62 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json @@ -7,18 +7,18 @@ "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", "searchKey": "alicloud_ros_stack[pos]", - "searchValue": "stack_policy_during_update", - "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", - "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" + "searchValue": "stack_policy", + "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive.tf", "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", - "searchKey": "alicloud_ros_stack[pos2]", + "searchKey": "alicloud_ros_stack[pos]", "searchValue": "stack_policy_during_update", "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" @@ -27,22 +27,22 @@ "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", - "searchKey": "alicloud_ros_stack[pos3]", - "searchValue": "stack_policy", - "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", - "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" + "searchKey": "alicloud_ros_stack[pos2]", + "searchValue": "stack_policy_during_update", + "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "filename": "positive.tf", + "filename": "positive3.tf", "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", - "searchKey": "alicloud_ros_stack[pos]", + "searchKey": "alicloud_ros_stack[pos3]", "searchValue": "stack_policy", "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json index 2e9c81b48c5..ab679738ac0 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "OSS Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "alicloud_oss_bucket", "resourceName": "bucket-170309-versioning", - "searchKey": "alicloud_oss_bucket[bucket-versioning3]", + "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status", "searchValue": "", - "expectedValue": "'versioning.status' should be defined and set to enabled", - "actualValue": "'versioning' is missing" + "expectedValue": "'versioning.status' should be enabled", + "actualValue": "'versioning.status' is suspended" }, { "queryName": "OSS Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "alicloud_oss_bucket", "resourceName": "bucket-170309-versioning", - "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status", + "searchKey": "alicloud_oss_bucket[bucket-versioning3]", "searchValue": "", - "expectedValue": "'versioning.status' should be enabled", - "actualValue": "'versioning.status' is suspended" + "expectedValue": "'versioning.status' should be defined and set to enabled", + "actualValue": "'versioning' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json index 3a487f3f830..82e36c0a722 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json @@ -3,36 +3,36 @@ "queryName": "Public Security Group Rule All Ports or Protocols", "severity": "HIGH", "line": 13, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "alicloud_security_group_rule", "resourceName": "allow_all_tcp", "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", - "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", - "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol" + "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all", + "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all" }, { "queryName": "Public Security Group Rule All Ports or Protocols", "severity": "HIGH", "line": 13, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "alicloud_security_group_rule", "resourceName": "allow_all_tcp", "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", - "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol" + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol" }, { "queryName": "Public Security Group Rule All Ports or Protocols", "severity": "HIGH", "line": 13, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "alicloud_security_group_rule", "resourceName": "allow_all_tcp", "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", - "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all", - "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all" + "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json index 9796f38ce48..6426a8ad7f2 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Public Security Group Rule Sensitive Port", - "severity": "HIGH", - "line": 10, - "filename": "positive3.tf", - "resourceType": "alicloud_security_group_rule", - "resourceName": "allow_all_tcp", - "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", - "searchValue": "445", - "expectedValue": "all:445 port should not be allowed", - "actualValue": "all:445 port is allowed" - }, { "queryName": "Public Security Group Rule Sensitive Port", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "4333", "expectedValue": "udp:4333 port should not be allowed", "actualValue": "udp:4333 port is allowed" + }, + { + "queryName": "Public Security Group Rule Sensitive Port", + "severity": "HIGH", + "line": 10, + "filename": "positive3.tf", + "resourceType": "alicloud_security_group_rule", + "resourceName": "allow_all_tcp", + "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", + "searchValue": "445", + "expectedValue": "all:445 port should not be allowed", + "actualValue": "all:445 port is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json index 8764b1ed27e..d87a3f6dc6c 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json @@ -2,37 +2,37 @@ { "queryName": "Ram Account Password Policy Max Password Age Unrecommended", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", + "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is higher than 90" + "actualValue": "'max_password_age' is not defined" }, { "queryName": "Ram Account Password Policy Max Password Age Unrecommended", "severity": "MEDIUM", "line": 8, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is equal to 0" + "actualValue": "'max_password_age' is higher than 90" }, { "queryName": "Ram Account Password Policy Max Password Age Unrecommended", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 8, + "filename": "positive3.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is not defined" + "actualValue": "'max_password_age' is equal to 0" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json index d12d0b2c3c3..7a89976c101 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Ram Account Password Policy Not Required Minimum Length", "severity": "LOW", - "line": 1, - "filename": "positive2.tf", + "line": 2, + "filename": "positive1.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length", "searchValue": "", - "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ", - "actualValue": "'minimum_password_length' is not defined" + "expectedValue": "'minimum_password_length' should be defined and set to 14 or above", + "actualValue": "'minimum_password_length' is lower than 14" }, { "queryName": "Ram Account Password Policy Not Required Minimum Length", "severity": "LOW", - "line": 2, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length", + "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", - "expectedValue": "'minimum_password_length' should be defined and set to 14 or above", - "actualValue": "'minimum_password_length' is lower than 14" + "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ", + "actualValue": "'minimum_password_length' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json index a591e517bc5..1bebe8d10f8 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "RAM Account Password Policy without Reuse Prevention", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention", + "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", - "expectedValue": "'password_reuse_prevention' should be equal or less 24", - "actualValue": "'password_reuse_prevention' is higher than 24" + "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24", + "actualValue": "'password_reuse_prevention' is not defined" }, { "queryName": "RAM Account Password Policy without Reuse Prevention", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 9, + "filename": "positive2.tf", "resourceType": "alicloud_ram_account_password_policy", "resourceName": "corporate", - "searchKey": "alicloud_ram_account_password_policy[corporate]", + "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention", "searchValue": "", - "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24", - "actualValue": "'password_reuse_prevention' is not defined" + "expectedValue": "'password_reuse_prevention' should be equal or less 24", + "actualValue": "'password_reuse_prevention' is higher than 24" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json index 59371022391..534e32eace8 100644 --- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "alicloud_ram_policy[policy4] should not give admin access to any user, group or role", "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access" }, - { - "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", - "severity": "MEDIUM", - "line": 49, - "filename": "positive3.tf", - "resourceType": "alicloud_ram_role_policy_attachment", - "resourceName": "attach", - "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name", - "searchValue": "", - "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role", - "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access" - }, { "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "alicloud_ram_policy[policy5] should not give admin access to any user, group or role", "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access" + }, + { + "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", + "severity": "MEDIUM", + "line": 49, + "filename": "positive3.tf", + "resourceType": "alicloud_ram_role_policy_attachment", + "resourceName": "attach", + "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name", + "searchValue": "", + "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role", + "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json index 325eb040490..22f0d1ff731 100644 --- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "RAM Security Preference Not Enforce MFA Login", - "severity": "LOW", - "line": 14, - "filename": "positive2.tf", - "resourceType": "alicloud_ram_security_preference", - "resourceName": "example2", - "searchKey": "alicloud_ram_security_preference[example2]", - "searchValue": "", - "expectedValue": "'enforce_mfa_for_login' should be set to true", - "actualValue": "'enforce_mfa_for_login' is set to 'false'" - }, { "queryName": "RAM Security Preference Not Enforce MFA Login", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'enforce_mfa_for_login' should be defined and set to true", "actualValue": "'enforce_mfa_for_login' is not defined" + }, + { + "queryName": "RAM Security Preference Not Enforce MFA Login", + "severity": "LOW", + "line": 14, + "filename": "positive2.tf", + "resourceType": "alicloud_ram_security_preference", + "resourceName": "example2", + "searchKey": "alicloud_ram_security_preference[example2]", + "searchValue": "", + "expectedValue": "'enforce_mfa_for_login' should be set to true", + "actualValue": "'enforce_mfa_for_login' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json index 28ff9bf2763..15026ea0250 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "RDS Instance Log Connections Disabled", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_connections' parameter is not defined" + }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'log_connections' parameter should be defined and value should be 'ON' in parameters array", "actualValue": "'log_connections' parameter is not defined in parameters array" - }, - { - "queryName": "RDS Instance Log Connections Disabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive1.tf", - "resourceType": "alicloud_db_instance", - "resourceName": "default", - "searchKey": "alicloud_db_instance[default].parameters", - "searchValue": "", - "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", - "actualValue": "'log_connections' parameter is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json index 08517d91a79..b3b6c0716ad 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "RDS Instance Log Disconnections Disabled", + "severity": "MEDIUM", + "line": 14, + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter value should be 'ON'", + "actualValue": "'log_disconnections' parameter value is 'OFF'" + }, { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array", "actualValue": "'log_disconnections' parameter is not defined in parametes array" - }, - { - "queryName": "RDS Instance Log Disconnections Disabled", - "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", - "resourceType": "alicloud_db_instance", - "resourceName": "default", - "searchKey": "alicloud_db_instance[default].parameters[2].value", - "searchValue": "", - "expectedValue": "'log_disconnections' parameter value should be 'ON'", - "actualValue": "'log_disconnections' parameter value is 'OFF'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json index 18b0198c38d..6a6d8b9e94b 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", + "line": 14, + "filename": "positive1.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default]]", + "searchKey": "alicloud_db_instance[default].parameters[2].value", "searchValue": "", - "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", - "actualValue": "'log_duration' parameter is not defined in parameters array" + "expectedValue": "'log_duration' parameter value should be 'ON'", + "actualValue": "'log_duration' parameter value is 'OFF'" }, { "queryName": "RDS Instance Log Duration Disabled", @@ -26,13 +26,13 @@ { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchKey": "alicloud_db_instance[default]]", "searchValue": "", - "expectedValue": "'log_duration' parameter value should be 'ON'", - "actualValue": "'log_duration' parameter value is 'OFF'" + "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_duration' parameter is not defined in parameters array" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 6105d98b089..97533308e12 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", "searchKey": "alicloud_db_instance[default]", @@ -15,19 +15,19 @@ "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", "searchKey": "alicloud_db_instance[default]", - "searchValue": "sql_collector_config_value", + "searchValue": "sql_collector_status", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is not defined" + "actualValue": "'sql_collector_status' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", "searchKey": "alicloud_db_instance[default]", @@ -38,37 +38,37 @@ { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default]", - "searchValue": "sql_collector_status", + "searchKey": "alicloud_db_instance[default].sql_collector_status", + "searchValue": "", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_status' is not defined" + "actualValue": "'sql_collector_status' is set to 'Disabled'" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 7, - "filename": "positive4.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default].sql_collector_config_value", - "searchValue": "", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is set to 30" + "actualValue": "'sql_collector_config_value' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", - "line": 6, - "filename": "positive2.tf", + "line": 7, + "filename": "positive4.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default].sql_collector_status", + "searchKey": "alicloud_db_instance[default].sql_collector_config_value", "searchValue": "", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_status' is set to 'Disabled'" + "actualValue": "'sql_collector_config_value' is set to 30" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json index e00fc22e8ef..03b969c0c2b 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default]", + "searchKey": "alicloud_db_instance[default].ssl_action", "searchValue": "", "expectedValue": "'ssl_action' value should be 'Open'", - "actualValue": "'ssl_action' is not defined" + "actualValue": "'ssl_action' value is 'Close'" }, { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default].ssl_action", + "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'ssl_action' value should be 'Open'", - "actualValue": "'ssl_action' value is 'Close'" + "actualValue": "'ssl_action' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json index d00c6d27e28..cc42667a8fb 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json @@ -26,25 +26,25 @@ { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", - "line": 1, - "filename": "positive4.tf", + "line": 6, + "filename": "positive3.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default]", + "searchKey": "alicloud_db_instance[default].tde_status", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' is not declared" + "actualValue": "'tde_status' value is set to 'Disabled'" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive3.tf", + "line": 1, + "filename": "positive4.tf", "resourceType": "alicloud_db_instance", "resourceName": "default", - "searchKey": "alicloud_db_instance[default].tde_status", + "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' value is set to 'Disabled'" + "actualValue": "'tde_status' is not declared" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json index 8fae52d0f45..4b27b4e1260 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 1, - "filename": "positive2.tf", + "line": 3, + "filename": "positive.tf", "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", "searchKey": "alicloud_ros_stack[example]", "searchValue": "", - "expectedValue": "stack 'notification_urls' should be defined", - "actualValue": "stack 'notification_urls' is not defined" + "expectedValue": "stack 'notification_urls' should have urls", + "actualValue": "stack 'notification_urls' is empty" }, { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 3, - "filename": "positive.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "alicloud_ros_stack", "resourceName": "tf-testaccstack", "searchKey": "alicloud_ros_stack[example]", "searchValue": "", - "expectedValue": "stack 'notification_urls' should have urls", - "actualValue": "stack 'notification_urls' is empty" + "expectedValue": "stack 'notification_urls' should be defined", + "actualValue": "stack 'notification_urls' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json index 03d7fffd678..0c22d0d8580 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 6, + "filename": "positive.tf", "resourceType": "alicloud_ros_stack_instance", "resourceName": "example", - "searchKey": "alicloud_ros_stack_instance[example]", + "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", "searchValue": "", - "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", - "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined" + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false" }, { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "alicloud_ros_stack_instance", "resourceName": "example", - "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", + "searchKey": "alicloud_ros_stack_instance[example]", "searchValue": "", - "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", - "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false" + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json index 2838e914784..28d2004fcd4 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json @@ -1,16 +1,40 @@ [ + { + "queryName": "ALB Deletion Protection Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive1].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false" + }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[alb]", + "filename": "positive2.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive2]", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be defined and set to true", "actualValue": "'enable_deletion_protection' is undefined or null" }, + { + "queryName": "ALB Deletion Protection Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive3].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false" + }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", @@ -35,40 +59,16 @@ "expectedValue": "'enable_deletion_protection' should be set to true", "actualValue": "'enable_deletion_protection' is set to false" }, - { - "queryName": "ALB Deletion Protection Disabled", - "severity": "MEDIUM", - "line": 7, - "filename": "positive1.tf", - "resourceType": "aws_alb", - "resourceName": "test-lb-tf", - "searchKey": "aws_alb[positive1].enable_deletion_protection", - "searchValue": "", - "expectedValue": "'enable_deletion_protection' should be set to true", - "actualValue": "'enable_deletion_protection' is set to false" - }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", - "resourceType": "aws_alb", - "resourceName": "test-lb-tf", - "searchKey": "aws_alb[positive2]", + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be defined and set to true", "actualValue": "'enable_deletion_protection' is undefined or null" - }, - { - "queryName": "ALB Deletion Protection Disabled", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.tf", - "resourceType": "aws_lb", - "resourceName": "test-lb-tf", - "searchKey": "aws_lb[positive3].enable_deletion_protection", - "searchValue": "", - "expectedValue": "'enable_deletion_protection' should be set to true", - "actualValue": "'enable_deletion_protection' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json index 4a624e402b4..7622c12ba71 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json @@ -2,62 +2,50 @@ { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.tf", - "resourceType": "aws_lb", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_alb", "resourceName": "alb", - "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchKey": "aws_alb[{{disabled_1}}]", "searchValue": "", - "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf", - "resourceType": "aws_lb", + "filename": "positive1.tf", + "resourceType": "aws_alb", "resourceName": "alb", - "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", - "searchValue": "", - "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" - }, - { - "queryName": "ALB Not Dropping Invalid Headers", - "severity": "MEDIUM", - "line": 1, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[alb]", + "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", - "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is missing" + "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_alb", + "filename": "positive2.tf", + "resourceType": "aws_lb", "resourceName": "alb", - "searchKey": "aws_alb[{{disabled_1}}]", + "searchKey": "aws_lb[{{disabled_1}}]", "searchValue": "", - "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" + "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 1, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[alb]", + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", - "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is missing" + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -74,37 +62,49 @@ { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 12, + "filename": "positive3.tf", "resourceType": "aws_lb", "resourceName": "alb", - "searchKey": "aws_lb[{{disabled_1}}]", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", - "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing" + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", - "resourceType": "aws_alb", - "resourceName": "alb", - "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", + "line": 8, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].drop_invalid_header_fields", "searchValue": "", - "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false" + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is set to false" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.tf", + "line": 1, + "filename": "positive5.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[alb].drop_invalid_header_fields", + "searchKey": "module[alb]", "searchValue": "", "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is set to false" + "actualValue": "module[alb].drop_invalid_header_fields is missing" + }, + { + "queryName": "ALB Not Dropping Invalid Headers", + "severity": "MEDIUM", + "line": 1, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json index a8e1aea64c9..0168cfa6a6c 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 25, + "line": 7, "filename": "positive.tf", "resourceType": "aws_ami", "resourceName": "terraform-example", - "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", + "searchKey": "aws_ami[positive1].ebs_block_device", "searchValue": "", "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", - "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'" + "actualValue": "'rule.ebs_block_device' is undefined" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 7, + "line": 25, "filename": "positive.tf", "resourceType": "aws_ami", "resourceName": "terraform-example", - "searchKey": "aws_ami[positive1].ebs_block_device", + "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", "searchValue": "", "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", - "actualValue": "'rule.ebs_block_device' is undefined" + "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'" }, { "queryName": "AMI Not Encrypted", diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 913b498c1c7..80290297fe8 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -1,4 +1,40 @@ [ + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive10", + "searchKey": "aws_api_gateway_stage[positive10]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 15, + "filename": "positive1.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive11", + "searchKey": "aws_apigatewayv2_stage[positive11]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 15, + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive20", + "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null" + }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", @@ -14,26 +50,14 @@ { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf", + "line": 14, + "filename": "positive3.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive40", - "searchKey": "aws_api_gateway_method_settings[allpositive4]", + "resourceName": "positive30", + "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", "searchValue": "", - "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null" - }, - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 15, - "filename": "positive4.tf", - "resourceType": "aws_apigatewayv2_stage", - "resourceName": "positive41", - "searchKey": "aws_apigatewayv2_stage[positive41]", - "searchValue": "default_route_settings", - "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", - "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null" + "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", @@ -50,14 +74,26 @@ { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive6.tf", + "line": 10, + "filename": "positive4.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive60", - "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", + "resourceName": "positive40", + "searchKey": "aws_api_gateway_method_settings[allpositive4]", "searchValue": "", - "expectedValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null" + "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 15, + "filename": "positive4.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive41", + "searchKey": "aws_apigatewayv2_stage[positive41]", + "searchValue": "default_route_settings", + "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", @@ -74,50 +110,26 @@ { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_api_gateway_stage", - "resourceName": "positive10", - "searchKey": "aws_api_gateway_stage[positive10]", - "searchValue": "access_log_settings", - "expectedValue": "'access_log_settings' should be defined", - "actualValue": "'access_log_settings' is not defined" - }, - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 15, - "filename": "positive1.tf", + "line": 28, + "filename": "positive5.tf", "resourceType": "aws_apigatewayv2_stage", - "resourceName": "positive11", - "searchKey": "aws_apigatewayv2_stage[positive11]", - "searchValue": "access_log_settings", - "expectedValue": "'access_log_settings' should be defined", - "actualValue": "'access_log_settings' is not defined" - }, - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive7.tf", - "resourceType": "aws_api_gateway_stage", - "resourceName": "positive70", - "searchKey": "aws_api_gateway_stage[positive70]", - "searchValue": "aws_api_gateway_method_settings", - "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", - "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null" + "resourceName": "positive51", + "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", + "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf", + "filename": "positive6.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive30", - "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", + "resourceName": "positive60", + "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", "searchValue": "", - "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null" + "expectedValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null" }, { "queryName": "API Gateway Access Logging Disabled", @@ -134,25 +146,13 @@ { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", - "line": 28, - "filename": "positive5.tf", - "resourceType": "aws_apigatewayv2_stage", - "resourceName": "positive51", - "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", - "searchValue": "", - "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", - "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF" - }, - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 15, - "filename": "positive2.tf", + "line": 1, + "filename": "positive7.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive20", - "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", - "searchValue": "", - "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null" + "resourceName": "positive70", + "searchKey": "aws_api_gateway_stage[positive70]", + "searchValue": "aws_api_gateway_method_settings", + "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", + "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index ff651b3358c..eda78f06cce 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "aws_api_gateway_deployment", - "resourceName": "example4", - "searchKey": "aws_api_gateway_deployment[example4]", + "resourceName": "examplee", + "searchKey": "aws_api_gateway_deployment[examplee]", "searchValue": "", - "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", - "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined" + "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -27,12 +27,12 @@ "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_api_gateway_deployment", - "resourceName": "examplee", - "searchKey": "aws_api_gateway_deployment[examplee]", + "resourceName": "example4", + "searchKey": "aws_api_gateway_deployment[example4]", "searchValue": "", - "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", - "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" + "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", + "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index bea16938911..ea26a071f69 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_deployment[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." - }, - { - "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_api_gateway_deployment", - "resourceName": "positive1", - "searchKey": "aws_api_gateway_deployment[positive1]", - "searchValue": "", - "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index f9668ec9804..4bd724621fd 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 13, + "line": 1, "filename": "positive.tf", "resourceType": "aws_api_gateway_method", - "resourceName": "positive2", - "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", + "resourceName": "positive1", + "searchKey": "resource.aws_api_gateway_method[positive1]", "searchValue": "", - "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", - "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'" + "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", + "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", - "line": 1, + "line": 13, "filename": "positive.tf", "resourceType": "aws_api_gateway_method", - "resourceName": "positive1", - "searchKey": "resource.aws_api_gateway_method[positive1]", + "resourceName": "positive2", + "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", "searchValue": "", - "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", - "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined" + "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", + "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index d0cc2fc246d..b3e6d0170cc 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf", + "line": 14, + "filename": "positive1.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive4", - "searchKey": "aws_api_gateway_stage[positive4]", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", "searchValue": "", - "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", - "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention" + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive3", - "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", "searchValue": "", - "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", - "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" + "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", + "line": 9, + "filename": "positive3.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive1", - "searchKey": "aws_api_gateway_stage[positive1]", + "resourceName": "positive3", + "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", "searchValue": "", - "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", - "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention" + "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", + "line": 5, + "filename": "positive4.tf", "resourceType": "aws_api_gateway_stage", - "resourceName": "positive2", - "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", + "resourceName": "positive4", + "searchKey": "aws_api_gateway_stage[positive4]", "searchValue": "", - "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", - "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json index 09a4ee40679..7b87ae0cfcc 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "API Gateway Without Security Policy", - "severity": "MEDIUM", - "line": 3, - "filename": "positive2.tf", - "resourceType": "aws_api_gateway_domain_name", - "resourceName": "example2", - "searchKey": "aws_api_gateway_domain_name[example2].security_policy", - "searchValue": "", - "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", - "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0" - }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example].security_policy should be set", "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined" + }, + { + "queryName": "API Gateway Without Security Policy", + "severity": "MEDIUM", + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example2", + "searchKey": "aws_api_gateway_domain_name[example2].security_policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", + "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json index 689e505bb7d..b978a4250aa 100644 --- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json @@ -2,37 +2,37 @@ { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 8, + "line": 1, "filename": "positive1.tf", "resourceType": "aws_athena_workgroup", "resourceName": "example", - "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", + "searchKey": "aws_athena_workgroup[{{example}}]", "searchValue": "", - "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing" + "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 21, + "line": 8, "filename": "positive1.tf", "resourceType": "aws_athena_workgroup", "resourceName": "example", - "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", + "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", "searchValue": "", - "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing" + "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", - "line": 1, + "line": 21, "filename": "positive1.tf", "resourceType": "aws_athena_workgroup", "resourceName": "example", - "searchKey": "aws_athena_workgroup[{{example}}]", + "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", "searchValue": "", - "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing" + "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json index b8ecc769598..18268fd0e76 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", - "line": 5, - "filename": "positive2.tf", + "line": 16, + "filename": "positive1.tf", "resourceType": "aws_rds_cluster", "resourceName": "my_cluster", - "searchKey": "aws_rds_cluster[{{my_cluster}}]", + "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", "searchValue": "", - "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", - "actualValue": "aws_rds_cluster.storage_encrypted is undefined" + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'" }, { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", - "line": 16, - "filename": "positive1.tf", + "line": 5, + "filename": "positive2.tf", "resourceType": "aws_rds_cluster", "resourceName": "my_cluster", - "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", + "searchKey": "aws_rds_cluster[{{my_cluster}}]", "searchValue": "", - "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", - "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'" + "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 7e7226db2e7..460e02125fb 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -3,37 +3,25 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf", - "resourceType": "aws_autoscaling_group", - "resourceName": "bar-", - "searchKey": "aws_autoscaling_group[foo]", - "searchValue": "", - "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" - }, - { - "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM", - "line": 1, - "filename": "positive5.tf", + "filename": "positive1.tf", "resourceType": "aws_autoscaling_group", - "resourceName": "bar-", - "searchKey": "aws_autoscaling_group[foo]", + "resourceName": "bar", + "searchKey": "aws_autoscaling_group[bar]", "searchValue": "", - "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" + "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 12, + "filename": "positive2.tf", "resourceType": "aws_autoscaling_group", - "resourceName": "bar", - "searchKey": "aws_autoscaling_group[bar]", + "resourceName": "positive2", + "searchKey": "aws_autoscaling_group[positive2].load_balancers", "searchValue": "", - "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined" + "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -62,13 +50,25 @@ { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf", + "line": 1, + "filename": "positive5.tf", "resourceType": "aws_autoscaling_group", - "resourceName": "positive2", - "searchKey": "aws_autoscaling_group[positive2].load_balancers", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", "searchValue": "", - "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty" + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" + }, + { + "queryName": "Auto Scaling Group With No Associated ELB", + "severity": "MEDIUM", + "line": 1, + "filename": "positive6.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index bbc4a955a35..c478399975a 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 11, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[db].auto_minor_version_upgrade", + "line": 13, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", "searchValue": "", "expectedValue": "'auto_minor_version_upgrade' should be set to true", "actualValue": "'auto_minor_version_upgrade' is set to false" @@ -14,11 +14,11 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 13, - "filename": "positive1.tf", - "resourceType": "aws_db_instance", - "resourceName": "mydb", - "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", + "line": 11, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].auto_minor_version_upgrade", "searchValue": "", "expectedValue": "'auto_minor_version_upgrade' should be set to true", "actualValue": "'auto_minor_version_upgrade' is set to false" diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json index 0343d474c7d..a16291f859d 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Autoscaling Groups Supply Tags", - "severity": "LOW", - "line": 1, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[asg]", - "searchValue": "", - "expectedValue": "'tags' should be defined and not null", - "actualValue": "'tags' is undefined or null" - }, { "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'tags' or 'tag' should be defined and not null", "actualValue": "'tags' and 'tag' are undefined or null" + }, + { + "queryName": "Autoscaling Groups Supply Tags", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg]", + "searchValue": "", + "expectedValue": "'tags' should be defined and not null", + "actualValue": "'tags' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json index 8f94d0f65e1..24abda55dd3 100644 --- a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 6, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_eip", - "resourceName": "web_eip", - "searchKey": "aws_eip[web_eip]", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", "actualValue": "EIP is missing domain field set to \"vpc\"" @@ -14,23 +14,23 @@ { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "filename": "positive6.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "aws_eip", - "resourceName": "ok_eip", - "searchKey": "aws_eip[ok_eip]", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "Vpc is not set to true" + "actualValue": "EIP is missing domain field set to \"vpc\"" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 6, - "filename": "positive9.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "aws_eip", - "resourceName": "web_eip", - "searchKey": "aws_eip[web_eip]", + "resourceName": "nat_eip", + "searchKey": "aws_eip[nat_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", "actualValue": "EIP is not attached" @@ -50,47 +50,47 @@ { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 5, + "filename": "positive5.tf", "resourceType": "aws_eip", - "resourceName": "ok_eip", - "searchKey": "aws_eip[ok_eip]", + "resourceName": "one", + "searchKey": "aws_eip[one]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is missing domain field set to \"vpc\"" + "actualValue": "EIP is not attached" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "filename": "positive8.tf", + "filename": "positive6.tf", "resourceType": "aws_eip", - "resourceName": "eip_example", - "searchKey": "aws_eip[eip_example]", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "Vpc is not set to true" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 5, - "filename": "positive5.tf", + "line": 1, + "filename": "positive7.tf", "resourceType": "aws_eip", - "resourceName": "one", - "searchKey": "aws_eip[one]", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "Domain is not set to \"vpc\"" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "filename": "positive3.tf", + "filename": "positive8.tf", "resourceType": "aws_eip", - "resourceName": "nat_eip", - "searchKey": "aws_eip[nat_eip]", + "resourceName": "eip_example", + "searchKey": "aws_eip[eip_example]", "searchValue": "", "expectedValue": "All EIPs should be attached", "actualValue": "EIP is not attached" @@ -98,13 +98,13 @@ { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", - "line": 1, - "filename": "positive7.tf", + "line": 6, + "filename": "positive9.tf", "resourceType": "aws_eip", - "resourceName": "ok_eip", - "searchKey": "aws_eip[ok_eip]", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "Domain is not set to \"vpc\"" + "actualValue": "EIP is not attached" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 27a7602d948..181570059ee 100644 --- a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -3,25 +3,37 @@ "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 11, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[asg].ebs_block_device.0.encrypted", + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "example1", + "searchKey": "aws_launch_configuration[example1].ebs_block_device", "searchValue": "", - "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set", + "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 29, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.0.ebs", + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "example2", + "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted", "searchValue": "", - "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true", + "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false" + }, + { + "queryName": "Block Device Is Not Encrypted", + "severity": "HIGH", + "line": 36, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "test-launch-config", + "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true", + "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", @@ -38,23 +50,23 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 36, - "filename": "positive1.tf", - "resourceType": "aws_launch_configuration", - "resourceName": "test-launch-config", - "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted", + "line": 16, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].root_block_device.0", "searchValue": "", - "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true", - "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false" + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 26, - "filename": "positive9.tf", + "line": 28, + "filename": "positive2.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive9-legacy].root_block_device.0", + "searchKey": "module[asg2].block_device_mappings.0.ebs", "searchValue": "", "expectedValue": "'encrypted' should be defined", "actualValue": "'encrypted' is undefined" @@ -62,23 +74,23 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 24, - "filename": "positive6.tf", - "resourceType": "aws_instance", - "resourceName": "web-app-instance", - "searchKey": "aws_instance[example2].ebs_block_device", + "line": 35, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg2].block_device_mappings.1.ebs", "searchValue": "", - "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set", - "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined" + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 18, - "filename": "positive4.tf", + "line": 11, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg].root_block_device.0.encrypted", + "searchKey": "module[asg].ebs_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", "actualValue": "'encrypted' is false" @@ -86,23 +98,23 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 7, - "filename": "positive5.tf", - "resourceType": "aws_instance", - "resourceName": "web-app-instance", - "searchKey": "aws_instance[example1].root_block_device.encrypted", + "line": 17, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].root_block_device.0", "searchValue": "", - "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true", - "actualValue": "aws_instance[example1].root_block_device.encrypted is false" + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 27, - "filename": "positive8.tf", + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive8-legacy].root_block_device.0.encrypted", + "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", "actualValue": "'encrypted' is false" @@ -110,35 +122,35 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 41, - "filename": "positive4.tf", + "line": 29, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted", + "searchKey": "module[asg2].block_device_mappings.0.ebs", "searchValue": "", - "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 31, - "filename": "positive5.tf", - "resourceType": "aws_instance", - "resourceName": "positive5", - "searchKey": "aws_instance[example2].ebs_block_device.encrypted", + "line": 7, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg].ebs_block_device.0", "searchValue": "", - "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true", - "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false" + "expectedValue": "'encrypted' should be defined", + "actualValue": "'encrypted' is undefined" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "filename": "positive8.tf", + "line": 18, + "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive8-aws6].root_block_device.encrypted", + "searchKey": "module[asg].root_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", "actualValue": "'encrypted' is false" @@ -146,26 +158,50 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 16, - "filename": "positive2.tf", + "line": 27, + "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg].root_block_device.0", + "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", "searchValue": "", - "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 9, - "filename": "positive9.tf", + "line": 41, + "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive9-aws6].root_block_device", + "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted", "searchValue": "", - "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" + }, + { + "queryName": "Block Device Is Not Encrypted", + "severity": "HIGH", + "line": 7, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "web-app-instance", + "searchKey": "aws_instance[example1].root_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true", + "actualValue": "aws_instance[example1].root_block_device.encrypted is false" + }, + { + "queryName": "Block Device Is Not Encrypted", + "severity": "HIGH", + "line": 31, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5", + "searchKey": "aws_instance[example2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true", + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false" }, { "queryName": "Block Device Is Not Encrypted", @@ -179,6 +215,18 @@ "expectedValue": "aws_instance[example1].root_block_device.encrypted should be set", "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined" }, + { + "queryName": "Block Device Is Not Encrypted", + "severity": "HIGH", + "line": 24, + "filename": "positive6.tf", + "resourceType": "aws_instance", + "resourceName": "web-app-instance", + "searchKey": "aws_instance[example2].ebs_block_device", + "searchValue": "", + "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set", + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined" + }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", @@ -206,23 +254,23 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 35, - "filename": "positive2.tf", + "line": 10, + "filename": "positive8.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.1.ebs", + "searchKey": "module[positive8-aws6].root_block_device.encrypted", "searchValue": "", - "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "expectedValue": "'encrypted' should be true", + "actualValue": "'encrypted' is false" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 27, - "filename": "positive4.tf", + "filename": "positive8.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", + "searchKey": "module[positive8-legacy].root_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", "actualValue": "'encrypted' is false" @@ -230,47 +278,11 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 17, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[asg].root_block_device.0", - "searchValue": "", - "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" - }, - { - "queryName": "Block Device Is Not Encrypted", - "severity": "HIGH", - "line": 28, - "filename": "positive1.tf", - "resourceType": "aws_launch_configuration", - "resourceName": "example2", - "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted", - "searchValue": "", - "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true", - "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false" - }, - { - "queryName": "Block Device Is Not Encrypted", - "severity": "HIGH", - "line": 11, - "filename": "positive1.tf", - "resourceType": "aws_launch_configuration", - "resourceName": "example1", - "searchKey": "aws_launch_configuration[example1].ebs_block_device", - "searchValue": "", - "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set", - "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined" - }, - { - "queryName": "Block Device Is Not Encrypted", - "severity": "HIGH", - "line": 28, - "filename": "positive2.tf", + "line": 9, + "filename": "positive9.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.0.ebs", + "searchKey": "module[positive9-aws6].root_block_device", "searchValue": "", "expectedValue": "'encrypted' should be defined", "actualValue": "'encrypted' is undefined" @@ -278,25 +290,13 @@ { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 7, - "filename": "positive4.tf", + "line": 26, + "filename": "positive9.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[asg].ebs_block_device.0", + "searchKey": "module[positive9-legacy].root_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", "actualValue": "'encrypted' is undefined" - }, - { - "queryName": "Block Device Is Not Encrypted", - "severity": "HIGH", - "line": 27, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", - "searchValue": "", - "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index 8cfe0569d03..acc5253dd4c 100644 --- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Certificate RSA Key Bytes Lower Than 256", - "severity": "MEDIUM", - "line": 3, - "filename": "positive2.tf", - "resourceType": "aws_iam_server_certificate", - "resourceName": "test_cert2", - "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body", - "searchValue": "", - "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", - "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" - }, { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" + }, + { + "queryName": "Certificate RSA Key Bytes Lower Than 256", + "severity": "MEDIUM", + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_iam_server_certificate", + "resourceName": "test_cert2", + "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body", + "searchValue": "", + "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 88aa044040f..6168a09cac1 100644 --- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 25, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_cloudfront_distribution", - "resourceName": "positive2", - "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1]", "searchValue": "", - "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", - "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016" + "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 23, - "filename": "positive4.tf", + "line": 25, + "filename": "positive2.tf", "resourceType": "aws_cloudfront_distribution", - "resourceName": "positive4", - "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version", "searchValue": "", - "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null", - "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null" + "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -38,13 +38,13 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 23, + "filename": "positive4.tf", "resourceType": "aws_cloudfront_distribution", - "resourceName": "positive1", - "searchKey": "resource.aws_cloudfront_distribution[positive1]", + "resourceName": "positive4", + "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate", "searchValue": "", - "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null", - "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null" + "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json index 5810fe2df83..7f2de5087a1 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", - "severity": "HIGH", - "line": 24, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].acl", - "searchValue": "", - "expectedValue": "module[s3_bucket] to not be publicly accessible", - "actualValue": "module[s3_bucket] is publicly accessible" - }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "module[s3_bucket] to not be publicly accessible", "actualValue": "module[s3_bucket] is publicly accessible" + }, + { + "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", + "severity": "HIGH", + "line": 24, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "module[s3_bucket] to not be publicly accessible", + "actualValue": "module[s3_bucket] is publicly accessible" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json index 1b834eaa2bf..0e972c5820a 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "aws_s3_bucket[foo] to have 'logging' defined", "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined" }, - { - "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", - "severity": "MEDIUM", - "line": 21, - "filename": "positive3.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-example-bucket", - "searchKey": "aws_s3_bucket[bb]", - "searchValue": "", - "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined", - "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined" - }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'logging' should be defined", "actualValue": "'logging' is undefined" + }, + { + "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", + "severity": "MEDIUM", + "line": 21, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-example-bucket", + "searchKey": "aws_s3_bucket[bb]", + "searchValue": "", + "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined", + "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index ab5752c9c51..0c235a74a72 100644 --- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "aws_cloudtrail[positive1].is_multi_region_trail should be defined and not null", "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null" }, - { - "queryName": "CloudTrail Multi Region Disabled", - "severity": "LOW", - "line": 5, - "filename": "positive3.tf", - "resourceType": "aws_cloudtrail", - "resourceName": "npositive_3", - "searchKey": "aws_cloudtrail[positive3].include_global_service_events", - "searchValue": "", - "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", - "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false" - }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "aws_cloudtrail[positive2].is_multi_region_trail should be set to true", "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false" + }, + { + "queryName": "CloudTrail Multi Region Disabled", + "severity": "LOW", + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_3", + "searchKey": "aws_cloudtrail[positive3].include_global_service_events", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", + "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 5409436d20a..ef1c25819ef 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_cloudtrail", "resourceName": "tf-trail-foobar", "searchKey": "aws_cloudtrail[positive1]", - "searchValue": "cloud_watch_logs_group_arn", - "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" + "searchValue": "cloud_watch_logs_role_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -19,8 +19,8 @@ "resourceType": "aws_cloudtrail", "resourceName": "tf-trail-foobar", "searchKey": "aws_cloudtrail[positive1]", - "searchValue": "cloud_watch_logs_role_arn", - "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" + "searchValue": "cloud_watch_logs_group_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json index 45231079711..adf34418527 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -39,7 +39,7 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json index ac029f2565d..a3cb30423c4 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json index 19b601944a7..eb1399be268 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index c83b148e562..9e8dcefaa53 100644 --- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 10, - "filename": "positive.tf", - "resourceType": "aws_route53_query_log", - "resourceName": "log_group_mismatch", - "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", - "searchValue": "", - "expectedValue": "'aws_route53_query_log' log group refers to the query log", - "actualValue": "'aws_route53_query_log' log group does not match with the log name" - }, { "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'aws_route53_query_log' should be set for respective 'aws_route53_zone'", "actualValue": "'aws_route53_query_log' is undefined" + }, + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_route53_query_log", + "resourceName": "log_group_mismatch", + "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' log group refers to the query log", + "actualValue": "'aws_route53_query_log' log group does not match with the log name" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json index c1d0797ca68..5e1fe0d5f11 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive4.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -39,7 +39,7 @@ "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive4.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json index fba844ce283..6780d7fe132 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json index 8b100393498..d2c1adc7dfc 100644 --- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json index 32b2ac78cab..9902443340a 100644 --- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -39,7 +39,7 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive4.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json index 288d51b51d5..36560263475 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json index 29daa1a4b97..1733d571d9e 100644 --- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 3, - "filename": "positive4.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "cis_s3_bucket_policy_change_metric_filter", - "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]", "searchValue": "", - "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 1, + "line": 3, "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "cis_s3_bucket_policy_change_metric_filter", - "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", - "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm" + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -39,7 +39,7 @@ "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "cis_s3_bucket_policy_change_metric_filter", "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", @@ -51,7 +51,7 @@ "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "filename": "positive2.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "cis_s3_bucket_policy_change_metric_filter", "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", @@ -62,11 +62,11 @@ { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 31, - "filename": "positive5.tf", + "line": 3, + "filename": "positive4.tf", "resourceType": "aws_cloudwatch_log_metric_filter", - "resourceName": "cis_no_mfa_console_signin_metric_filter", - "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" @@ -86,11 +86,11 @@ { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", - "line": 3, - "filename": "positive3.tf", + "line": 31, + "filename": "positive5.tf", "resourceType": "aws_cloudwatch_log_metric_filter", - "resourceName": "cis_s3_bucket_policy_change_metric_filter", - "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "resourceName": "cis_no_mfa_console_signin_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json index 3cdab796a70..854b6698f44 100644 --- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json index 8a16ec399c9..fbae50e7450 100644 --- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -39,7 +39,7 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json index 83e864459c8..c5cf5280637 100644 --- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -15,7 +15,7 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", @@ -27,7 +27,7 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_cloudwatch_log_metric_filter", "resourceName": "unknown", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json index 90fd3d10529..d3cbee653a8 100644 --- a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "CMK Rotation Disabled", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined" + }, + { + "queryName": "CMK Rotation Disabled", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive2].enable_key_rotation is false" + }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", @@ -23,18 +47,6 @@ "expectedValue": "aws_kms_key[positive4].enable_key_rotation should be set to true", "actualValue": "aws_kms_key[positive4].enable_key_rotation is false" }, - { - "queryName": "CMK Rotation Disabled", - "severity": "LOW", - "line": 1, - "filename": "positive2.tf", - "resourceType": "aws_kms_key", - "resourceName": "positive2", - "searchKey": "aws_kms_key[positive2]", - "searchValue": "", - "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive2].enable_key_rotation is false" - }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false", "actualValue": "aws_kms_key[positive5].enable_key_rotation is true" - }, - { - "queryName": "CMK Rotation Disabled", - "severity": "LOW", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_kms_key", - "resourceName": "positive1", - "searchKey": "aws_kms_key[positive1]", - "searchValue": "", - "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index a051efc8616..15fa3d8917f 100644 --- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 16, + "line": 1, "filename": "positive.tf", "resourceType": "aws_cognito_user_pool", - "resourceName": "positive2", - "searchKey": "aws_cognito_user_pool[positive2]", + "resourceName": "positive1", + "searchKey": "aws_cognito_user_pool[positive1]", "searchValue": "", - "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", - "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'" + "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", + "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 1, + "line": 16, "filename": "positive.tf", "resourceType": "aws_cognito_user_pool", - "resourceName": "positive1", - "searchKey": "aws_cognito_user_pool[positive1]", + "resourceName": "positive2", + "searchKey": "aws_cognito_user_pool[positive2]", "searchValue": "", - "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", - "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined" + "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", + "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'" }, { "queryName": "Cognito UserPool Without MFA", diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 75b84b80a6a..17f350ac225 100644 --- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 16, + "line": 4, "filename": "positive.tf", "resourceType": "aws_config_configuration_aggregator", "resourceName": "example", - "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", + "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", "searchValue": "", - "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", - "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false" + "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", - "line": 4, + "line": 16, "filename": "positive.tf", "resourceType": "aws_config_configuration_aggregator", "resourceName": "example", - "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", + "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", "searchValue": "", - "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", - "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined" + "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index 8cc81735d89..548a8e41dcc 100644 --- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_iam_role", "resourceName": "test_role", - "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchKey": "aws_iam_role[positive1].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", "actualValue": "'assume_role_policy' does not require external ID or MFA" @@ -15,10 +15,10 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_iam_role", "resourceName": "test_role", - "searchKey": "aws_iam_role[positive3].assume_role_policy", + "searchKey": "aws_iam_role[positive2].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", "actualValue": "'assume_role_policy' does not require external ID or MFA" @@ -27,10 +27,10 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_iam_role", "resourceName": "test_role", - "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchKey": "aws_iam_role[positive3].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", "actualValue": "'assume_role_policy' does not require external ID or MFA" diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index c7e30f7c680..164631f4afe 100644 --- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "DAX Cluster Not Encrypted", - "severity": "HIGH", - "line": 25, - "filename": "positive1.tf", - "resourceType": "aws_dax_cluster", - "resourceName": "bar_3", - "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", - "searchValue": "", - "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false" - }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing" + }, + { + "queryName": "DAX Cluster Not Encrypted", + "severity": "HIGH", + "line": 25, + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_3", + "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 77fe1a32cf2..730ab1dc0c1 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 1, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[db]", - "searchValue": "", - "expectedValue": "'storage_encrypted' should be set to true", - "actualValue": "'storage_encrypted' is undefined or null" - }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", @@ -35,6 +23,18 @@ "expectedValue": "'storage_encrypted' should be set to true", "actualValue": "'storage_encrypted' is undefined or null" }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null" + }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", diff --git a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json index bcb92c7fcef..157076b96c7 100644 --- a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Default VPC Exists", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "vpc.default_vpc_name", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_default_vpc", + "resourceName": "Default VPC", + "searchKey": "aws_default_vpc[positive1]", "searchValue": "", "expectedValue": "'aws_default_vpc' should not exist", "actualValue": "'aws_default_vpc' exists" @@ -14,11 +14,11 @@ { "queryName": "Default VPC Exists", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_default_vpc", - "resourceName": "Default VPC", - "searchKey": "aws_default_vpc[positive1]", + "line": 14, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.default_vpc_name", "searchValue": "", "expectedValue": "'aws_default_vpc' should not exist", "actualValue": "'aws_default_vpc' exists" diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json index 5d5546daed3..cc2027c46e7 100644 --- a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_docdb_cluster", - "resourceName": "positive3", - "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", + "resourceName": "positive1", + "searchKey": "aws_docdb_cluster[{{positive1}}]", "searchValue": "", - "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit" + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "aws_docdb_cluster", - "resourceName": "positive4", - "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", + "resourceName": "positive2", + "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive2.tf", + "filename": "positive3.tf", "resourceType": "aws_docdb_cluster", - "resourceName": "positive2", - "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", + "resourceName": "positive3", + "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 10, + "filename": "positive4.tf", "resourceType": "aws_docdb_cluster", - "resourceName": "positive1", - "searchKey": "aws_docdb_cluster[{{positive1}}]", + "resourceName": "positive4", + "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", "searchValue": "", - "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined" + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index 20f6697a608..ee1079103a0 100644 --- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 30, + "line": 1, "filename": "positive1.tf", "resourceType": "aws_dynamodb_table", "resourceName": "example", - "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", + "searchKey": "aws_dynamodb_table[{{example}}]", "searchValue": "", "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false" + "actualValue": "aws_dynamodb_table.server_side_encryption is missing" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", - "line": 1, + "line": 30, "filename": "positive1.tf", "resourceType": "aws_dynamodb_table", "resourceName": "example", - "searchKey": "aws_dynamodb_table[{{example}}]", + "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", "searchValue": "", "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dynamodb_table.server_side_encryption is missing" + "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index 229e2d1482e..6330405a3fe 100644 --- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 1, - "filename": "positive2.tf", + "line": 10, + "filename": "positive1.tf", "resourceType": "aws_dynamodb_table", "resourceName": "aws_dynamodb_table", - "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", "searchValue": "", - "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", - "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing" + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", + "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", - "line": 10, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "aws_dynamodb_table", "resourceName": "aws_dynamodb_table", - "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", "searchValue": "", - "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", - "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false" + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", + "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 451210d4427..d74f9744586 100644 --- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 1, - "filename": "positive2.tf", + "line": 4, + "filename": "positive1.tf", "resourceType": "aws_ebs_volume", "resourceName": "HelloWorld", - "searchKey": "aws_ebs_volume[positive2]", + "searchKey": "aws_ebs_volume[positive1].encrypted", "searchValue": "", - "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined", - "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined" + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'", + "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 4, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "aws_ebs_volume", "resourceName": "HelloWorld", - "searchKey": "aws_ebs_volume[positive1].encrypted", + "searchKey": "aws_ebs_volume[positive2]", "searchValue": "", - "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'", - "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'" + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined", + "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json index a5687b4cc2d..02df74e7e6d 100644 --- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "EBS Volume Snapshot Not Encrypted", - "severity": "HIGH", - "line": 10, - "filename": "positive2.tf", - "resourceType": "aws_ebs_snapshot", - "resourceName": "positive2", - "searchKey": "aws_ebs_snapshot[positive2]", - "searchValue": "", - "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set", - "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined" - }, { "queryName": "EBS Volume Snapshot Not Encrypted", "severity": "HIGH", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] should be true", "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false" + }, + { + "queryName": "EBS Volume Snapshot Not Encrypted", + "severity": "HIGH", + "line": 10, + "filename": "positive2.tf", + "resourceType": "aws_ebs_snapshot", + "resourceName": "positive2", + "searchKey": "aws_ebs_snapshot[positive2]", + "searchValue": "", + "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set", + "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index b724c7a5558..59f475155b7 100644 --- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -2,27 +2,15 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.web2", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be defined and not null", "actualValue": "'associate_public_ip_address' is undefined or null" }, - { - "queryName": "EC2 Instance Has Public IP", - "severity": "MEDIUM", - "line": 13, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance].associate_public_ip_address", - "searchValue": "", - "expectedValue": "'associate_public_ip_address' should be set to false", - "actualValue": "'associate_public_ip_address' is true" - }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", @@ -38,13 +26,25 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 17, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "HelloWorld", - "searchKey": "aws_instance.web2", + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be defined and not null", "actualValue": "'associate_public_ip_address' is undefined or null" + }, + { + "queryName": "EC2 Instance Has Public IP", + "severity": "MEDIUM", + "line": 13, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].associate_public_ip_address", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be set to false", + "actualValue": "'associate_public_ip_address' is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index a5313c4f01f..39207b68bf9 100644 --- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance].monitoring", + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.{{monitoring_positive1}}", "searchValue": "", - "expectedValue": "ec2_instance.'monitoring' should be set to true", - "actualValue": "ec2_instance.'monitoring' is set to false" + "expectedValue": "'monitoring' should be defined and not null", + "actualValue": "'monitoring' is undefined or null" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -38,14 +38,14 @@ { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "HelloWorld", - "searchKey": "aws_instance.{{monitoring_positive1}}", + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].monitoring", "searchValue": "", - "expectedValue": "'monitoring' should be defined and not null", - "actualValue": "'monitoring' is undefined or null" + "expectedValue": "ec2_instance.'monitoring' should be set to true", + "actualValue": "ec2_instance.'monitoring' is set to false" }, { "queryName": "EC2 Instance Monitoring Disabled", diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json index 572e2040761..799566a505a 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json @@ -2,50 +2,50 @@ { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "filename": "positive7.tf", + "line": 5, + "filename": "positive1.tf", "resourceType": "aws_instance", "resourceName": "test", - "searchKey": "aws_instance[positive7].provisioner", + "searchKey": "aws_instance[positive1]", "searchValue": "", - "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys", - "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions" + "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "filename": "positive9.tf", - "resourceType": "aws_instance", - "resourceName": "test", - "searchKey": "aws_instance[positive9].provisioner", + "line": 1, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", - "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys", - "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions" + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "filename": "positive3.tf", - "resourceType": "aws_instance", - "resourceName": "test", - "searchKey": "aws_instance[positive3]", + "line": 1, + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", - "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys" + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "filename": "positive8.tf", - "resourceType": "aws_instance", - "resourceName": "test", - "searchKey": "aws_instance[positive8].provisioner", + "line": 1, + "filename": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", - "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys", - "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions" + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", @@ -59,6 +59,18 @@ "expectedValue": "aws_instance[positive2] should be using iam_instance_profile to assign a role with permissions", "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys" }, + { + "queryName": "EC2 Instance Using API Keys", + "severity": "LOW", + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive3]", + "searchValue": "", + "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys" + }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", @@ -74,14 +86,14 @@ { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "filename": "positive10.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", + "line": 5, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive5]", "searchValue": "", - "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" + "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys" }, { "queryName": "EC2 Instance Using API Keys", @@ -98,49 +110,37 @@ { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "filename": "positive12.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", - "searchValue": "", - "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" - }, - { - "queryName": "EC2 Instance Using API Keys", - "severity": "LOW", - "line": 5, - "filename": "positive5.tf", + "line": 13, + "filename": "positive7.tf", "resourceType": "aws_instance", "resourceName": "test", - "searchKey": "aws_instance[positive5]", + "searchKey": "aws_instance[positive7].provisioner", "searchValue": "", - "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys" + "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "filename": "positive11.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", + "line": 13, + "filename": "positive8.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive8].provisioner", "searchValue": "", - "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" + "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys", + "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "filename": "positive1.tf", + "line": 13, + "filename": "positive9.tf", "resourceType": "aws_instance", "resourceName": "test", - "searchKey": "aws_instance[positive1]", + "searchKey": "aws_instance[positive9].provisioner", "searchValue": "", - "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys" + "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index feb8e425bce..b81a5174634 100644 --- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -2,27 +2,15 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 1, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", + "line": 17, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[{{web}}]", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", "actualValue": "'ebs_optimized' is undefined or null" }, - { - "queryName": "EC2 Not EBS Optimized", - "severity": "INFO", - "line": 9, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance].ebs_optimized", - "searchValue": "", - "expectedValue": "'ebs_optimized' should be set to true", - "actualValue": "'ebs_optimized' is set to false" - }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", @@ -38,13 +26,25 @@ { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", - "line": 17, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "HelloWorld", - "searchKey": "aws_instance[{{web}}]", + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", "actualValue": "'ebs_optimized' is undefined or null" + }, + { + "queryName": "EC2 Not EBS Optimized", + "severity": "INFO", + "line": 9, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].ebs_optimized", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json index 2a51cbcee2c..8919ccc3870 100644 --- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 18, + "line": 1, "filename": "positive.tf", "resourceType": "aws_ecr_repository", - "resourceName": "barX", - "searchKey": "aws_ecr_repository[fooX].encryption_configuration", + "resourceName": "bar", + "searchKey": "aws_ecr_repository[foo]", "searchValue": "", - "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN", - "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN" + "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN", + "actualValue": "'encryption_configuration' is undefined or null" }, { "queryName": "ECR Repository Not Encrypted With CMK", "severity": "LOW", - "line": 1, + "line": 18, "filename": "positive.tf", "resourceType": "aws_ecr_repository", - "resourceName": "bar", - "searchKey": "aws_ecr_repository[foo]", + "resourceName": "barX", + "searchKey": "aws_ecr_repository[fooX].encryption_configuration", "searchValue": "", - "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN", - "actualValue": "'encryption_configuration' is undefined or null" + "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN", + "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 036d18e16fa..325bc151ad3 100644 --- a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "ECS Services assigned with public IP address", - "severity": "MEDIUM", - "line": 17, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ecs].services.frontend.assign_public_ip", - "searchValue": "", - "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')", - "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true" - }, { "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' should be set to 'false'(default value is 'false')", "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true" + }, + { + "queryName": "ECS Services assigned with public IP address", + "severity": "MEDIUM", + "line": 17, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ecs].services.frontend.assign_public_ip", + "searchValue": "", + "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')", + "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json index d51fa40144a..eb1ff71faae 100644 --- a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 11, + "line": 1, "filename": "positive.tf", "resourceType": "aws_efs_file_system", "resourceName": "MyProduct", - "searchKey": "aws_efs_file_system[positive2].encrypted", + "searchKey": "aws_efs_file_system[positive1]", "searchValue": "", - "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true", - "actualValue": "aws_efs_file_system[positive2].encrypted' is false" + "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null", + "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 1, + "line": 11, "filename": "positive.tf", "resourceType": "aws_efs_file_system", "resourceName": "MyProduct", - "searchKey": "aws_efs_file_system[positive1]", + "searchKey": "aws_efs_file_system[positive2].encrypted", "searchValue": "", - "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null", - "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null" + "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true", + "actualValue": "aws_efs_file_system[positive2].encrypted' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index e11b5998df9..eec21cdaef0 100644 --- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", - "line": 11, - "filename": "positive2.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "aws_eks_cluster", "resourceName": "example", - "searchKey": "aws_eks_cluster[positive2].encryption_config.resources", + "searchKey": "aws_eks_cluster[positive1]", "searchValue": "", - "expectedValue": "'secrets' should be defined", - "actualValue": "'secrets' is undefined" + "expectedValue": "'encryption_config' should be defined and not null", + "actualValue": "'encryption_config' is undefined or null" }, { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "filename": "positive1.tf", + "line": 11, + "filename": "positive2.tf", "resourceType": "aws_eks_cluster", "resourceName": "example", - "searchKey": "aws_eks_cluster[positive1]", + "searchKey": "aws_eks_cluster[positive2].encryption_config.resources", "searchValue": "", - "expectedValue": "'encryption_config' should be defined and not null", - "actualValue": "'encryption_config' is undefined or null" + "expectedValue": "'secrets' should be defined", + "actualValue": "'secrets' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index b8e87933e8e..98b2d7f16ea 100644 --- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 12, + "line": 1, "filename": "positive.tf", "resourceType": "aws_elasticache_cluster", "resourceName": "cluster-example", - "searchKey": "aws_elasticache_cluster[positive2].az_mode", + "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", - "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster", - "actualValue": "'az_mode' is 'single-az'" + "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is undefined" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 1, + "line": 12, "filename": "positive.tf", "resourceType": "aws_elasticache_cluster", "resourceName": "cluster-example", - "searchKey": "aws_elasticache_cluster[positive1]", + "searchKey": "aws_elasticache_cluster[positive2].az_mode", "searchValue": "", - "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster", - "actualValue": "'az_mode' is undefined" + "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is 'single-az'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index 5d378fd4270..e72bae0eee2 100644 --- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 16, + "line": 1, "filename": "positive.tf", "resourceType": "aws_elasticache_cluster", "resourceName": "cluster", - "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit", + "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "'snapshot_retention_limit' should be higher than 0", - "actualValue": "'snapshot_retention_limit' is 0" + "actualValue": "'snapshot_retention_limit' is undefined" }, { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 1, + "line": 16, "filename": "positive.tf", "resourceType": "aws_elasticache_cluster", "resourceName": "cluster", - "searchKey": "aws_elasticache_cluster[positive1]", + "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit", "searchValue": "", "expectedValue": "'snapshot_retention_limit' should be higher than 0", - "actualValue": "'snapshot_retention_limit' is undefined" + "actualValue": "'snapshot_retention_limit' is 0" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json index 6344eca82b9..61e9da60835 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", - "line": 9, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_elasticache_replication_group", - "resourceName": "example2", - "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example]", "searchValue": "", "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", - "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true" + "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", - "line": 1, - "filename": "positive1.tf", + "line": 9, + "filename": "positive2.tf", "resourceType": "aws_elasticache_replication_group", - "resourceName": "example", - "searchKey": "aws_elasticache_replication_group[example]", + "resourceName": "example2", + "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled", "searchValue": "", "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", - "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined" + "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json index bda5f5fcd0a..850884bd04c 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_elasticache_replication_group", "resourceName": "example", - "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled", + "searchKey": "aws_elasticache_replication_group[example]", "searchValue": "", "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", - "actualValue": "The attribute 'transit_encryption_enabled' is not set to true" + "actualValue": "The attribute 'transit_encryption_enabled' is undefined" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 9, + "filename": "positive2.tf", "resourceType": "aws_elasticache_replication_group", "resourceName": "example", - "searchKey": "aws_elasticache_replication_group[example]", + "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled", "searchValue": "", "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", - "actualValue": "The attribute 'transit_encryption_enabled' is undefined" + "actualValue": "The attribute 'transit_encryption_enabled' is not set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json index d9d3a7e9703..e4019556d8c 100644 --- a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "ElastiCache Using Default Port", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster.port should be defined and not null", + "actualValue": "aws_elasticache_cluster.port is undefined or null" + }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "'port' should not be set to 11211", "actualValue": "'port' is set to 11211" - }, - { - "queryName": "ElastiCache Using Default Port", - "severity": "LOW", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_elasticache_cluster", - "resourceName": "cluster", - "searchKey": "aws_elasticache_cluster[positive1]", - "searchValue": "", - "expectedValue": "aws_elasticache_cluster.port should be defined and not null", - "actualValue": "aws_elasticache_cluster.port is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index 03f6691eac1..0803cf20dd2 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_elasticsearch_domain", "resourceName": "positive1", - "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled", + "searchKey": "aws_elasticsearch_domain[{{positive1}}]", "searchValue": "", "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", - "actualValue": "The attribute 'node_to_node_encryption' is not set to true" + "actualValue": "The attribute 'node_to_node_encryption' is undefined" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 14, + "filename": "positive2.tf", "resourceType": "aws_elasticsearch_domain", "resourceName": "positive1", - "searchKey": "aws_elasticsearch_domain[{{positive1}}]", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled", "searchValue": "", "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", - "actualValue": "The attribute 'node_to_node_encryption' is undefined" + "actualValue": "The attribute 'node_to_node_encryption' is not set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index 7757e53fdc1..c23737710af 100644 --- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Elasticsearch Log Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "aws_elasticsearch_domain", - "resourceName": "positive2", - "searchKey": "aws_elasticsearch_domain[{{positive2}}]", - "searchValue": "", - "expectedValue": "'log_publishing_options' should be defined and not null", - "actualValue": "'log_publishing_options' is undefined or null" - }, { "queryName": "Elasticsearch Log Disabled", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'log_publishing_options.enabled' should be true", "actualValue": "'log_publishing_options.enabled' is false" + }, + { + "queryName": "Elasticsearch Log Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive2", + "searchKey": "aws_elasticsearch_domain[{{positive2}}]", + "searchValue": "", + "expectedValue": "'log_publishing_options' should be defined and not null", + "actualValue": "'log_publishing_options' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json index 5942f88f1bd..d1a1d73ddcd 100644 --- a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "ELB Access Log Disabled", + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.tf", + "resourceType": "aws_elb", + "resourceName": "foobar-terraform-elb", + "searchKey": "aws_elb[{{postive1}}].access_logs.enabled", + "searchValue": "", + "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true", + "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false" + }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", @@ -23,18 +35,6 @@ "expectedValue": "'access_logs' should be defined and not null", "actualValue": "'access_logs' is undefined or null" }, - { - "queryName": "ELB Access Log Disabled", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.tf", - "resourceType": "aws_elb", - "resourceName": "foobar-terraform-elb", - "searchKey": "aws_elb[{{postive1}}].access_logs.enabled", - "searchValue": "", - "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true", - "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false" - }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json index c23197e54a8..74630d30609 100644 --- a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 41, + "line": 30, "filename": "positive.tf", "resourceType": "aws_load_balancer_policy", - "resourceName": "positive5", - "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", + "resourceName": "positive4", + "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name", "searchValue": "", - "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol", - "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol" + "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 30, + "line": 41, "filename": "positive.tf", "resourceType": "aws_load_balancer_policy", - "resourceName": "positive4", - "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name", + "resourceName": "positive5", + "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", "searchValue": "", - "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol", - "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol" + "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json index 38c6d921a9a..b3cdb52c7d8 100644 --- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "ELBv2 LB Access Log Disabled", - "severity": "MEDIUM", - "line": 11, - "filename": "positive5.tf", - "resourceType": "aws_alb", - "resourceName": "test-lb-tf", - "searchKey": "aws_alb[test].access_logs", - "searchValue": "", - "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs.enabled' is undefined" - }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", @@ -23,18 +11,6 @@ "expectedValue": "'access_logs.enabled' should be defined and set to true", "actualValue": "'access_logs.enabled' is not set to true" }, - { - "queryName": "ELBv2 LB Access Log Disabled", - "severity": "MEDIUM", - "line": 2, - "filename": "positive6.tf", - "resourceType": "aws_alb", - "resourceName": "test-lb-tf", - "searchKey": "aws_alb[test]", - "searchValue": "", - "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs' is undefined" - }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", "actualValue": "'access_logs.enabled' is not set to true" + }, + { + "queryName": "ELBv2 LB Access Log Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive5.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test].access_logs", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is undefined" + }, + { + "queryName": "ELBv2 LB Access Log Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive6.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test]", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json index c9082aef103..118e14c0095 100644 --- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "aws_globalaccelerator_accelerator", "resourceName": "Example", - "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled", + "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes", "searchValue": "", - "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true", - "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false" + "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null", + "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null" }, { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.tf", + "line": 7, + "filename": "positive3.tf", "resourceType": "aws_globalaccelerator_accelerator", "resourceName": "Example", - "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes", + "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled", "searchValue": "", - "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null", - "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null" + "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true", + "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json index 5ab0d7ab5ed..513ad7e1542 100644 --- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Glue Data Catalog Encryption Disabled", - "severity": "HIGH", - "line": 9, - "filename": "positive3.tf", - "resourceType": "aws_glue_data_catalog_encryption_settings", - "resourceName": "positive3", - "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode", - "searchValue": "", - "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", - "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'" - }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", @@ -23,18 +11,6 @@ "expectedValue": "'return_connection_password_encrypted' should be set to true", "actualValue": "'return_connection_password_encrypted' is not set to true" }, - { - "queryName": "Glue Data Catalog Encryption Disabled", - "severity": "HIGH", - "line": 8, - "filename": "positive4.tf", - "resourceType": "aws_glue_data_catalog_encryption_settings", - "resourceName": "positive4", - "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest", - "searchValue": "", - "expectedValue": "'sse_aws_kms_key_id' should be defined and not null", - "actualValue": "'sse_aws_kms_key_id' is undefined or null" - }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "'aws_kms_key_id' should be defined and not null", "actualValue": "'aws_kms_key_id' is undefined or null" + }, + { + "queryName": "Glue Data Catalog Encryption Disabled", + "severity": "HIGH", + "line": 9, + "filename": "positive3.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive3", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode", + "searchValue": "", + "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", + "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'" + }, + { + "queryName": "Glue Data Catalog Encryption Disabled", + "severity": "HIGH", + "line": 8, + "filename": "positive4.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive4", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest", + "searchValue": "", + "expectedValue": "'sse_aws_kms_key_id' should be defined and not null", + "actualValue": "'sse_aws_kms_key_id' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json index 1c02e67459b..9bf671512ce 100644 --- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Glue Security Configuration Encryption Disabled", - "severity": "HIGH", - "line": 10, - "filename": "positive3.tf", - "resourceType": "aws_glue_security_configuration", - "resourceName": "example", - "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption", - "searchValue": "", - "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' defined and not null", - "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null" - }, { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'", "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'" + }, + { + "queryName": "Glue Security Configuration Encryption Disabled", + "severity": "HIGH", + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption", + "searchValue": "", + "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' defined and not null", + "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json index 8c0374e7e53..a592a605291 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 5, - "filename": "positive2.tf", - "resourceType": "aws_instance", - "resourceName": "HelloWorld", - "searchKey": "aws_instance[positive1].user_data", + "line": 13, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].user_data", "searchValue": "", "expectedValue": "'user_data' shouldn't contain hardcoded access key", "actualValue": "'user_data' contains hardcoded access key" @@ -14,11 +14,11 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 13, - "filename": "positive1.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance].user_data", + "line": 5, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].user_data", "searchValue": "", "expectedValue": "'user_data' shouldn't contain hardcoded access key", "actualValue": "'user_data' contains hardcoded access key" diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index fd9566bb969..ed3fe6962a1 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 57, + "line": 36, "filename": "positive.tf", "resourceType": "aws_lambda_function", - "resourceName": "positive3", - "searchKey": "aws_lambda_function[positive3].environment.variables.foo", + "resourceName": "positive2", + "searchKey": "aws_lambda_function[positive2].environment.variables.foo", "searchValue": "", "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", "actualValue": "'environment.variables' contains AWS Access Key" @@ -14,11 +14,11 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 36, + "line": 57, "filename": "positive.tf", "resourceType": "aws_lambda_function", - "resourceName": "positive2", - "searchKey": "aws_lambda_function[positive2].environment.variables.foo", + "resourceName": "positive3", + "searchKey": "aws_lambda_function[positive3].environment.variables.foo", "searchValue": "", "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", "actualValue": "'environment.variables' contains AWS Access Key" diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index 133fc8b9075..d55e4892cae 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json @@ -2,62 +2,62 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2-1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 63, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 82, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 5, + "line": 60, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-1].ingress", + "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 60, + "line": 73, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", - "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", @@ -74,50 +74,50 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)" + "expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 30, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 96, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)" + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 101, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-7].ingress", + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)" + "expectedValue": "aws_security_group_rule[positive3-1] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", @@ -134,73 +134,73 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2-2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 26, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-2].ingress[1]", + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 39, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-3].ingress", + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 73, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-5].ingress", + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-1", - "searchKey": "aws_security_group_rule[positive3-1]", + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-1] should not open the HTTP port (80)", - "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 11, + "line": 96, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 8e53334bc5a..313ccf7f292 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json", + "line": 1, + "filename": "positive1.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "resource", @@ -14,8 +14,8 @@ { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 6, + "filename": "positive2.json", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "resource", diff --git a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index fa15635d98f..cbf99c5095f 100644 --- a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive6.tf", + "line": 10, + "filename": "positive1.tf", "resourceType": "aws_rds_cluster", - "resourceName": "positive6", - "searchKey": "aws_rds_cluster[positive6]", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive13.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[aurora_cluster]", + "filename": "positive10.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", "actualValue": "'iam_database_authentication_enabled' is undefined" @@ -26,20 +26,20 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive10.tf", - "resourceType": "aws_rds_cluster", - "resourceName": "example_postgres", - "searchKey": "aws_rds_cluster[example_postgres]", + "line": 10, + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive16.tf", + "filename": "positive12.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[aurora_cluster]", @@ -50,14 +50,14 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive15.tf", + "line": 1, + "filename": "positive13.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -75,7 +75,7 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "filename": "positive17.tf", + "filename": "positive15.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", @@ -87,10 +87,10 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive8.tf", - "resourceType": "aws_rds_cluster", - "resourceName": "example_postgres", - "searchKey": "aws_rds_cluster[example_postgres]", + "filename": "positive16.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", "actualValue": "'iam_database_authentication_enabled' is undefined" @@ -98,26 +98,26 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "aws_rds_cluster", - "resourceName": "positive2", - "searchKey": "aws_rds_cluster[positive2]", + "line": 10, + "filename": "positive17.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive11.tf", + "line": 1, + "filename": "positive18.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -135,7 +135,19 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive18.tf", + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive2", + "searchKey": "aws_rds_cluster[positive2]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive20.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[aurora_cluster]", @@ -146,14 +158,14 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "aws_rds_cluster", - "resourceName": "positive1", - "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -183,10 +195,10 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive20.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[aurora_cluster]", + "filename": "positive6.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive6", + "searchKey": "aws_rds_cluster[positive6]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", "actualValue": "'iam_database_authentication_enabled' is undefined" @@ -194,23 +206,23 @@ { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", + "line": 10, + "filename": "positive7.tf", "resourceType": "aws_rds_cluster", - "resourceName": "positive3", - "searchKey": "aws_rds_cluster[positive3]", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is defined to false" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive12.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[aurora_cluster]", + "filename": "positive8.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", "actualValue": "'iam_database_authentication_enabled' is undefined" @@ -226,17 +238,5 @@ "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", "actualValue": "'iam_database_authentication_enabled' is defined to false" - }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 10, - "filename": "positive7.tf", - "resourceType": "aws_rds_cluster", - "resourceName": "example_postgres", - "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", - "searchValue": "", - "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index 8466656a2df..bc2eac019ef 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 1, - "filename": "positive2_1.tf", + "line": 12, + "filename": "positive1.tf", "resourceType": "aws_iam_group", "resourceName": "test-group", "searchKey": "aws_iam_group[group2]", @@ -14,8 +14,8 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 5, - "filename": "positive2_1.tf", + "line": 33, + "filename": "positive1.tf", "resourceType": "aws_iam_group", "resourceName": "test-group", "searchKey": "aws_iam_group[group3]", @@ -26,8 +26,8 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 12, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2_1.tf", "resourceType": "aws_iam_group", "resourceName": "test-group", "searchKey": "aws_iam_group[group2]", @@ -38,8 +38,8 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "line": 33, - "filename": "positive1.tf", + "line": 5, + "filename": "positive2_1.tf", "resourceType": "aws_iam_group", "resourceName": "test-group", "searchKey": "aws_iam_group[group3]", diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json index c383e354881..923fea78263 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 10, + "line": 1, "filename": "positive.tf", "resourceType": "aws_iam_account_password_policy", - "resourceName": "positive2", - "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1]", "searchValue": "", "expectedValue": "'minimum_password_length' should be set and no less than 14", - "actualValue": "'minimum_password_length' is less than 14" + "actualValue": "'minimum_password_length' is undefined" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 1, + "line": 10, "filename": "positive.tf", "resourceType": "aws_iam_account_password_policy", - "resourceName": "positive1", - "searchKey": "aws_iam_account_password_policy[positive1]", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", "searchValue": "", "expectedValue": "'minimum_password_length' should be set and no less than 14", - "actualValue": "'minimum_password_length' is undefined" + "actualValue": "'minimum_password_length' is less than 14" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 5b70bc603d4..3b7bb1f8a31 100755 --- a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "IAM Policies Attached To User", + "severity": "MEDIUM", + "line": 18, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_attachment", + "resourceName": "excess_policy", + "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", + "searchValue": "", + "expectedValue": "'users' is redundant", + "actualValue": "'users' exists" + }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'user' is redundant", "actualValue": "'user' exists" - }, - { - "queryName": "IAM Policies Attached To User", - "severity": "MEDIUM", - "line": 18, - "filename": "positive1.tf", - "resourceType": "aws_iam_policy_attachment", - "resourceName": "excess_policy", - "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", - "searchValue": "", - "expectedValue": "'users' is redundant", - "actualValue": "'users' exists" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 9173cbe346f..a5cbd7f8543 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 4, - "filename": "positive4.tf", - "resourceType": "aws_iam_user_policy", - "resourceName": "test", - "searchKey": "aws_iam_user_policy[positive4-1].policy", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" @@ -14,14 +14,14 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 21, - "filename": "positive4.tf", - "resourceType": "aws_iam_user_policy", - "resourceName": "test", - "searchKey": "aws_iam_user_policy[positive4-2].policy", + "line": 20, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", "searchValue": "", - "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", @@ -74,11 +74,11 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 2, - "filename": "positive6.tf", - "resourceType": "aws_iam_policy", - "resourceName": "positive6-1", - "searchKey": "aws_iam_policy[positive6-1].policy", + "line": 4, + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" @@ -86,11 +86,11 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.tf", - "resourceType": "aws_iam_policy", - "resourceName": "positive6-2", - "searchKey": "aws_iam_policy[positive6-2].policy", + "line": 21, + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" @@ -98,11 +98,11 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_iam_role_policy", - "resourceName": "apigateway-cloudwatch-logging", - "searchKey": "aws_iam_role_policy[positive1].policy", + "line": 4, + "filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" @@ -110,23 +110,23 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 20, - "filename": "positive1.tf", - "resourceType": "aws_iam_policy_document", - "resourceName": "example", - "searchKey": "aws_iam_policy_document[example].statement", + "line": 21, + "filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-2].policy", "searchValue": "", - "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", - "actualValue": "'statement.actions' contains '*' or 'iam:*'" + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 4, - "filename": "positive5.tf", - "resourceType": "aws_iam_group_policy", - "resourceName": "my_developer_policy", - "searchKey": "aws_iam_group_policy[positive5-1].policy", + "line": 2, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-1", + "searchKey": "aws_iam_policy[positive6-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" @@ -134,11 +134,11 @@ { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", - "line": 21, - "filename": "positive5.tf", - "resourceType": "aws_iam_group_policy", - "resourceName": "my_developer_policy", - "searchKey": "aws_iam_group_policy[positive5-2].policy", + "line": 17, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-2", + "searchKey": "aws_iam_policy[positive6-2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index cf60684f787..188b3bfc6c8 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" + }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" + }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", @@ -11,6 +35,30 @@ "expectedValue": "'positive2.policy.Statement.Action[0]' shouldn't contain illegal actions", "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]" }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]" + }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]" + }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", @@ -35,54 +83,6 @@ "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]" }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 8, - "filename": "positive7.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "iam_policy.policy", - "searchValue": "secretsmanager:GetSecretValue", - "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" - }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 5, - "filename": "positive6.tf", - "resourceType": "aws_iam_policy_document", - "resourceName": "positive6", - "searchKey": "aws_iam_policy_document[positive6].statement.actions", - "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", - "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", - "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]" - }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_iam_policy", - "resourceName": "positive1_${var.environment}", - "searchKey": "aws_iam_policy[positive1].policy", - "searchValue": "secretsmanager:GetSecretValue", - "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" - }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_iam_policy", - "resourceName": "positive1_${var.environment}", - "searchKey": "aws_iam_policy[positive1].policy", - "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", - "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" - }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", @@ -107,6 +107,18 @@ "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" }, + { + "queryName": "IAM policy allows for data exfiltration", + "severity": "MEDIUM", + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6", + "searchKey": "aws_iam_policy_document[positive6].statement.actions", + "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", + "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]" + }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", @@ -134,25 +146,13 @@ { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 5, - "filename": "positive3.tf", - "resourceType": "aws_iam_group_policy", - "resourceName": "positive3_${var.environment}", - "searchKey": "aws_iam_group_policy[positive3].policy", - "searchValue": "*", - "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]" - }, - { - "queryName": "IAM policy allows for data exfiltration", - "severity": "MEDIUM", - "line": 5, - "filename": "positive3.tf", - "resourceType": "aws_iam_group_policy", - "resourceName": "positive3_${var.environment}", - "searchKey": "aws_iam_group_policy[positive3].policy", - "searchValue": "*", - "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]" + "line": 8, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "iam_policy.policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 356539aa701..ba1a9700051 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "IAM Policy Grants Full Permissions", + "severity": "HIGH", + "line": 20, + "filename": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" + }, + { + "queryName": "IAM Policy Grants Full Permissions", + "severity": "HIGH", + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "s3-permission", + "searchKey": "aws_iam_policy[s3-permission].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" + }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", @@ -34,29 +58,5 @@ "searchValue": "", "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", "actualValue": "'statement.resources' and 'statement.actions' contain '*'" - }, - { - "queryName": "IAM Policy Grants Full Permissions", - "severity": "HIGH", - "line": 3, - "filename": "positive2.tf", - "resourceType": "aws_iam_policy", - "resourceName": "s3-permission", - "searchKey": "aws_iam_policy[s3-permission].policy", - "searchValue": "", - "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" - }, - { - "queryName": "IAM Policy Grants Full Permissions", - "severity": "HIGH", - "line": 20, - "filename": "positive1.tf", - "resourceType": "aws_iam_user_policy", - "resourceName": "excess_policy", - "searchKey": "aws_iam_user_policy[positive3].policy", - "searchValue": "", - "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 6eadd9b97f4..133c71feebe 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -2,14 +2,62 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 21, - "filename": "positive7.tf", + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_1", + "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_2", + "searchKey": "aws_launch_configuration[positive1_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_3", + "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive10.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive7_launch_config].metadata_options.http_tokens", + "searchKey": "module[positive10_instance].metadata_options", "searchValue": "", - "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -23,6 +71,30 @@ "expectedValue": "'aws_instance[positive2_1].metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'" }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_2", + "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_3", + "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'" + }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", @@ -35,6 +107,18 @@ "expectedValue": "'aws_instance[positive3_1].metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined" }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_2", + "searchKey": "aws_launch_configuration[positive3_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined" + }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", @@ -63,13 +147,25 @@ "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", "line": 10, - "filename": "positive1.tf", + "filename": "positive4.tf", "resourceType": "aws_instance", - "resourceName": "positive1_1", - "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", + "resourceName": "positive4_2", + "searchKey": "aws_launch_configuration[positive4_2]", "searchValue": "", - "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_3", + "searchKey": "aws_launch_template[positive4_3]", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -95,54 +191,6 @@ "expectedValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined" }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "filename": "positive2.tf", - "resourceType": "aws_instance", - "resourceName": "positive2_2", - "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "filename": "positive2.tf", - "resourceType": "aws_instance", - "resourceName": "positive2_3", - "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "filename": "positive4.tf", - "resourceType": "aws_instance", - "resourceName": "positive4_3", - "searchKey": "aws_launch_template[positive4_3]", - "searchValue": "", - "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 28, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "positive1_3", - "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'" - }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", @@ -158,98 +206,62 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 5, - "filename": "positive9.tf", + "line": 10, + "filename": "positive6.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive9_instance]", + "searchKey": "module[positive6_instance].metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'module[positive9_instance].metadata_options' is not defined" + "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 13, - "filename": "positive9.tf", + "line": 19, + "filename": "positive6.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive9_launch_config]", + "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'module[positive9_launch_config].metadata_options' is not defined" + "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 9, - "filename": "positive8.tf", + "line": 11, + "filename": "positive7.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive8_instance].metadata_options", - "searchValue": "", - "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "positive1_2", - "searchKey": "aws_launch_configuration[positive1_2].metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "filename": "positive3.tf", - "resourceType": "aws_instance", - "resourceName": "positive3_2", - "searchKey": "aws_launch_configuration[positive3_2].metadata_options", - "searchValue": "", - "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "filename": "positive4.tf", - "resourceType": "aws_instance", - "resourceName": "positive4_2", - "searchKey": "aws_launch_configuration[positive4_2]", + "searchKey": "module[positive7_instance].metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined" + "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 9, - "filename": "positive10.tf", + "line": 21, + "filename": "positive7.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive10_instance].metadata_options", + "searchKey": "module[positive7_launch_config].metadata_options.http_tokens", "searchValue": "", - "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined" + "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 18, - "filename": "positive10.tf", + "line": 9, + "filename": "positive8.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive10_launch_config].metadata_options", + "searchKey": "module[positive8_instance].metadata_options", "searchValue": "", - "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined" + "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -266,37 +278,25 @@ { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 10, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive6_instance].metadata_options.http_tokens", - "searchValue": "", - "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "filename": "positive7.tf", + "line": 5, + "filename": "positive9.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive7_instance].metadata_options.http_tokens", + "searchKey": "module[positive9_instance]", "searchValue": "", - "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_instance].metadata_options' is not defined" }, { "queryName": "Instance Uses Metadata Service IMDSv1", "severity": "LOW", - "line": 19, - "filename": "positive6.tf", + "line": 13, + "filename": "positive9.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", + "searchKey": "module[positive9_launch_config]", "searchValue": "", - "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'" + "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_launch_config].metadata_options' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json index 0c24669cbe7..7148f481e49 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_instance]", + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1", + "searchKey": "aws_instance[positive1]", "searchValue": "", "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" @@ -15,10 +15,10 @@ "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "positive1", - "searchKey": "aws_instance[positive1]", + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index fcc17eaa6a6..1ddedae021d 100644 --- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 34, + "line": 1, "filename": "positive.tf", "resourceType": "aws_kinesis_stream", "resourceName": "terraform-kinesis-test", - "searchKey": "aws_kinesis_stream[positive2].encryption_type", + "searchKey": "aws_kinesis_stream[positive1]", "searchValue": "", - "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE", - "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE" + "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set", + "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 1, + "line": 34, "filename": "positive.tf", "resourceType": "aws_kinesis_stream", "resourceName": "terraform-kinesis-test", - "searchKey": "aws_kinesis_stream[positive1]", + "searchKey": "aws_kinesis_stream[positive2].encryption_type", "searchValue": "", - "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set", - "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined" + "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE", + "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE" }, { "queryName": "Kinesis Not Encrypted With KMS", diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json index dbb7247473f..90e97ea4742 100644 --- a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 34, + "line": 12, "filename": "positive.tf", "resourceType": "aws_kinesis_firehose_delivery_stream", "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", - "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]", "searchValue": "", - "expectedValue": "Attribute 'key_type' should be valid", - "actualValue": "Attribute 'key_type' is invalid" + "expectedValue": "Attribute 'server_side_encryption' should be set", + "actualValue": "Attribute 'server_side_encryption' is undefined" }, { "queryName": "Kinesis SSE Not Configured", @@ -26,25 +26,25 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 42, + "line": 34, "filename": "positive.tf", "resourceType": "aws_kinesis_firehose_delivery_stream", "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", - "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type", "searchValue": "", - "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 'key_arn' should be set", - "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined" + "expectedValue": "Attribute 'key_type' should be valid", + "actualValue": "Attribute 'key_type' is invalid" }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 12, + "line": 42, "filename": "positive.tf", "resourceType": "aws_kinesis_firehose_delivery_stream", "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", - "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption", "searchValue": "", - "expectedValue": "Attribute 'server_side_encryption' should be set", - "actualValue": "Attribute 'server_side_encryption' is undefined" + "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 'key_arn' should be set", + "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 95674958bd7..6ad5b9e6a53 100644 --- a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_kms_key", "resourceName": "positive1", "searchKey": "aws_kms_key[positive1].policy", @@ -15,7 +15,7 @@ "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_kms_key", "resourceName": "positive1", "searchKey": "aws_kms_key[positive1].policy", diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json index 0f0ebf53919..a9f8e572bb1 100644 --- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 18, + "line": 1, "filename": "positive.tf", "resourceType": "aws_kms_key", - "resourceName": "positive2", - "searchKey": "aws_kms_key[positive2].deletion_window_in_days", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", "searchValue": "", - "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid", - "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid" + "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined" }, { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 1, + "line": 18, "filename": "positive.tf", "resourceType": "aws_kms_key", - "resourceName": "positive1", - "searchKey": "aws_kms_key[positive1]", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2].deletion_window_in_days", "searchValue": "", - "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid", - "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined" + "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index e491b6e7fa2..3f64e7b9f78 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json @@ -7,21 +7,21 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/positiveinlinepolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", - "line": 23, + "line": 4, "filename": "positive.tf", "resourceType": "aws_lambda_function", "resourceName": "lambda", - "searchKey": "aws_lambda_function[positivefunction2].role", - "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]", - "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions", - "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'." + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -31,9 +31,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/positiveinlinepolicy1/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -43,20 +43,20 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", + "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", - "line": 4, + "line": 23, "filename": "positive.tf", "resourceType": "aws_lambda_function", "resourceName": "lambda", - "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchKey": "aws_lambda_function[positivefunction2].role", + "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]", + "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions", + "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'." } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index f0f5a464aa7..67416c9f06b 100644 --- a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Lambda Function Without Dead Letter Queue", - "severity": "LOW", - "line": 26, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[lambda_with_incomplete_dlq].dead_letter_target_arn", - "searchValue": "", - "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty", - "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty" - }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not null", "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null" + }, + { + "queryName": "Lambda Function Without Dead Letter Queue", + "severity": "LOW", + "line": 26, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[lambda_with_incomplete_dlq].dead_letter_target_arn", + "searchValue": "", + "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty", + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json index 0edef940cbb..052b3c4eaf0 100644 --- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json @@ -2,50 +2,50 @@ { "queryName": "Lambda IAM InvokeFunction Misconfigured", "severity": "LOW", - "line": 5, - "filename": "positive4.tf", + "line": 8, + "filename": "positive1.tf", "resourceType": "aws_iam_policy", - "resourceName": "positive4policy", - "searchKey": "aws_iam_policy[positive4policy].policy", + "resourceName": "positive1policy", + "searchKey": "aws_iam_policy[positive1policy].policy", "searchValue": "", - "expectedValue": "[positive4policy].policy should be misconfigured", - "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "expectedValue": "[positive1policy].policy should be misconfigured", + "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", "severity": "LOW", "line": 8, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "aws_iam_policy", - "resourceName": "positive3policy", - "searchKey": "aws_iam_policy[positive3policy].policy", + "resourceName": "positive2policy", + "searchKey": "aws_iam_policy[positive2policy].policy", "searchValue": "", - "expectedValue": "[positive3policy].policy should be misconfigured", - "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "expectedValue": "[positive2policy].policy should be misconfigured", + "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", "severity": "LOW", "line": 8, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_iam_policy", - "resourceName": "positive1policy", - "searchKey": "aws_iam_policy[positive1policy].policy", + "resourceName": "positive3policy", + "searchKey": "aws_iam_policy[positive3policy].policy", "searchValue": "", - "expectedValue": "[positive1policy].policy should be misconfigured", - "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "expectedValue": "[positive3policy].policy should be misconfigured", + "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", "severity": "LOW", - "line": 8, - "filename": "positive6.tf", + "line": 5, + "filename": "positive4.tf", "resourceType": "aws_iam_policy", - "resourceName": "positive6policy", - "searchKey": "aws_iam_policy[positive6policy].policy", + "resourceName": "positive4policy", + "searchKey": "aws_iam_policy[positive4policy].policy", "searchValue": "", - "expectedValue": "[positive6policy].policy should be misconfigured", - "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "expectedValue": "[positive4policy].policy should be misconfigured", + "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -63,12 +63,12 @@ "queryName": "Lambda IAM InvokeFunction Misconfigured", "severity": "LOW", "line": 8, - "filename": "positive2.tf", + "filename": "positive6.tf", "resourceType": "aws_iam_policy", - "resourceName": "positive2policy", - "searchKey": "aws_iam_policy[positive2policy].policy", + "resourceName": "positive6policy", + "searchKey": "aws_iam_policy[positive6policy].policy", "searchValue": "", - "expectedValue": "[positive2policy].policy should be misconfigured", - "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "expectedValue": "[positive6policy].policy should be misconfigured", + "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 7a66766dc09..3e131a2ae03 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "aws_mq_broker", - "resourceName": "disabled-logging", - "searchKey": "aws_mq_broker[positive3].logs.general", + "resourceName": "no-logging", + "searchKey": "aws_mq_broker[positive1]", "searchValue": "", - "expectedValue": "'general' and 'audit' logging should be set to true", - "actualValue": "'general' is set to false" + "expectedValue": "'logs' should be set and enabling general AND audit logging", + "actualValue": "'logs' is undefined" }, { "queryName": "MQ Broker Logging Disabled", @@ -26,13 +26,13 @@ { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", - "line": 1, + "line": 17, "filename": "positive.tf", "resourceType": "aws_mq_broker", - "resourceName": "no-logging", - "searchKey": "aws_mq_broker[positive1]", + "resourceName": "disabled-logging", + "searchKey": "aws_mq_broker[positive3].logs.general", "searchValue": "", - "expectedValue": "'logs' should be set and enabling general AND audit logging", - "actualValue": "'logs' is undefined" + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index bdda2aac938..ffe11b747bc 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 37, + "line": 1, "filename": "positive.tf", "resourceType": "aws_msk_cluster", "resourceName": "example", - "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker", + "searchKey": "msk_cluster[positive1]", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" @@ -14,11 +14,11 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 1, + "line": 14, "filename": "positive.tf", "resourceType": "aws_msk_cluster", "resourceName": "example", - "searchKey": "msk_cluster[positive1]", + "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" @@ -26,11 +26,11 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14, + "line": 26, "filename": "positive.tf", "resourceType": "aws_msk_cluster", "resourceName": "example", - "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", + "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" @@ -38,11 +38,11 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 26, + "line": 37, "filename": "positive.tf", "resourceType": "aws_msk_cluster", "resourceName": "example", - "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", + "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 7cb2c5f3b86..2f55151a57e 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15, + "line": 8, "filename": "positive.tf", "resourceType": "aws_msk_cluster", - "resourceName": "positive2", - "searchKey": "aws_msk_cluster[positive2]", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", "searchValue": "", - "expectedValue": "'rule.logging_info' should exist", - "actualValue": "'rule.logging_info' does not exist" + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 8, + "line": 15, "filename": "positive.tf", "resourceType": "aws_msk_cluster", - "resourceName": "positive1", - "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", + "resourceName": "positive2", + "searchKey": "aws_msk_cluster[positive2]", "searchValue": "", - "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", - "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing" + "expectedValue": "'rule.logging_info' should exist", + "actualValue": "'rule.logging_info' does not exist" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index d41d1757e9c..2873cc599eb 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "aws_neptune_cluster", - "resourceName": "positive2", - "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is set to false" + "actualValue": "'iam_database_authentication_enabled' is undefined" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 1, + "line": 17, "filename": "positive.tf", "resourceType": "aws_neptune_cluster", - "resourceName": "positive1", - "searchKey": "aws_neptune_cluster[positive1]", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 582f60391a7..8280dba1df5 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 19, + "line": 1, "filename": "positive.tf", "resourceType": "aws_neptune_cluster", - "resourceName": "positive2", - "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", "searchValue": "", - "expectedValue": "'storage_encrypted' should be true", - "actualValue": "'storage_encrypted' is false" + "expectedValue": "'storage_encrypted' should be set with value true", + "actualValue": "'storage_encrypted' is undefined" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 1, + "line": 19, "filename": "positive.tf", "resourceType": "aws_neptune_cluster", - "resourceName": "positive1", - "searchKey": "aws_neptune_cluster[positive1]", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", "searchValue": "", - "expectedValue": "'storage_encrypted' should be set with value true", - "actualValue": "'storage_encrypted' is undefined" + "expectedValue": "'storage_encrypted' should be true", + "actualValue": "'storage_encrypted' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json index bc1ec12ac10..45a1be23cdd 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Neptune Logging Is Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive1", + "searchKey": "aws_neptune_cluster[{{postive1}}]", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined" + }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", @@ -15,7 +27,7 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "aws_neptune_cluster", "resourceName": "postive3", "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", @@ -27,24 +39,12 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "aws_neptune_cluster", "resourceName": "postive3", "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit" - }, - { - "queryName": "Neptune Logging Is Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_neptune_cluster", - "resourceName": "postive1", - "searchKey": "aws_neptune_cluster[{{postive1}}]", - "searchValue": "", - "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", - "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 9ebb51dc835..ec99799dc41 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", - "line": 14, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vpc].default_network_acl_ingress", + "line": 30, + "filename": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", "searchValue": "", - "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", - "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public" + "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public" }, { "queryName": "Network ACL With Unrestricted Access To RDP", @@ -23,18 +23,6 @@ "expectedValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) should not be public", "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public" }, - { - "queryName": "Network ACL With Unrestricted Access To RDP", - "severity": "HIGH", - "line": 30, - "filename": "positive1.tf", - "resourceType": "aws_network_acl", - "resourceName": "main", - "searchKey": "aws_network_acl[positive1].ingress", - "searchValue": "", - "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", - "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public" - }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", @@ -46,5 +34,17 @@ "searchValue": "", "expectedValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) should not be public", "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public" + }, + { + "queryName": "Network ACL With Unrestricted Access To RDP", + "severity": "HIGH", + "line": 14, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json index 925305264cd..f644ea9a2fd 100644 --- a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 16, + "line": 5, "filename": "positive.tf", "resourceType": "aws_iam_user_login_profile", - "resourceName": "positive3", - "searchKey": "aws_iam_user_login_profile[positive3].password_length", + "resourceName": "positive2", + "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", "searchValue": "", - "expectedValue": "Attribute 'password_length' should be 14 or greater", - "actualValue": "Attribute 'password_length' is smaller than 14" + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 23, + "line": 16, "filename": "positive.tf", "resourceType": "aws_iam_user_login_profile", - "resourceName": "positive6", - "searchKey": "aws_iam_user_login_profile[positive6].password_length", + "resourceName": "positive3", + "searchKey": "aws_iam_user_login_profile[positive3].password_length", "searchValue": "", "expectedValue": "Attribute 'password_length' should be 14 or greater", "actualValue": "Attribute 'password_length' is smaller than 14" @@ -26,11 +26,11 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 31, + "line": 23, "filename": "positive.tf", "resourceType": "aws_iam_user_login_profile", - "resourceName": "positive7", - "searchKey": "aws_iam_user_login_profile[positive7].password_length", + "resourceName": "positive6", + "searchKey": "aws_iam_user_login_profile[positive6].password_length", "searchValue": "", "expectedValue": "Attribute 'password_length' should be 14 or greater", "actualValue": "Attribute 'password_length' is smaller than 14" @@ -38,11 +38,11 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 5, + "line": 30, "filename": "positive.tf", "resourceType": "aws_iam_user_login_profile", - "resourceName": "positive2", - "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_reset_required", "searchValue": "", "expectedValue": "Attribute 'password_reset_required' should be true", "actualValue": "Attribute 'password_reset_required' is false" @@ -50,13 +50,13 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 30, + "line": 31, "filename": "positive.tf", "resourceType": "aws_iam_user_login_profile", "resourceName": "positive7", - "searchKey": "aws_iam_user_login_profile[positive7].password_reset_required", + "searchKey": "aws_iam_user_login_profile[positive7].password_length", "searchValue": "", - "expectedValue": "Attribute 'password_reset_required' should be true", - "actualValue": "Attribute 'password_reset_required' is false" + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json index 46fb82be7f4..a5f2ffb0773 100644 --- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json @@ -3,58 +3,58 @@ "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "filename": "positive6.tf", + "filename": "positive1.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", - "searchKey": "aws_db_parameter_group.example", + "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", - "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 1, - "filename": "positive5.tf", + "line": 6, + "filename": "positive2.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", - "searchKey": "aws_db_parameter_group.example", + "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", - "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement has the wrong value" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 10, + "filename": "positive3.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value" + "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 10, - "filename": "positive3.tf", + "line": 1, + "filename": "positive4.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", - "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value" + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "filename": "positive4.tf", + "filename": "positive5.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", - "searchKey": "aws_db_parameter_group.postgres_logging", + "searchKey": "aws_db_parameter_group.example", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" @@ -62,13 +62,13 @@ { "queryName": "Postgres RDS logging disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.tf", + "line": 1, + "filename": "positive6.tf", "resourceType": "aws_db_parameter_group", "resourceName": "postgres-logging", - "searchKey": "aws_db_parameter_group.postgres_logging", + "searchKey": "aws_db_parameter_group.example", "searchValue": "", - "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_statement has the wrong value" + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json index ea00471d1db..68372ed1039 100644 --- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", - "line": 38, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[ec2_public_instance].iam_instance_profile", + "line": 103, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "pub_ins", + "searchKey": "aws_instance[pub_ins].iam_instance_profile", "searchValue": "", "expectedValue": "Public and private instances should not share the same role", "actualValue": "Public and private instances share the same role" @@ -14,11 +14,11 @@ { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", - "line": 103, - "filename": "positive1.tf", - "resourceType": "aws_instance", - "resourceName": "pub_ins", - "searchKey": "aws_instance[pub_ins].iam_instance_profile", + "line": 38, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_public_instance].iam_instance_profile", "searchValue": "", "expectedValue": "Public and private instances should not share the same role", "actualValue": "Public and private instances share the same role" diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index e9da2391bc9..a7f9330f110 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive2].db_subnet_group_name", + "searchKey": "aws_db_instance[positive1].db_subnet_group_name", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", "actualValue": "RDS is running in a public subnet" @@ -15,10 +15,10 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive1].db_subnet_group_name", + "searchKey": "aws_db_instance[positive2].db_subnet_group_name", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", "actualValue": "RDS is running in a public subnet" diff --git a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json index 492b97ec704..6fbd7bdd5ff 100644 --- a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 10, - "filename": "positive2.tf", + "line": 11, + "filename": "positive1.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive2].port", + "searchKey": "aws_db_instance[positive1].port", "searchValue": "", - "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", - "actualValue": "aws_db_instance[positive2].port is set to 5432" + "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", + "actualValue": "aws_db_instance[positive1].port is set to 3306" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive4].port", + "searchKey": "aws_db_instance[positive2].port", "searchValue": "", - "expectedValue": "aws_db_instance[positive4].port should not be set to 1433", - "actualValue": "aws_db_instance[positive4].port is set to 1433" + "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", + "actualValue": "aws_db_instance[positive2].port is set to 5432" }, { "queryName": "RDS Using Default Port", "severity": "LOW", - "line": 11, - "filename": "positive1.tf", + "line": 10, + "filename": "positive3.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive1].port", + "searchKey": "aws_db_instance[positive3].port", "searchValue": "", - "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", - "actualValue": "aws_db_instance[positive1].port is set to 3306" + "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", + "actualValue": "aws_db_instance[positive3].port is set to 1521" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive3].port", + "searchKey": "aws_db_instance[positive4].port", "searchValue": "", - "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", - "actualValue": "aws_db_instance[positive3].port is set to 1521" + "expectedValue": "aws_db_instance[positive4].port should not be set to 1433", + "actualValue": "aws_db_instance[positive4].port is set to 1433" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 7519dcb4c1b..1d71fb67662 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", + "line": 12, + "filename": "positive1.tf", "resourceType": "aws_db_instance", "resourceName": "mydb", - "searchKey": "aws_db_instance[positive1]", + "searchKey": "aws_db_instance[positive1].backup_retention_period", "searchValue": "", - "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", - "actualValue": "'backup_retention_period' is not defined" + "expectedValue": "'backup_retention_period' should not equal '0'", + "actualValue": "'backup_retention_period' is equal '0'" }, { "queryName": "RDS With Backup Disabled", @@ -27,10 +27,10 @@ "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[db]", + "filename": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1]", "searchValue": "", "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", "actualValue": "'backup_retention_period' is not defined" @@ -38,13 +38,13 @@ { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive1.tf", - "resourceType": "aws_db_instance", - "resourceName": "mydb", - "searchKey": "aws_db_instance[positive1].backup_retention_period", + "line": 1, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", "searchValue": "", - "expectedValue": "'backup_retention_period' should not equal '0'", - "actualValue": "'backup_retention_period' is equal '0'" + "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", + "actualValue": "'backup_retention_period' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json index 3f869c1e9ca..2cd70ffe5e3 100644 --- a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[db]", + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive1", + "searchKey": "aws_db_instance[positive1]", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" @@ -14,11 +14,11 @@ { "queryName": "RDS Without Logging", "severity": "MEDIUM", - "line": 11, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[db].enabled_cloudwatch_logs_exports", + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive2", + "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", "actualValue": "'enabled_cloudwatch_logs_exports' is empty" @@ -27,10 +27,10 @@ "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_db_instance", - "resourceName": "positive1", - "searchKey": "aws_db_instance[positive1]", + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" @@ -38,11 +38,11 @@ { "queryName": "RDS Without Logging", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.tf", - "resourceType": "aws_db_instance", - "resourceName": "positive2", - "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", "actualValue": "'enabled_cloudwatch_logs_exports' is empty" diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json index c19babbf203..1838316ef92 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "aws_redshift_cluster", - "resourceName": "positive2", - "searchKey": "aws_redshift_cluster[positive2].encrypted", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "", - "expectedValue": "aws_redshift_cluster.encrypted should be set to false", - "actualValue": "aws_redshift_cluster.encrypted is true" + "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null", + "actualValue": "aws_redshift_cluster.encrypted is undefined or null" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 1, + "line": 17, "filename": "positive.tf", "resourceType": "aws_redshift_cluster", - "resourceName": "positive1", - "searchKey": "aws_redshift_cluster[positive1]", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].encrypted", "searchValue": "", - "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null", - "actualValue": "aws_redshift_cluster.encrypted is undefined or null" + "expectedValue": "aws_redshift_cluster.encrypted should be set to false", + "actualValue": "aws_redshift_cluster.encrypted is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json index 36fa395216b..475a4a6e7b1 100644 --- a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "aws_redshift_cluster", - "resourceName": "positive2", - "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "", - "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", - "actualValue": "aws_redshift_cluster.publicly_accessible is true" + "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", + "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 1, + "line": 17, "filename": "positive.tf", "resourceType": "aws_redshift_cluster", - "resourceName": "positive1", - "searchKey": "aws_redshift_cluster[positive1]", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", "searchValue": "", - "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", - "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null" + "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", + "actualValue": "aws_redshift_cluster.publicly_accessible is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 6a3cc345561..1b2f12fb396 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -2,50 +2,50 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 63, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 17, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2-2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 26, + "line": 60, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -62,26 +62,26 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 17, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-2", - "searchKey": "aws_security_group_rule[positive3-2]", + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 11, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -98,50 +98,50 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 82, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 60, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-4].ingress[1]", + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)" + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 87, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-6].ingress", + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)" + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 96, + "line": 11, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)" + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -158,49 +158,49 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-1].ingress", + "line": 49, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 39, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-3].ingress", + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 101, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-7].ingress", + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 7, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-1", - "searchKey": "aws_security_group_rule[positive3-1]", + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json index f159166253a..2f9752f1056 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Resource Not Using Tags", "severity": "INFO", - "line": 14, + "line": 1, "filename": "positive1.tf", "resourceType": "aws_acm_certificate", - "resourceName": "test", - "searchKey": "aws_acm_certificate[{{cert_2}}].tags", + "resourceName": "cert", + "searchKey": "aws_acm_certificate[{{cert}}]", "searchValue": "", - "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'", - "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'" + "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null", + "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null" }, { "queryName": "Resource Not Using Tags", "severity": "INFO", - "line": 1, + "line": 14, "filename": "positive1.tf", "resourceType": "aws_acm_certificate", - "resourceName": "cert", - "searchKey": "aws_acm_certificate[{{cert}}]", + "resourceName": "test", + "searchKey": "aws_acm_certificate[{{cert_2}}].tags", "searchValue": "", - "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null", - "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null" + "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'", + "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json index ead7cfbf6a7..ccdf898a4d7 100644 --- a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Root Account Has Active Access Keys", - "severity": "HIGH", - "line": 4, - "filename": "positive2.tf", - "resourceType": "aws_iam_access_key", - "resourceName": "positive2", - "searchKey": "aws_iam_access_key[positive2].status", - "searchValue": "", - "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'", - "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'" - }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'aws_iam_access_key[positive1].status' should be defined and set to 'Inactive'", "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'" + }, + { + "queryName": "Root Account Has Active Access Keys", + "severity": "HIGH", + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].status", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'", + "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 302dd6aef79..1582f0b709d 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -14,35 +14,35 @@ { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 20, - "filename": "positive5.tf", - "resourceType": "aws_s3_bucket_acl", - "resourceName": "example_bucket_acl", - "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].acl=public-read-write", "searchValue": "", - "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", - "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)" + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read-write'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 6, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read-write'" + "actualValue": "'acl' is equal 'public-read'" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 16, - "filename": "positive2.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive2].acl=public-read-write", + "line": 6, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", "actualValue": "'acl' is equal 'public-read-write'" @@ -51,24 +51,24 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 20, - "filename": "positive6.tf", + "filename": "positive5.tf", "resourceType": "aws_s3_bucket_acl", "resourceName": "example_bucket_acl", "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", - "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)" + "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 6, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].acl", + "line": 20, + "filename": "positive6.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", - "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read'" + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index dddc1b03634..a9aed14a579 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -14,14 +14,14 @@ { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", - "line": 37, - "filename": "positive6.tf", + "line": 4, + "filename": "positive2.tf", "resourceType": "aws_s3_bucket_policy", - "resourceName": "${var.positive6}", - "searchKey": "aws_s3_bucket_policy[positive6].policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", "searchValue": "", - "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action" + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -35,18 +35,6 @@ "expectedValue": "'policy.Statement.Action' should not be a 'Delete' action", "actualValue": "'policy.Statement.Action' is a 'Delete' action" }, - { - "queryName": "S3 Bucket Allows Delete Action From All Principals", - "severity": "CRITICAL", - "line": 4, - "filename": "positive2.tf", - "resourceType": "aws_s3_bucket_policy", - "resourceName": "${aws_s3_bucket.b.id}", - "searchKey": "aws_s3_bucket_policy[positive2].policy", - "searchValue": "", - "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action" - }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", @@ -70,5 +58,17 @@ "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive5].policy.Action should not be a 'Delete' action", "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action" + }, + { + "queryName": "S3 Bucket Allows Delete Action From All Principals", + "severity": "CRITICAL", + "line": 37, + "filename": "positive6.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive6}", + "searchKey": "aws_s3_bucket_policy[positive6].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index d543e5d5943..066acf83d99 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 4, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_s3_bucket_policy", "resourceName": "${aws_s3_bucket.b.id}", - "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchKey": "aws_s3_bucket_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" @@ -14,11 +14,11 @@ { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 12, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].policy", + "line": 4, + "filename": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" @@ -26,11 +26,11 @@ { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", - "line": 4, - "filename": "positive1.tf", - "resourceType": "aws_s3_bucket_policy", - "resourceName": "${aws_s3_bucket.b.id}", - "searchKey": "aws_s3_bucket_policy[positive1].policy", + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index 37d5aeced43..6d1e2a33b63 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -26,25 +26,25 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", + "line": 8, + "filename": "positive2.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[s3_bucket]", + "searchKey": "module[s3_bucket].block_public_acls", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is missing" + "actualValue": "'block_public_acls' is equal 'false'" }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[s3_bucket].block_public_acls", + "searchKey": "module[s3_bucket]", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is equal 'false'" + "actualValue": "'block_public_acls' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 1c44261a301..d4a9aa2a2f5 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action should not be a 'Put' action", "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action" }, - { - "queryName": "S3 Bucket Allows Put Action From All Principals", - "severity": "CRITICAL", - "line": 12, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].policy", - "searchValue": "", - "expectedValue": "'policy.Statement.Action' should not be a 'Put' action", - "actualValue": "'policy.Statement.Action' is a 'Put' action" - }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action should not be a 'Put' action", "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action" + }, + { + "queryName": "S3 Bucket Allows Put Action From All Principals", + "severity": "CRITICAL", + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'Put' action", + "actualValue": "'policy.Statement.Action' is a 'Put' action" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 6584d99c955..6b6c57f96a6 100644 --- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "S3 Bucket Logging Disabled", + "severity": "MEDIUM", + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null" + }, { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'logging' should be defined and not null", "actualValue": "'logging' is undefined or null" - }, - { - "queryName": "S3 Bucket Logging Disabled", - "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive1]", - "searchValue": "", - "expectedValue": "'logging' should be defined and not null", - "actualValue": "'logging' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json index 6fa8daf276e..20c56317982 100644 --- a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 1, - "filename": "positive10.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "aws_sns_topic", "resourceName": "s3-event-notification-topic", - "searchKey": "aws_sns_topic[topic1]", + "searchKey": "aws_sns_topic[topic2]", "searchValue": "", - "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", - "actualValue": "'aws_s3_bucket_notification' is undefined or null" + "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "filename": "positive4.tf", + "filename": "positive10.tf", "resourceType": "aws_sns_topic", "resourceName": "s3-event-notification-topic", - "searchKey": "aws_sns_topic[topic]", + "searchKey": "aws_sns_topic[topic1]", "searchValue": "", - "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null" }, { "queryName": "S3 bucket notifications disabled", @@ -35,6 +35,18 @@ "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", "actualValue": "'aws_s3_bucket_notification' is undefined or null" }, + { + "queryName": "S3 bucket notifications disabled", + "severity": "LOW", + "line": 1, + "filename": "positive12.tf", + "resourceType": "aws_lambda_function", + "resourceName": "aws_lambda_function", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null" + }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", @@ -50,14 +62,26 @@ { "queryName": "S3 bucket notifications disabled", "severity": "LOW", - "line": 6, - "filename": "positive1.tf", + "line": 14, + "filename": "positive3.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func2", + "searchKey": "aws_lambda_function[func2]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification " + }, + { + "queryName": "S3 bucket notifications disabled", + "severity": "LOW", + "line": 1, + "filename": "positive4.tf", "resourceType": "aws_sns_topic", "resourceName": "s3-event-notification-topic", - "searchKey": "aws_sns_topic[topic2]", + "searchKey": "aws_sns_topic[topic]", "searchValue": "", - "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification " + "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", @@ -71,18 +95,6 @@ "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " }, - { - "queryName": "S3 bucket notifications disabled", - "severity": "LOW", - "line": 1, - "filename": "positive7.tf", - "resourceType": "aws_sns_topic", - "resourceName": "s3-event-notification-topic", - "searchKey": "aws_sns_topic[topic]", - "searchValue": "", - "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " - }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", @@ -99,25 +111,25 @@ "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "filename": "positive8.tf", - "resourceType": "aws_sqs_queue", - "resourceName": "s3-event-notification-queue", - "searchKey": "aws_sqs_queue[queue]", + "filename": "positive7.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic]", "searchValue": "", - "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " + "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "filename": "positive12.tf", - "resourceType": "aws_lambda_function", - "resourceName": "aws_lambda_function", - "searchKey": "aws_lambda_function[func]", + "filename": "positive8.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", "searchValue": "", - "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", - "actualValue": "'aws_s3_bucket_notification' is undefined or null" + "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " }, { "queryName": "S3 bucket notifications disabled", @@ -130,17 +142,5 @@ "searchValue": "", "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification " - }, - { - "queryName": "S3 bucket notifications disabled", - "severity": "LOW", - "line": 14, - "filename": "positive3.tf", - "resourceType": "aws_lambda_function", - "resourceName": "func2", - "searchKey": "aws_lambda_function[func2]", - "searchValue": "", - "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification " } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json index 3c1d1bbd1fa..32aaa3b7b09 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "S3 Bucket Policy Accepts HTTP Requests", - "severity": "MEDIUM", - "line": 12, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].policy", - "searchValue": "", - "expectedValue": "'policy' should not accept HTTP Requests", - "actualValue": "'policy' accepts HTTP Requests" - }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", @@ -26,14 +14,26 @@ { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 32, - "filename": "positive5.tf", + "line": 4, + "filename": "positive2.tf", "resourceType": "aws_s3_bucket", - "resourceName": "a", - "searchKey": "aws_s3_bucket[pos5].policy", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b2].policy", "searchValue": "", - "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests" + "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests" + }, + { + "queryName": "S3 Bucket Policy Accepts HTTP Requests", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy' should not accept HTTP Requests", + "actualValue": "'policy' accepts HTTP Requests" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", @@ -50,13 +50,13 @@ { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.tf", + "line": 32, + "filename": "positive5.tf", "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[b2].policy", + "resourceName": "a", + "searchKey": "aws_s3_bucket[pos5].policy", "searchValue": "", - "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests" + "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json index 20e75ae1f4e..31d6704f57c 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", - "severity": "HIGH", - "line": 7, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].acl", - "searchValue": "", - "expectedValue": "S3 Bucket public ACL to not be overridden by public access block", - "actualValue": "S3 Bucket public ACL is overridden by public access block" - }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", @@ -23,6 +11,18 @@ "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block" }, + { + "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", + "severity": "HIGH", + "line": 7, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by public access block", + "actualValue": "S3 Bucket public ACL is overridden by public access block" + }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 0bab1bb9504..6d21930a357 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 12, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].policy", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "S3B_181355", + "searchKey": "aws_s3_bucket[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement' should not allow all actions to all principal", "actualValue": "'policy.Statement' allows all actions to all principal" @@ -14,11 +14,11 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "S3B_181355", - "searchKey": "aws_s3_bucket[positive1].policy", + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement' should not allow all actions to all principal", "actualValue": "'policy.Statement' allows all actions to all principal" diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 229983e651f..2b1eebb8aaf 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 7, - "filename": "positive7.tf", + "line": 11, + "filename": "positive1.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "allow_public", "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", @@ -14,20 +14,20 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 5, - "filename": "positive6.tf", - "resourceType": "aws_s3_bucket_public_access_block", - "resourceName": "allow_public", - "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "line": 1, + "filename": "positive10.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": "aws_s3_account_public_access_block[allow_public_acc]", "searchValue": "", - "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 11, - "filename": "positive8.tf", + "line": 12, + "filename": "positive2.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "allow_public", "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", @@ -35,18 +35,6 @@ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, - { - "queryName": "S3 Bucket Allows Public Policy", - "severity": "MEDIUM", - "line": 2, - "filename": "positive9.tf", - "resourceType": "aws_s3_account_public_access_block", - "resourceName": "allow_public_acc", - "searchKey": "aws_s3_account_public_access_block[allow_public_acc].block_public_policy", - "searchValue": "", - "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false" - }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", @@ -74,32 +62,32 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 1, - "filename": "positive10.tf", - "resourceType": "aws_s3_account_public_access_block", - "resourceName": "allow_public_acc", - "searchKey": "aws_s3_account_public_access_block[allow_public_acc]", + "line": 11, + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", - "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)" + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.tf", + "line": 5, + "filename": "positive6.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "allow_public", - "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 11, - "filename": "positive1.tf", + "line": 7, + "filename": "positive7.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "allow_public", "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", @@ -110,13 +98,25 @@ { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf", + "line": 11, + "filename": "positive8.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "allow_public", "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + }, + { + "queryName": "S3 Bucket Allows Public Policy", + "severity": "MEDIUM", + "line": 2, + "filename": "positive9.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": "aws_s3_account_public_access_block[allow_public_acc].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 23df0f100be..7309169461b 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].cors_rule", + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", "actualValue": "'cors_rule' allows all methods, all headers or several origins" @@ -15,10 +15,10 @@ "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 27, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_s3_bucket", "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive1].cors_rule", + "searchKey": "aws_s3_bucket[positive2].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", "actualValue": "'cors_rule' allows all methods, all headers or several origins" @@ -26,11 +26,11 @@ { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 26, - "filename": "positive5.tf", - "resourceType": "aws_s3_bucket_cors_configuration", - "resourceName": "example", - "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule", + "line": 16, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", "actualValue": "'cors_rule' allows all methods, all headers or several origins" @@ -50,11 +50,11 @@ { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", - "line": 27, - "filename": "positive2.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive2].cors_rule", + "line": 26, + "filename": "positive5.tf", + "resourceType": "aws_s3_bucket_cors_configuration", + "resourceName": "example", + "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", "actualValue": "'cors_rule' allows all methods, all headers or several origins" diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json index 78281432282..478d50a067a 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json @@ -3,26 +3,14 @@ "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 23, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "aws_s3_bucket", "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive3].versioning", + "searchKey": "aws_s3_bucket[positive1].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", "actualValue": "'mfa_delete' is undefined or null" }, - { - "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "LOW", - "line": 10, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].versioning.mfa_delete", - "searchValue": "", - "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is set to false" - }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", @@ -38,26 +26,26 @@ { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 9, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].versioning.enabled", - "searchValue": "", - "expectedValue": "'enabled' should be set to true", - "actualValue": "'enabled' is set to false" + "line": 23, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 28, - "filename": "positive7.tf", - "resourceType": "aws_s3_bucket_versioning", - "resourceName": "example2", - "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete", + "line": 24, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning.enabled", "searchValue": "", - "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'", - "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'" + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -74,11 +62,23 @@ { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 23, - "filename": "positive1.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive1].versioning", + "line": 10, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.mfa_delete", + "searchValue": "", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is set to false" + }, + { + "queryName": "S3 Bucket Without Enabled MFA Delete", + "severity": "LOW", + "line": 8, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", "actualValue": "'mfa_delete' is undefined or null" @@ -86,11 +86,11 @@ { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 24, - "filename": "positive3.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive3].versioning.enabled", + "line": 9, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", "searchValue": "", "expectedValue": "'enabled' should be set to true", "actualValue": "'enabled' is set to false" @@ -98,14 +98,14 @@ { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 8, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].versioning", - "searchValue": "mfa_delete", - "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is undefined or null" + "line": 28, + "filename": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example2", + "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete", + "searchValue": "", + "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index 22f5f6c0897..f39c7f69463 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "S3 Bucket Without Ignore Public ACL", - "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].ignore_public_acls", - "searchValue": "", - "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is missing" - }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", @@ -26,25 +14,37 @@ { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf", - "resourceType": "aws_s3_bucket_public_access_block", - "resourceName": "positive2", - "searchKey": "aws_s3_bucket_public_access_block[positive2]", + "line": 7, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].ignore_public_acls", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is missing" + "actualValue": "'ignore_public_acls' is equal 'false'" }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", - "line": 7, - "filename": "positive2.tf", + "line": 1, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[s3_bucket].ignore_public_acls", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is equal 'false'" + "actualValue": "'ignore_public_acls' is missing" + }, + { + "queryName": "S3 Bucket Without Ignore Public ACL", + "severity": "MEDIUM", + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2]", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is missing" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index f643854c265..1011c3cacbf 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.tf", + "line": 14, + "filename": "negative1.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "restrict_public", "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", @@ -14,8 +14,8 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 14, - "filename": "negative1.tf", + "line": 8, + "filename": "negative2.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "restrict_public", "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", @@ -26,8 +26,8 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf", + "line": 13, + "filename": "positive1.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "restrict_public", "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", @@ -38,8 +38,8 @@ { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", - "line": 8, - "filename": "negative2.tf", + "line": 14, + "filename": "positive2.tf", "resourceType": "aws_s3_bucket_public_access_block", "resourceName": "restrict_public", "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json index ca513978298..fff2e4e37c0 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "S3 Bucket Without Versioning", + "severity": "MEDIUM", + "line": 24, + "filename": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is set to false" + }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", @@ -14,35 +26,23 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 10, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].versioning.enabled", + "line": 23, + "filename": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is set to false" - }, - { - "queryName": "S3 Bucket Without Versioning", - "severity": "MEDIUM", - "line": 27, - "filename": "positive7.tf", - "resourceType": "aws_s3_bucket_versioning", - "resourceName": "example", - "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", - "searchValue": "", - "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", - "actualValue": "'versioning_configuration.status' is set to 'Suspended'" + "actualValue": "'versioning.enabled' is undefined or null" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 24, - "filename": "positive1.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive1].versioning.enabled", + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", "actualValue": "'versioning.enabled' is set to false" @@ -59,18 +59,6 @@ "expectedValue": "'versioning.enabled' should be true", "actualValue": "'versioning.enabled' is undefined or null" }, - { - "queryName": "S3 Bucket Without Versioning", - "severity": "MEDIUM", - "line": 14, - "filename": "positive8.tf", - "resourceType": "aws_s3_bucket", - "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[b2]", - "searchValue": "", - "expectedValue": "'versioning' should be true", - "actualValue": "'versioning' is undefined or null" - }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", @@ -86,13 +74,25 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 23, - "filename": "positive3.tf", + "line": 27, + "filename": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example", + "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", + "searchValue": "", + "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.status' is set to 'Suspended'" + }, + { + "queryName": "S3 Bucket Without Versioning", + "severity": "MEDIUM", + "line": 14, + "filename": "positive8.tf", "resourceType": "aws_s3_bucket", "resourceName": "my-tf-test-bucket", - "searchKey": "aws_s3_bucket[positive3].versioning", + "searchKey": "aws_s3_bucket[b2]", "searchValue": "", - "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is undefined or null" + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 386b433f72a..aebaa8c519b 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "S3 Static Website Host Enabled", - "severity": "HIGH", - "line": 12, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].website", - "searchValue": "", - "expectedValue": "'website' to not have static websites inside", - "actualValue": "'website' does have static websites inside" - }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", @@ -23,6 +11,18 @@ "expectedValue": "resource.aws_s3_bucket[positive1].website to not have static websites inside", "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside" }, + { + "queryName": "S3 Static Website Host Enabled", + "severity": "HIGH", + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].website", + "searchValue": "", + "expectedValue": "'website' to not have static websites inside", + "actualValue": "'website' does have static websites inside" + }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json index 93cbfa14b8d..cf305a71ef8 100644 --- a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json @@ -2,14 +2,38 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 10, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-2", - "searchKey": "aws_security_group_rule[positive3-2]", + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].ingress", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", - "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null" + "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].ingress.description is undefined or null" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].egress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].egress.description is undefined or null" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 3, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", @@ -26,38 +50,62 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 11, - "filename": "positive1.tf", + "line": 20, + "filename": "positive2.tf", "resourceType": "aws_security_group", - "resourceName": "positive1", - "searchKey": "aws_security_group[positive1].egress", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", - "actualValue": "aws_security_group[positive1].egress.description is undefined or null" + "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 55, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", + "line": 27, + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.1", "searchValue": "", - "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null" + "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 40, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", - "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null" + "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null" + }, + { + "queryName": "Security Group Rule Without Description", + "severity": "INFO", + "line": 1, + "filename": "positive4.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive4-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", + "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null" }, { "queryName": "Security Group Rule Without Description", @@ -74,14 +122,14 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 21, + "line": 6, "filename": "positive5.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null" + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", @@ -98,50 +146,38 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 20, - "filename": "positive2.tf", - "resourceType": "aws_security_group", - "resourceName": "positive2-2", - "searchKey": "aws_security_group[positive2-2].egress.0", - "searchValue": "", - "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", - "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null" - }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1", - "searchKey": "aws_security_group[positive1].ingress", + "line": 21, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", - "actualValue": "aws_security_group[positive1].ingress.description is undefined or null" + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 1, - "filename": "positive4.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive4-1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", + "line": 27, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", - "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null" + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 6, + "line": 40, "filename": "positive5.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null" + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", @@ -158,38 +194,14 @@ { "queryName": "Security Group Rule Without Description", "severity": "INFO", - "line": 3, - "filename": "positive2.tf", - "resourceType": "aws_security_group", - "resourceName": "positive2-1", - "searchKey": "aws_security_group[positive2-1].ingress.0", - "searchValue": "", - "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", - "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null" - }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 27, - "filename": "positive2.tf", - "resourceType": "aws_security_group", - "resourceName": "positive2-2", - "searchKey": "aws_security_group[positive2-2].egress.1", - "searchValue": "", - "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", - "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null" - }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 27, + "line": 55, "filename": "positive5.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null" + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null" }, { "queryName": "Security Group Rule Without Description", @@ -202,17 +214,5 @@ "searchValue": "", "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description should be defined and not null", "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null" - }, - { - "queryName": "Security Group Rule Without Description", - "severity": "INFO", - "line": 1, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-1", - "searchKey": "aws_security_group_rule[positive3-1]", - "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", - "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 42c3bd738b4..b1d91903609 100644 --- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 26, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open" + }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", @@ -14,26 +38,50 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 101, + "line": 60, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-7].ingress", + "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open" + "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 49, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" + "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open" + }, + { + "queryName": "Security Group With Unrestricted Access To SSH", + "severity": "MEDIUM", + "line": 101, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -59,18 +107,6 @@ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) should not be open", "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open" }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 73, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-5].ingress", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open" - }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", @@ -83,30 +119,6 @@ "expectedValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) should not be open", "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open" }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 30, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" - }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 60, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-4].ingress[1]", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open" - }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", @@ -134,50 +146,38 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 63, + "line": 30, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open" + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 96, + "line": 49, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", - "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open" - }, - { - "queryName": "Security Group With Unrestricted Access To SSH", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-1].ingress", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 87, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-6].ingress", + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -194,13 +194,13 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 26, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-2].ingress[1]", + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json index 511bd389136..14c557dc747 100644 --- a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Security Group Without Description", + "severity": "INFO", + "line": 1, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-1", + "searchKey": "aws_security_group[positive1-1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1] description should be defined and not null", + "actualValue": "aws_security_group[positive1-1] description is undefined or null" + }, { "queryName": "Security Group Without Description", "severity": "INFO", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "module[positive2-2] description should be defined and not null", "actualValue": "module[positive2-2] description is undefined or null" - }, - { - "queryName": "Security Group Without Description", - "severity": "INFO", - "line": 1, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1-1", - "searchKey": "aws_security_group[positive1-1]", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-1] description should be defined and not null", - "actualValue": "aws_security_group[positive1-1] description is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json index 7c0cd43dfdd..7f756751d1a 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Security Group Not Used", + "severity": "INFO", + "line": 8, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[allow_tls]", + "searchValue": "", + "expectedValue": "'aws_security_group[allow_tls]' should be used", + "actualValue": "'aws_security_group[allow_tls]' is not used" + }, { "queryName": "Security Group Not Used", "severity": "INFO", @@ -26,26 +38,26 @@ { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 1, - "filename": "positive8.tf", + "line": 21, + "filename": "positive4.tf", "resourceType": "aws_security_group", - "resourceName": "default_name", - "searchKey": "aws_security_group[default_name]", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", "searchValue": "", - "expectedValue": "'aws_security_group[default_name]' should be used", - "actualValue": "'aws_security_group[default_name]' is not used" + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used" }, { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 8, - "filename": "positive1.tf", + "line": 1, + "filename": "positive5.tf", "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[allow_tls]", + "resourceName": "example", + "searchKey": "aws_security_group[example]", "searchValue": "", - "expectedValue": "'aws_security_group[allow_tls]' should be used", - "actualValue": "'aws_security_group[allow_tls]' is not used" + "expectedValue": "'aws_security_group[example]' should be used", + "actualValue": "'aws_security_group[example]' is not used" }, { "queryName": "Security Group Not Used", @@ -62,8 +74,8 @@ { "queryName": "Security Group Not Used", "severity": "INFO", - "line": 21, - "filename": "positive4.tf", + "line": 19, + "filename": "positive7.tf", "resourceType": "aws_security_group", "resourceName": "unused-sg", "searchKey": "aws_security_group[unused_sg]", @@ -75,24 +87,12 @@ "queryName": "Security Group Not Used", "severity": "INFO", "line": 1, - "filename": "positive5.tf", - "resourceType": "aws_security_group", - "resourceName": "example", - "searchKey": "aws_security_group[example]", - "searchValue": "", - "expectedValue": "'aws_security_group[example]' should be used", - "actualValue": "'aws_security_group[example]' is not used" - }, - { - "queryName": "Security Group Not Used", - "severity": "INFO", - "line": 19, - "filename": "positive7.tf", + "filename": "positive8.tf", "resourceType": "aws_security_group", - "resourceName": "unused-sg", - "searchKey": "aws_security_group[unused_sg]", + "resourceName": "default_name", + "searchKey": "aws_security_group[default_name]", "searchValue": "", - "expectedValue": "'aws_security_group[unused_sg]' should be used", - "actualValue": "'aws_security_group[unused_sg]' is not used" + "expectedValue": "'aws_security_group[default_name]' should be used", + "actualValue": "'aws_security_group[default_name]' is not used" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 74b44bb662e..406f4aae00c 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 46, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_3", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -14,23 +14,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 47, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 44, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_2", - "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -38,11 +38,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 52, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_3", - "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -50,59 +50,59 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 3, + "line": 27, "filename": "positive1.tf", "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 23, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 60, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_4", - "searchKey": "aws_security_group_rule[positive3_ipv6_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_1", - "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 21, + "line": 56, "filename": "positive1.tf", "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -110,11 +110,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 53, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -122,23 +122,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 39, + "line": 2, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 5, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -146,27 +146,15 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -182,11 +170,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 53, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -194,11 +182,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 35, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -206,11 +194,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 35, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -218,35 +206,35 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_1", - "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 39, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 63, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv6", - "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "line": 53, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -254,11 +242,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 17, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -290,23 +278,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 47, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_2", - "searchKey": "aws_security_group[positive1_ipv6_2].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 23, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -319,18 +307,6 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -338,23 +314,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 38, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_1", - "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 9, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "line": 44, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -362,23 +338,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 52, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 26, + "line": 60, "filename": "positive3.tf", "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_4", - "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -398,11 +374,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -410,11 +386,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 32, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 17, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -422,23 +410,23 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 11, + "line": 23, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 18, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_3", - "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -446,11 +434,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 12, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_2", - "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -458,11 +446,11 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 38, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_1", - "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -470,13 +458,25 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 56, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv6", - "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 81b82411ff7..66a47d63628 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 63, + "line": 3, "filename": "positive1.tf", "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv6", - "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 38, + "line": 3, "filename": "positive1.tf", "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_1", - "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -26,23 +26,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 23, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 2, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_1", - "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -50,14 +50,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 32, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -74,11 +74,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 41, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Small Public Network", + "severity": "MEDIUM", + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -86,11 +98,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 60, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_4", - "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "line": 56, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Small Public Network", + "severity": "MEDIUM", + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -99,10 +123,10 @@ "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_1", - "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -110,11 +134,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 52, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_3", - "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -122,23 +146,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 53, + "line": 9, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 32, + "line": 16, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -146,23 +170,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -170,23 +194,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 26, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_4", - "searchKey": "aws_security_group_rule[positive3_ipv4_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 36, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_1", - "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -194,23 +206,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 16, + "line": 39, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_3", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -218,23 +230,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 47, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 53, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 12, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_2", - "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -242,11 +254,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 56, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv6", - "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "line": 2, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -254,14 +266,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 35, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -278,11 +290,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 27, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -290,11 +302,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 21, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -302,14 +314,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 17, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -326,47 +338,47 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 52, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 60, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 47, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_2", - "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "line": 5, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -374,35 +386,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 53, + "line": 11, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 5, + "line": 17, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -410,14 +410,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 11, + "line": 23, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -434,23 +434,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 10, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_2", - "searchKey": "aws_security_group_rule[positive3_ipv4_2]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_1", - "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -458,25 +458,25 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 39, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 46, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_3", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 119c50c640d..1f98f673882 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 26, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_4", - "searchKey": "aws_security_group_rule[positive3_ipv4_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_1", - "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "line": 3, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -26,11 +26,23 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 16, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_3", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 21, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -38,11 +50,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 23, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "line": 27, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -50,26 +62,38 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 53, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 38, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 27, + "line": 38, "filename": "positive1.tf", "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 47, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -86,11 +110,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 53, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "line": 63, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -98,35 +122,35 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 32, + "line": 2, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 60, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_4", - "searchKey": "aws_security_group_rule[positive3_ipv6_4]", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "line": 2, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 5, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -134,38 +158,38 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 41, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 16, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 23, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 12, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_2", - "searchKey": "aws_security_group[positive1_ipv4_2].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 32, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -194,11 +218,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 52, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_3", - "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "line": 46, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -206,35 +230,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 11, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 38, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_1", - "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 23, + "line": 53, "filename": "positive2.tf", "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_4", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -243,22 +243,10 @@ "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 44, "filename": "positive3.tf", "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_2", - "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -266,23 +254,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 18, + "line": 2, "filename": "positive3.tf", "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_3", - "searchKey": "aws_security_group_rule[positive3_ipv4_3]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 47, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -290,23 +266,23 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 35, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 10, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 3, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv4_1", - "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -314,14 +290,14 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 26, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -338,23 +314,23 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 47, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_2", - "searchKey": "aws_security_group[positive1_ipv6_2].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "line": 36, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 9, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv4_2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "line": 44, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -362,35 +338,35 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 2, + "line": 52, "filename": "positive3.tf", "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_1", - "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 60, "filename": "positive3.tf", "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv6_1", - "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 35, + "line": 5, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -407,6 +383,18 @@ "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" + }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", @@ -422,11 +410,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 63, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv6", - "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "line": 23, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", "actualValue": "POP3 (UDP:110) is allowed" @@ -434,11 +422,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 21, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_array_test_ipv4", - "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" @@ -446,11 +434,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 10, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3_ipv4_2", - "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "line": 35, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" @@ -458,25 +446,37 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 38, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1_ipv6_1", - "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "line": 41, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 46, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2_ipv6_3", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "line": 47, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", "actualValue": "SSH (UDP:22) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 53, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json index 0e0a29db2ad..ddece53ffb6 100644 --- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "SNS Topic Encrypted With AWS Managed Key", "severity": "MEDIUM", - "line": 11, - "filename": "positive2.tf", + "line": 3, + "filename": "positive1.tf", "resourceType": "aws_sns_topic", - "resourceName": "sns_ecnrypted", - "searchKey": "aws_sns_topic[test].kms_master_key_id", + "resourceName": "user-updates-topic", + "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", "searchValue": "", "expectedValue": "SNS Topic should not be encrypted with AWS managed key", "actualValue": "SNS Topic is encrypted with AWS managed key" @@ -14,11 +14,11 @@ { "queryName": "SNS Topic Encrypted With AWS Managed Key", "severity": "MEDIUM", - "line": 3, - "filename": "positive1.tf", + "line": 11, + "filename": "positive2.tf", "resourceType": "aws_sns_topic", - "resourceName": "user-updates-topic", - "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", + "resourceName": "sns_ecnrypted", + "searchKey": "aws_sns_topic[test].kms_master_key_id", "searchValue": "", "expectedValue": "SNS Topic should not be encrypted with AWS managed key", "actualValue": "SNS Topic is encrypted with AWS managed key" diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index d3531f51f30..58a6372afc6 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", - "line": 7, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "topic_policy", + "line": 2, + "filename": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", "actualValue": "'Statement[0].Principal.AWS' contains '*'" @@ -15,43 +15,19 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "filename": "positive6.tf", + "filename": "positive2.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "topic_policy", - "searchValue": "2", - "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 2, - "filename": "positive5.tf", - "resourceType": "aws_sns_topic", - "resourceName": "positive1", - "searchKey": "aws_sns_topic[positive1].policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 2, - "filename": "positive5.tf", - "resourceType": "aws_sns_topic", - "resourceName": "positive1", - "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "2", - "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" - }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "filename": "positive7.tf", + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", @@ -75,7 +51,19 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 2, - "filename": "positive1.tf", + "filename": "positive5.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 2, + "filename": "positive5.tf", "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", @@ -87,7 +75,7 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "filename": "positive2.tf", + "filename": "positive6.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "topic_policy", @@ -95,11 +83,23 @@ "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 7, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" + }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "filename": "positive3.tf", + "filename": "positive7.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 81bd7ccf7c3..fc37db29869 100644 --- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", - "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[s3_bucket].policy", - "searchValue": "", - "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", - "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously" - }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "aws_sns_topic_policy[positive2].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously" + }, + { + "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", + "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 5433d1090b5..69479ac00d5 100644 --- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -23,6 +23,54 @@ "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open SQL Analysis Services Port 2383", "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383" }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 39, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383" + }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383" + }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383" + }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383" + }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", @@ -50,14 +98,26 @@ { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 96, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "line": 17, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383" + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383" + }, + { + "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", + "severity": "MEDIUM", + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -74,26 +134,26 @@ { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 60, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-4].ingress[1]", + "line": 11, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383" + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 11, + "line": 30, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -134,73 +194,13 @@ { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-1", - "searchKey": "aws_security_group_rule[positive3-1]", - "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383" - }, - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 73, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-5].ingress", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383" - }, - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 87, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-6].ingress", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383" - }, - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 39, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-3].ingress", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383" - }, - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 17, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2-2", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", - "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383" - }, - { - "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", - "severity": "MEDIUM", - "line": 30, + "line": 96, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 99b8e26dbdb..406f1bb8849 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 3, - "filename": "positive7.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "aws_sqs_queue", "resourceName": "terraform-example-queue", - "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled", + "searchKey": "aws_sqs_queue[positive1]", "searchValue": "", - "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true", - "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false" + "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null" }, { "queryName": "SQS With SSE Disabled", @@ -26,20 +26,20 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[user_queue]", + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive3]", "searchValue": "", - "expectedValue": "'kms_master_key_id' should not be empty", - "actualValue": "'kms_master_key_id' is empty" + "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf", + "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[user_queue]", @@ -50,37 +50,37 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive4.tf", + "line": 12, + "filename": "positive5.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[user_queue]", "searchValue": "", - "expectedValue": "'kms_master_key_id' should be defined and not null", - "actualValue": "'kms_master_key_id' is undefined or null" + "expectedValue": "'kms_master_key_id' should not be empty", + "actualValue": "'kms_master_key_id' is empty" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", - "resourceType": "aws_sqs_queue", - "resourceName": "terraform-example-queue", - "searchKey": "aws_sqs_queue[positive3]", + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", "searchValue": "", - "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null", - "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null" + "expectedValue": "'kms_master_key_id' should be defined and not null", + "actualValue": "'kms_master_key_id' is undefined or null" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 3, + "filename": "positive7.tf", "resourceType": "aws_sqs_queue", "resourceName": "terraform-example-queue", - "searchKey": "aws_sqs_queue[positive1]", + "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled", "searchValue": "", - "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null", - "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null" + "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true", + "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json index 1207888783f..defa6a2588d 100644 --- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "aws_ssm_document", "resourceName": "test_document", - "searchKey": "aws_ssm_document[positive2].content", + "searchKey": "aws_ssm_document[positive1].content", "searchValue": "", - "expectedValue": "'inputs.kmsKeyId' should be defined and not null", - "actualValue": "'inputs.kmsKeyId' is undefined or null" + "expectedValue": "'inputs' should be defined and not null", + "actualValue": "'inputs' is undefined or null" }, { "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "aws_ssm_document", "resourceName": "test_document", - "searchKey": "aws_ssm_document[positive1].content", + "searchKey": "aws_ssm_document[positive2].content", "searchValue": "", - "expectedValue": "'inputs' should be defined and not null", - "actualValue": "'inputs' is undefined or null" + "expectedValue": "'inputs.kmsKeyId' should be defined and not null", + "actualValue": "'inputs.kmsKeyId' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index b885f5cbaac..1f31d1f5354 100644 --- a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 9, - "filename": "positive5.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[rds_cluster].copy_tags_to_snapshot", - "searchValue": "", - "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true", - "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "filename": "positive6.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[rds_cluster]", - "searchValue": "", - "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true", - "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined" - }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", "severity": "LOW", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be defined to true", "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 9, + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster]", + "searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index f439fb66b43..cf55ccd2caf 100644 --- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 11, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", - "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" - }, - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 30, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-1].ingress ports are known", + "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", @@ -38,74 +26,74 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 73, + "line": 39, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-5].ingress", + "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", - "expectedValue": "aws_security_group[positive1-5].ingress ports are known", - "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-3].ingress ports are known", + "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 7, - "filename": "positive2.tf", - "resourceType": "aws_vpc_security_group_ingress_rule", - "resourceName": "positive2-1", - "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "line": 60, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", - "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known", + "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 82, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "line": 73, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-5].ingress ports are known", + "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 96, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "line": 87, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-6].ingress ports are known", + "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 39, + "line": 101, "filename": "positive1.tf", "resourceType": "aws_security_group", "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-3].ingress", + "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", - "expectedValue": "aws_security_group[positive1-3].ingress ports are known", - "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group[positive1-7].ingress ports are known", + "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 87, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-6].ingress", + "line": 7, + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", - "expectedValue": "aws_security_group[positive1-6].ingress ports are known", - "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", @@ -122,85 +110,97 @@ { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 44, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "line": 7, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet" + "expectedValue": "aws_security_group_rule[positive3-1] ports are known", + "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 63, + "line": 17, + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] ports are known", + "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet" + }, + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 11, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-1].ingress", + "line": 30, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-1].ingress ports are known", - "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 60, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-4].ingress[1]", + "line": 44, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known", - "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 101, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "allow_tls", - "searchKey": "aws_security_group[positive1-7].ingress", + "line": 63, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group[positive1-7].ingress ports are known", - "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 7, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-1", - "searchKey": "aws_security_group_rule[positive3-1]", + "line": 82, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-1] ports are known", - "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", - "line": 17, - "filename": "positive3.tf", - "resourceType": "aws_security_group_rule", - "resourceName": "positive3-2", - "searchKey": "aws_security_group_rule[positive3-2]", + "line": 96, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", - "expectedValue": "aws_security_group_rule[positive3-2] ports are known", - "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet" + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 63521eba9bb..4937b2cefad 100644 --- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -2,38 +2,50 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 10, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks", + "line": 6, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4", + "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks", "searchValue": "", - "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'" + "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 22, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks", + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6", + "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks", "searchValue": "", - "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'" + "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 48, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks", + "line": 33, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4_array", + "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks", "searchValue": "", - "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'" + "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'" + }, + { + "queryName": "Unrestricted Security Group Ingress", + "severity": "HIGH", + "line": 49, + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6_array", + "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", @@ -83,30 +95,6 @@ "expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'", "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'" }, - { - "queryName": "Unrestricted Security Group Ingress", - "severity": "HIGH", - "line": 16, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks", - "searchValue": "", - "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'" - }, - { - "queryName": "Unrestricted Security Group Ingress", - "severity": "HIGH", - "line": 58, - "filename": "positive4.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks", - "searchValue": "", - "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'" - }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", @@ -119,18 +107,6 @@ "expectedValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks should not contain '::/0'", "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'" }, - { - "queryName": "Unrestricted Security Group Ingress", - "severity": "HIGH", - "line": 33, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1-ipv4_array", - "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks", - "searchValue": "", - "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'" - }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", @@ -158,14 +134,38 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 6, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1-ipv4", - "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks", + "line": 10, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks", "searchValue": "", - "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'" + "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'" + }, + { + "queryName": "Unrestricted Security Group Ingress", + "severity": "HIGH", + "line": 16, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'" + }, + { + "queryName": "Unrestricted Security Group Ingress", + "severity": "HIGH", + "line": 22, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", @@ -182,37 +182,37 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 72, + "line": 48, "filename": "positive4.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks", + "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks", "searchValue": "", - "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'" + "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 16, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1-ipv6", - "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks", + "line": 58, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks", "searchValue": "", - "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'" + "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 49, - "filename": "positive1.tf", - "resourceType": "aws_security_group", - "resourceName": "positive1-ipv6_array", - "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks", + "line": 72, + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks", "searchValue": "", - "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'" + "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json index 55527841a3e..ff23612b9a6 100644 --- a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 11, + "line": 1, "filename": "positive.tf", "resourceType": "aws_ecr_repository", - "resourceName": "img_p_1", - "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push", + "resourceName": "img_p_2", + "searchKey": "aws_ecr_repository[positive1]", "searchValue": "", - "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true", - "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false" + "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined", + "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 1, + "line": 11, "filename": "positive.tf", "resourceType": "aws_ecr_repository", - "resourceName": "img_p_2", - "searchKey": "aws_ecr_repository[positive1]", + "resourceName": "img_p_1", + "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push", "searchValue": "", - "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined", - "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined" + "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true", + "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 7b43a67badb..372a19e0c54 100644 --- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", - "line": 11, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module[positive3].user_data_base64", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "positive1", + "searchKey": "aws_launch_configuration[positive1].user_data_base64", "searchValue": "", - "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", - "actualValue": "'user_data_base64' contains RSA Private Key" + "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key", + "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key" }, { "queryName": "User Data Contains Encoded Private Key", @@ -26,13 +26,13 @@ { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_launch_configuration", - "resourceName": "positive1", - "searchKey": "aws_launch_configuration[positive1].user_data_base64", + "line": 11, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3].user_data_base64", "searchValue": "", - "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key", - "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key" + "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", + "actualValue": "'user_data_base64' contains RSA Private Key" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json index 9eaad036e10..b7f1a816e84 100644 --- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 17, + "line": 8, "filename": "positive1.tf", "resourceType": "aws_default_security_group", "resourceName": "default", - "searchKey": "aws_default_security_group[{{default}}].egress", + "searchKey": "aws_default_security_group[{{default}}].ingress", "searchValue": "", - "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined", - "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined" + "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 8, + "line": 17, "filename": "positive1.tf", "resourceType": "aws_default_security_group", "resourceName": "default", - "searchKey": "aws_default_security_group[{{default}}].ingress", + "searchKey": "aws_default_security_group[{{default}}].egress", "searchValue": "", - "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined", - "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined" + "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 23, + "line": 8, "filename": "positive2.tf", "resourceType": "aws_default_security_group", "resourceName": "default3", - "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks", + "searchKey": "aws_default_security_group[{{default3}}].ingress", "searchValue": "", - "expectedValue": "'egress' should be undefined", - "actualValue": "'egress' accepts all traffic" + "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -62,13 +62,13 @@ { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 8, + "line": 23, "filename": "positive2.tf", "resourceType": "aws_default_security_group", "resourceName": "default3", - "searchKey": "aws_default_security_group[{{default3}}].ingress", + "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks", "searchValue": "", - "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined", - "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined" + "expectedValue": "'egress' should be undefined", + "actualValue": "'egress' accepts all traffic" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index 48a40278c01..e9ed95958b8 100644 --- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "VPC FlowLogs Disabled", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_flow_log", + "resourceName": "example", + "searchKey": "aws_flow_log[example]", + "searchValue": "", + "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null", + "actualValue": "aws_flow_log[example].vpc_id is undefined or null" + }, + { + "queryName": "VPC FlowLogs Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_vpc", + "resourceName": "main", + "searchKey": "aws_vpc[main]", + "searchValue": "", + "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id", + "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id" + }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", @@ -22,29 +46,5 @@ "searchValue": "", "expectedValue": "vpc.enable_flow_log should be set to true", "actualValue": "vpc.enable_flow_log is undefined" - }, - { - "queryName": "VPC FlowLogs Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "aws_vpc", - "resourceName": "main", - "searchKey": "aws_vpc[main]", - "searchValue": "", - "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id", - "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id" - }, - { - "queryName": "VPC FlowLogs Disabled", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.tf", - "resourceType": "aws_flow_log", - "resourceName": "example", - "searchKey": "aws_flow_log[example]", - "searchValue": "", - "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null", - "actualValue": "aws_flow_log[example].vpc_id is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json index 30bf43d9f5a..74ac3449d73 100644 --- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "VPC Peering Route Table with Unrestricted CIDR", + "severity": "HIGH", + "line": 118, + "filename": "positive1.tf", + "resourceType": "aws_route", + "resourceName": "public_route_table", + "searchKey": "aws_route_table[public_route_table].route", + "searchValue": "", + "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" + }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", @@ -15,7 +27,7 @@ "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", "line": 118, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "aws_route", "resourceName": "public_route_table", "searchKey": "aws_route_table[public_route_table].route", @@ -34,17 +46,5 @@ "searchValue": "", "expectedValue": "aws_route_table[art_nat_gw_out].route restricts CIDR", "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR" - }, - { - "queryName": "VPC Peering Route Table with Unrestricted CIDR", - "severity": "HIGH", - "line": 118, - "filename": "positive3.tf", - "resourceType": "aws_route", - "resourceName": "public_route_table", - "searchKey": "aws_route_table[public_route_table].route", - "searchValue": "", - "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", - "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json index 116bb1b1db6..93338a250c4 100644 --- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "VPC Subnet Assigns Public IP", - "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "vpc", - "searchValue": "", - "expectedValue": "vpc.map_public_ip_on_launch should be set to false", - "actualValue": "vpc.map_public_ip_on_launch is set undefined" - }, { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "vpc.map_public_ip_on_launch should be set to false", "actualValue": "vpc.map_public_ip_on_launch is set to true" + }, + { + "queryName": "VPC Subnet Assigns Public IP", + "severity": "MEDIUM", + "line": 1, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc", + "searchValue": "", + "expectedValue": "vpc.map_public_ip_on_launch should be set to false", + "actualValue": "vpc.map_public_ip_on_launch is set undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index e133d7def4a..696814a654d 100644 --- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Vulnerable Default SSL Certificate", + "severity": "MEDIUM", + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "aws_cloudfront_distribution[positive2]", + "searchValue": "", + "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null", + "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null" + }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", @@ -34,17 +46,5 @@ "searchValue": "ssl_support_method", "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", "actualValue": "Attribute 'ssl_support_method' is not defined" - }, - { - "queryName": "Vulnerable Default SSL Certificate", - "severity": "MEDIUM", - "line": 5, - "filename": "positive.tf", - "resourceType": "aws_cloudfront_distribution", - "resourceName": "positive2", - "searchKey": "aws_cloudfront_distribution[positive2]", - "searchValue": "", - "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null", - "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json index d060b8049e8..19fdc8044fc 100644 --- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Workspaces Workspace Volume Not Encrypted", - "severity": "HIGH", - "line": 7, - "filename": "positive4.tf", - "resourceType": "aws_workspaces_workspace", - "resourceName": "example_4", - "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled", - "searchValue": "", - "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false" - }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", @@ -26,11 +14,11 @@ { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 11, - "filename": "positive3.tf", + "line": 12, + "filename": "positive2.tf", "resourceType": "aws_workspaces_workspace", - "resourceName": "example_3", - "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib", + "resourceName": "example_2", + "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" @@ -50,11 +38,11 @@ { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 12, - "filename": "positive2.tf", + "line": 11, + "filename": "positive3.tf", "resourceType": "aws_workspaces_workspace", - "resourceName": "example_2", - "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib", + "resourceName": "example_3", + "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" @@ -70,5 +58,17 @@ "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false" + }, + { + "queryName": "Workspaces Workspace Volume Not Encrypted", + "severity": "HIGH", + "line": 7, + "filename": "positive4.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_4", + "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index 747d34c4761..1eaa0593206 100644 --- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "AKS Network Policy Misconfigured", - "severity": "LOW", - "line": 69, - "filename": "positive.tf", - "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy", - "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'", - "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne" - }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive2].network_profile' should be set", "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined" + }, + { + "queryName": "AKS Network Policy Misconfigured", + "severity": "LOW", + "line": 69, + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'", + "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json index c4a68c0df33..a32127af4ce 100644 --- a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "AKS Private Cluster Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 7, + "filename": "positive1.tf", "resourceType": "azurerm_kubernetes_cluster", "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[positive2]", + "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined" + "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false" }, { "queryName": "AKS Private Cluster Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "azurerm_kubernetes_cluster", "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled", + "searchKey": "azurerm_kubernetes_cluster[positive2]", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false" + "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json index fa3e4b791cf..e799707f1ac 100644 --- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", - "line": 1, - "filename": "positive4.tf", + "line": 11, + "filename": "positive1.tf", "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[positive4]", + "resourceName": "positive1", + "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies", - "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies" + "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "positive3", - "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null" + "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "filename": "positive2.tf", + "filename": "positive3.tf", "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled", + "resourceName": "positive3", + "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false" + "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", - "line": 11, - "filename": "positive1.tf", + "line": 1, + "filename": "positive4.tf", "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "positive1", - "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive4]", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false" + "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies", + "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json index 06b84da28f1..4900c394e25 100644 --- a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json @@ -14,62 +14,62 @@ { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 34, - "filename": "positive3.tf", + "line": 31, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 39, - "filename": "positive3.tf", + "line": 35, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 38, + "line": 15, "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 31, - "filename": "positive1.tf", + "line": 33, + "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 35, - "filename": "positive1.tf", + "line": 38, + "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -86,25 +86,25 @@ { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 15, - "filename": "positive2.tf", + "line": 34, + "filename": "positive3.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", - "line": 33, - "filename": "positive2.tf", + "line": 39, + "filename": "positive3.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "myAKSClusterLogs", - "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json index 8b1f8faa537..5efadc84d2d 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json @@ -1,51 +1,63 @@ [ + { + "queryName": "App Service Authentication Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", + "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined" + }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive6.tf", - "resourceType": "azurerm_linux_web_app", + "filename": "positive10.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", + "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'" + "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive7.tf", + "line": 9, + "filename": "positive11.tf", "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive7]", + "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", - "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined" + "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_linux_web_app", + "line": 11, + "filename": "positive12.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive3]", + "searchKey": "azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", - "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined" + "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.tf", + "line": 9, + "filename": "positive13.tf", "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", + "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "App Service Authentication Disabled", @@ -62,50 +74,38 @@ { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive10.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", - "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'" - }, - { - "queryName": "App Service Authentication Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 17, + "filename": "positive2.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1]", + "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", - "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined" + "expectedValue": "'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive9.tf", - "resourceType": "azurerm_windows_web_app", + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", + "searchKey": "azurerm_linux_web_app[positive3]", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive11.tf", - "resourceType": "azurerm_windows_web_app", + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", + "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", @@ -122,49 +122,49 @@ { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 11, - "filename": "positive12.tf", - "resourceType": "azurerm_windows_web_app", + "line": 8, + "filename": "positive6.tf", + "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", + "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'" + "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.tf", - "resourceType": "azurerm_app_service", + "line": 1, + "filename": "positive7.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", + "searchKey": "azurerm_windows_web_app[positive7]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 9, - "filename": "positive13.tf", - "resourceType": "azurerm_linux_web_app", + "line": 7, + "filename": "positive8.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", + "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive8.tf", + "line": 6, + "filename": "positive9.tf", "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", + "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json index e6cabb3e6ef..b6f1224cbce 100644 --- a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json @@ -3,49 +3,25 @@ "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive9.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive9]", - "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", - "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null" - }, - { - "queryName": "App Service HTTP2 Disabled", - "severity": "MEDIUM", - "line": 8, - "filename": "positive6.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", - "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false" - }, - { - "queryName": "App Service HTTP2 Disabled", - "severity": "MEDIUM", - "line": 7, - "filename": "positive4.tf", - "resourceType": "azurerm_linux_web_app", + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive4].site_config", + "searchKey": "azurerm_app_service[positive1]", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null" + "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 17, + "filename": "positive2.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1]", + "searchKey": "azurerm_app_service[positive2].site_config", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", - "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null" + "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null" }, { "queryName": "App Service HTTP2 Disabled", @@ -59,6 +35,18 @@ "expectedValue": "'azurerm_app_service[positive3].site_config.http2_enabled' should be set to true", "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false" }, + { + "queryName": "App Service HTTP2 Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive4].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null" + }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", @@ -71,6 +59,18 @@ "expectedValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' should be set to true", "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false" }, + { + "queryName": "App Service HTTP2 Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive6.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false" + }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", @@ -98,13 +98,13 @@ { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.tf", - "resourceType": "azurerm_app_service", + "line": 1, + "filename": "positive9.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive2].site_config", + "searchKey": "azurerm_windows_web_app[positive9]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null" + "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 84ba11e0fd5..6e3844dcab6 100644 --- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -2,38 +2,14 @@ { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 43, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", - "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'" - }, - { - "queryName": "App Service Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 20, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-2].site_config", - "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined" - }, - { - "queryName": "App Service Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 26, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_web_app", + "line": 10, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-3]", + "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined" + "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -74,14 +50,14 @@ { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 10, - "filename": "positive1.tf", - "resourceType": "azurerm_app_service", + "line": 26, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", + "searchKey": "azurerm_linux_web_app[positive2-3]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'" + "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -95,28 +71,52 @@ "expectedValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' should be set to '1.3'", "actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'" }, + { + "queryName": "App Service Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 10, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" + }, + { + "queryName": "App Service Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 20, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined" + }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_web_app", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive2-3]", + "searchKey": "azurerm_windows_web_app[positive3-3]", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined" + "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 10, + "line": 43, "filename": "positive3.tf", "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", + "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" + "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json index def7188ed86..9ee999570cb 100644 --- a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_web_app_slot", - "resourceName": "example-slot", - "searchKey": "azurerm_linux_web_app_slot[positive2]", + "filename": "positive1.tf", + "resourceType": "azurerm_app_service_slot", + "resourceName": "${random_id.server.hex}", + "searchKey": "azurerm_app_service_slot[positive1]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", "actualValue": "'identity' block is not defined" @@ -15,10 +15,10 @@ "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_app_service_slot", - "resourceName": "${random_id.server.hex}", - "searchKey": "azurerm_app_service_slot[positive1]", + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_linux_web_app_slot[positive2]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", "actualValue": "'identity' block is not defined" diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json index 3b41e59e79d..a6ced035b7a 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json @@ -14,11 +14,11 @@ { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", - "line": 26, - "filename": "positive3.tf", - "resourceType": "azurerm_linux_web_app", - "resourceName": "example6", - "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", + "line": 25, + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", "searchValue": "", "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" @@ -26,11 +26,11 @@ { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", - "line": 25, - "filename": "positive2.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "example5", - "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", + "line": 26, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", "searchValue": "", "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json index 8180cb3c0a7..76eebda59ca 100644 --- a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Azure Active Directory Authentication", - "severity": "LOW", - "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_service_fabric_cluster", - "resourceName": "example-servicefabric", - "searchKey": "azurerm_service_fabric_cluster[positive2]", - "searchValue": "", - "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", - "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null" - }, { "queryName": "Azure Active Directory Authentication", "severity": "LOW", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' should be defined and not null", "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null" + }, + { + "queryName": "Azure Active Directory Authentication", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "example-servicefabric", + "searchKey": "azurerm_service_fabric_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json index e1a3e6ad839..1bb23fe62e6 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json @@ -2,98 +2,86 @@ { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 27, + "line": 1, "filename": "positive1.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", + "searchKey": "azurerm_app_service[positive1-1]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", - "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false" + "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 58, + "line": 14, "filename": "positive1.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", - "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", - "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false" - }, - { - "queryName": "Azure App Service Client Certificate Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_web_app", - "resourceName": "example-app-service", - "searchKey": "azurerm_linux_web_app[positive2-1]", + "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", "searchValue": "", - "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_web_app", + "line": 27, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-1]", + "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 33, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_web_app", + "line": 30, + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_web_app[positive3-4]", + "searchKey": "azurerm_app_service[positive1-4]", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 1, + "line": 41, "filename": "positive1.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-1]", + "searchKey": "azurerm_app_service[positive1-5]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 30, + "line": 58, "filename": "positive1.tf", "resourceType": "azurerm_app_service", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-4]", + "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 41, - "filename": "positive1.tf", - "resourceType": "azurerm_app_service", + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-5]", + "searchKey": "azurerm_linux_web_app[positive2-1]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined" + "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -131,6 +119,18 @@ "expectedValue": "'azurerm_linux_web_app[positive2-4].client_certificate_enabled' should be defined and set to true", "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined" }, + { + "queryName": "Azure App Service Client Certificate Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined" + }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", @@ -158,13 +158,13 @@ { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", - "resourceType": "azurerm_app_service", + "line": 33, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", "resourceName": "example-app-service", - "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", + "searchKey": "azurerm_windows_web_app[positive3-4]", "searchValue": "", - "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", - "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false" + "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json index 4ab1be8e9fa..852e5369594 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 6, + "filename": "positive1.tf", "resourceType": "azurerm_search_service", "resourceName": "example-search-service", - "searchKey": "azurerm_search_service[positive2]", + "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", "searchValue": "", - "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null" + "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true" }, { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "azurerm_search_service", "resourceName": "example-search-service", - "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", + "searchKey": "azurerm_search_service[positive2]", "searchValue": "", - "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", - "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true" + "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json index 29b1e9898c5..754a67b9b53 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 17, + "line": 11, "filename": "positive.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive2", - "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", "searchValue": "", - "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", - "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'" + "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", + "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'" }, { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 11, + "line": 17, "filename": "positive.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive1", - "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", "searchValue": "", - "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", - "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'" + "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", + "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 6238af28ed6..f7834bb84c5 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Azure Instance Using Basic Authentication", - "severity": "MEDIUM", - "line": 7, - "filename": "positive4.tf", - "resourceType": "azurerm_virtual_machine_scale_set", - "resourceName": "${var.prefix}-vm", - "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication", - "searchValue": "", - "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'" - }, - { - "queryName": "Azure Instance Using Basic Authentication", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3.tf", - "resourceType": "azurerm_linux_virtual_machine_scale_set", - "resourceName": "positive3-vmss", - "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication", - "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'" - }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' should be set to 'true'", "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 9, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive3-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json index d329150101b..a74fa971921 100644 --- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 18, + "line": 1, "filename": "positive1.tf", "resourceType": "azurerm_data_protection_backup_vault", - "resourceName": "positive2-backup-vault", - "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability", + "resourceName": "positive1-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive1]", "searchValue": "", - "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", - "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'" + "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null" }, { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 1, + "line": 18, "filename": "positive1.tf", "resourceType": "azurerm_data_protection_backup_vault", - "resourceName": "positive1-backup-vault", - "searchKey": "azurerm_data_protection_backup_vault[positive1]", + "resourceName": "positive2-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability", "searchValue": "", - "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled", - "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null" + "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json index 5ad59cb1506..8320b9588b9 100644 --- a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Beta - Blob Storage Without Soft Delete", - "severity": "HIGH", - "line": 32, - "filename": "positive.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "positive3", - "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days", - "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'", - "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'" - }, { "queryName": "Beta - Blob Storage Without Soft Delete", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' should be defined and not null", "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null" + }, + { + "queryName": "Beta - Blob Storage Without Soft Delete", + "severity": "HIGH", + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'", + "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json index 9b9d81e09b6..8ff7a287bc6 100644 --- a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Beta - Container Instances Not Using Private Virtual Networks", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_container_group", + "resourceName": "cg-positive1", + "searchKey": "azurerm_container_group[positive1]", + "searchValue": "", + "expectedValue": "'ip_address_type' should be set to 'Private'", + "actualValue": "'ip_address_type' is not defined" + }, { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", "severity": "LOW", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'ip_address_type' should be set to 'Private'", "actualValue": "'ip_address_type' is defined to 'None'" - }, - { - "queryName": "Beta - Container Instances Not Using Private Virtual Networks", - "severity": "LOW", - "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_container_group", - "resourceName": "cg-positive1", - "searchKey": "azurerm_container_group[positive1]", - "searchValue": "", - "expectedValue": "'ip_address_type' should be set to 'Private'", - "actualValue": "'ip_address_type' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json index a14a31a34f7..fce7517c716 100644 --- a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Beta - Containers Without Soft Delete", - "severity": "HIGH", - "line": 32, - "filename": "positive.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "positive3", - "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days", - "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'", - "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'" - }, { "queryName": "Beta - Containers Without Soft Delete", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' should be defined and not null", "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null" + }, + { + "queryName": "Beta - Containers Without Soft Delete", + "severity": "HIGH", + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'", + "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json index 48d2026cda3..17358bc32c4 100644 --- a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 60, - "filename": "positive5.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "secure-databricks-ws", - "searchKey": "azurerm_databricks_workspace[example_pos5]", + "searchKey": "azurerm_databricks_workspace[example_pos1]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'" + "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 27, - "filename": "positive4.tf", + "line": 36, + "filename": "positive2.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "secure-databricks-ws", - "searchKey": "azurerm_databricks_workspace[example_pos4]", + "searchKey": "azurerm_databricks_workspace[example_pos2]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", @@ -38,11 +38,11 @@ { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 27, + "filename": "positive4.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "secure-databricks-ws", - "searchKey": "azurerm_databricks_workspace[example_pos1]", + "searchKey": "azurerm_databricks_workspace[example_pos4]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" @@ -50,13 +50,13 @@ { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", "severity": "MEDIUM", - "line": 36, - "filename": "positive2.tf", + "line": 60, + "filename": "positive5.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "secure-databricks-ws", - "searchKey": "azurerm_databricks_workspace[example_pos2]", + "searchKey": "azurerm_databricks_workspace[example_pos5]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'" + "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json index 9e3a2781faa..89f280ce726 100644 --- a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "my-databricks-workspace", - "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled", + "searchKey": "azurerm_databricks_workspace[positive1]", "searchValue": "", - "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false" + "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null", + "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 27, + "line": 17, "filename": "positive.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "my-databricks-workspace", - "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled", + "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled", "searchValue": "", - "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false" + "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false" }, { "queryName": "Beta - Databricks Workspace Without CMK", "severity": "MEDIUM", - "line": 1, + "line": 27, "filename": "positive.tf", "resourceType": "azurerm_databricks_workspace", "resourceName": "my-databricks-workspace", - "searchKey": "azurerm_databricks_workspace[positive1]", + "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled", "searchValue": "", - "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null", - "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null" + "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true", + "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false" }, { "queryName": "Beta - Databricks Workspace Without CMK", diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 8acc99a4a49..47f102745d3 100644 --- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Default Azure Storage Account Network Access Is Too Permissive", - "severity": "HIGH", - "line": 6, - "filename": "positive4.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "positive4storageaccount", - "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled", - "searchValue": "", - "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", - "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')" - }, - { - "queryName": "Default Azure Storage Account Network Access Is Too Permissive", - "severity": "HIGH", - "line": 12, - "filename": "positive3.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "positive3storageaccount", - "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled", - "searchValue": "", - "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", - "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'" - }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'", "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'" + }, + { + "queryName": "Default Azure Storage Account Network Access Is Too Permissive", + "severity": "HIGH", + "line": 12, + "filename": "positive3.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3storageaccount", + "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled", + "searchValue": "", + "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", + "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'" + }, + { + "queryName": "Default Azure Storage Account Network Access Is Too Permissive", + "severity": "HIGH", + "line": 6, + "filename": "positive4.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4storageaccount", + "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled", + "searchValue": "", + "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", + "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json index a24a1d12c10..f91439f890a 100644 --- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json @@ -2,85 +2,85 @@ { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 39, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 3, - "filename": "positive2.tf", + "line": 8, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 23, - "filename": "positive2.tf", + "line": 18, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 3, + "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.tf", + "line": 13, + "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.tf", + "line": 23, + "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", "severity": "MEDIUM", - "line": 13, + "line": 39, "filename": "positive2.tf", "resourceType": "azurerm_monitor_diagnostic_setting", "resourceName": "diagnostic-settings-name", - "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]", + "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]", "searchValue": "", - "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'" + "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories", + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json index f663358fef8..5b842ca330a 100644 --- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 44, + "line": 10, "filename": "positive.tf", "resourceType": "azurerm_managed_disk", "resourceName": "acctestmd", - "searchKey": "azurerm_managed_disk[positive4].encryption_settings", + "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled", "searchValue": "", - "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null", - "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]" + "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true", + "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false" }, { "queryName": "Encryption On Managed Disk Disabled", @@ -26,25 +26,25 @@ { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 10, + "line": 33, "filename": "positive.tf", "resourceType": "azurerm_managed_disk", "resourceName": "acctestmd", - "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled", + "searchKey": "azurerm_managed_disk[positive3].encryption_settings", "searchValue": "", - "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true", - "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false" + "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null", + "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}" }, { "queryName": "Encryption On Managed Disk Disabled", "severity": "MEDIUM", - "line": 33, + "line": 44, "filename": "positive.tf", "resourceType": "azurerm_managed_disk", "resourceName": "acctestmd", - "searchKey": "azurerm_managed_disk[positive3].encryption_settings", + "searchKey": "azurerm_managed_disk[positive4].encryption_settings", "searchValue": "", - "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null", - "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}" + "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null", + "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json index 1c0dacbaa22..78ec920b971 100644 --- a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - File Share Without Soft Delete", "severity": "HIGH", - "line": 18, + "line": 1, "filename": "positive.tf", "resourceType": "azurerm_storage_account", - "resourceName": "positive2", - "searchKey": "azurerm_storage_account[positive2].share_properties", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null" + "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" }, { "queryName": "Beta - File Share Without Soft Delete", "severity": "HIGH", - "line": 1, + "line": 18, "filename": "positive.tf", "resourceType": "azurerm_storage_account", - "resourceName": "positive1", - "searchKey": "azurerm_storage_account[positive1]", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" + "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null", + "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json index d8843239a74..511f0616e90 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json @@ -2,86 +2,86 @@ { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 39, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled", + "searchKey": "azurerm_function_app[positive1-1]", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'" + "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined", + "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", + "line": 25, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined", - "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined" + "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 26, + "line": 1, "filename": "positive2.tf", "resourceType": "azurerm_linux_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2", + "searchKey": "azurerm_linux_function_app[positive2-1]", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 52, + "line": 16, "filename": "positive2.tf", "resourceType": "azurerm_linux_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2", + "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 25, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", + "line": 26, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'", + "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "line": 39, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'", + "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 39, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "line": 52, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled", + "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'" + "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", @@ -99,49 +99,49 @@ "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_function_app[positive1-1]", + "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined", - "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined" + "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 68, + "line": 16, "filename": "positive3.tf", "resourceType": "azurerm_windows_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled", + "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'" + "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 1, + "line": 26, "filename": "positive3.tf", "resourceType": "azurerm_windows_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined", - "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined" + "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined" }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 26, + "line": 39, "filename": "positive3.tf", "resourceType": "azurerm_windows_function_app", "resourceName": "example-app-service", - "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2", + "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined" + "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'" }, { "queryName": "Function App Authentication Disabled", @@ -158,13 +158,13 @@ { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", + "line": 68, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", "resourceName": "example-app-service", - "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'", + "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'" + "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json index 37f79457c24..a7bdc1b606c 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Function App Client Certificates Unrequired", - "severity": "MEDIUM", - "line": 14, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", - "resourceName": "test-azure-functions", - "searchKey": "azurerm_function_app[positive1-2].client_cert_mode", - "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'", - "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'" - }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", @@ -27,25 +15,25 @@ "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode", + "searchKey": "azurerm_function_app[positive1-2].client_cert_mode", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'", - "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'" + "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'", + "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'" }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchKey": "azurerm_linux_function_app[positive2-1]", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null" + "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null" }, { "queryName": "Function App Client Certificates Unrequired", @@ -63,12 +51,24 @@ "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null" + "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 14, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'", + "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json index e5968afd266..85a6bc271be 100644 --- a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "filename": "positive2.tf", - "resourceType": "azurerm_windows_function_app_slot", - "resourceName": "example-slot", - "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version", + "filename": "positive1.tf", + "resourceType": "azurerm_linux_function_app_slot", + "resourceName": "example-linux-function-app-slot", + "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" @@ -15,10 +15,10 @@ "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "filename": "positive1.tf", - "resourceType": "azurerm_linux_function_app_slot", - "resourceName": "example-linux-function-app-slot", - "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version", + "filename": "positive2.tf", + "resourceType": "azurerm_windows_function_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json index 48fa88962f0..dd527f0ad35 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 29, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", + "searchKey": "azurerm_function_app[positive1-1]", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false" + "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_function_app", + "line": 14, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchKey": "azurerm_function_app[positive1-2].site_config", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null" + "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", @@ -35,6 +35,18 @@ "expectedValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' should be set to true", "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false" }, + { + "queryName": "Function App HTTP2 Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null" + }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", @@ -63,48 +75,36 @@ "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null" + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", - "resourceName": "test-azure-functions", - "searchKey": "azurerm_function_app[positive1-2].site_config", - "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null" - }, - { - "queryName": "Function App HTTP2 Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_function_app[positive1-1]", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config", "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null" + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", - "line": 14, + "line": 29, "filename": "positive3.tf", "resourceType": "azurerm_windows_function_app", "resourceName": "test-azure-functions", - "searchKey": "azurerm_windows_function_app[positive3-2].site_config", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null" + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index f19f54b90d7..cb8dc13c9bb 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -1,4 +1,40 @@ [ + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" + }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", @@ -35,18 +71,6 @@ "expectedValue": "'azurerm_linux_function_app[positive2-4].site_config.minimum_tls_version' should be defined and set to '1.3'", "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined" }, - { - "queryName": "Function App Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 21, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", - "resourceName": "test-azure-functions", - "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", - "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'" - }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", @@ -94,29 +118,5 @@ "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-4].site_config.minimum_tls_version' should be defined and set to '1.3'", "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined" - }, - { - "queryName": "Function App Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", - "resourceName": "test-azure-functions", - "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", - "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" - }, - { - "queryName": "Function App Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.tf", - "resourceType": "azurerm_function_app", - "resourceName": "test-azure-functions", - "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", - "searchValue": "", - "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json index 85d13dda2c5..51244779f67 100644 --- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 31, + "line": 2, "filename": "positive.tf", "resourceType": "azurerm_postgresql_server", "resourceName": "dbserver", - "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", + "searchKey": "azurerm_postgresql_server[positive1]", "searchValue": "", - "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", - "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false" + "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", + "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined" }, { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 2, + "line": 31, "filename": "positive.tf", "resourceType": "azurerm_postgresql_server", "resourceName": "dbserver", - "searchKey": "azurerm_postgresql_server[positive1]", + "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", "searchValue": "", - "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", - "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined" + "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", + "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json index ff08cc3c965..f9f689e41bc 100644 --- a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Log Retention Is Not Set", - "severity": "MEDIUM", - "line": 19, - "filename": "positive.tf", - "resourceType": "azurerm_postgresql_configuration", - "resourceName": "log_retention", - "searchKey": "azurerm_postgresql_configuration[positive3].value", - "searchValue": "", - "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" - }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + }, + { + "queryName": "Log Retention Is Not Set", + "severity": "MEDIUM", + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json index 0d963602343..aa4610e84bb 100644 --- a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "MSSQL Server Database With Alerts Disabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_mssql_server", - "resourceName": "my-mssql-server", - "searchKey": "azurerm_mssql_server[example]", - "searchValue": "", - "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" - }, { "queryName": "MSSQL Server Database With Alerts Disabled", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' should be enabled", "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled" + }, + { + "queryName": "MSSQL Server Database With Alerts Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "my-mssql-server", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json index a11538fcdcd..eaaa64d6218 100644 --- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "PostgreSQL Server Threat Detection Policy Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive2.tf", + "line": 22, + "filename": "positive1.tf", "resourceType": "azurerm_postgresql_server", "resourceName": "example-psqlserver", - "searchKey": "azurerm_postgresql_server[positive2]", + "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled", "searchValue": "", - "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object", - "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null" + "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true", + "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false" }, { "queryName": "PostgreSQL Server Threat Detection Policy Disabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "azurerm_postgresql_server", "resourceName": "example-psqlserver", - "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled", + "searchKey": "azurerm_postgresql_server[positive2]", "searchValue": "", - "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true", - "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false" + "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object", + "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json index 0724deda635..4cbea672242 100644 --- a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 11, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules", + "searchValue": "", + "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0", + "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 28, + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].network_rules", + "searchValue": "", + "expectedValue": "'network_rules.ip_rules' should be defined and not null", + "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null" + }, { "queryName": "Public Storage Account", "severity": "HIGH", @@ -23,18 +47,6 @@ "expectedValue": "'ip_rules' should be defined and not null", "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null" }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 28, - "filename": "positive1.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "storageaccountname", - "searchKey": "azurerm_storage_account[positive2].network_rules", - "searchValue": "", - "expectedValue": "'network_rules.ip_rules' should be defined and not null", - "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null" - }, { "queryName": "Public Storage Account", "severity": "HIGH", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "'allow_blob_public_access' should be set to false or undefined", "actualValue": "'allow_blob_public_access' is set to true" - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 11, - "filename": "positive1.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "storageaccountname", - "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules", - "searchValue": "", - "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0", - "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json index 9c866999cdf..eabe1ac3c5d 100644 --- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json @@ -2,131 +2,131 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 64, + "line": 8, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 92, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 106, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 120, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 153, + "line": 64, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive11", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 213, + "line": 78, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive16", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 261, + "line": 92, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive20", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 78, + "line": 106, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 50, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 189, + "line": 134, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive14", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 201, + "line": 153, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive15", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -134,11 +134,11 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 225, + "line": 165, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive17", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -146,11 +146,11 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 249, + "line": 177, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive19", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "resourceName": "positive13", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -158,47 +158,47 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 8, + "line": 189, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive14", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389" + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 134, + "line": 201, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive15", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389" + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 36, + "line": 213, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389" + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" }, { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 165, + "line": 225, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive12", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -206,11 +206,11 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 177, + "line": 237, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive13", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -218,11 +218,11 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 237, + "line": 249, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive18", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", "actualValue": "'destination_port_range' might be 3389" @@ -230,13 +230,13 @@ { "queryName": "RDP Is Exposed To The Internet", "severity": "HIGH", - "line": 22, + "line": 261, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389" + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json index c659befe235..b7e9068f382 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 16, + "line": 1, "filename": "positive.tf", "resourceType": "azurerm_recovery_services_vault", - "resourceName": "positive2-recovery-vault", - "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", "searchValue": "", - "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true" + "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null" }, { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 1, + "line": 16, "filename": "positive.tf", "resourceType": "azurerm_recovery_services_vault", - "resourceName": "positive1-recovery-vault", - "searchKey": "azurerm_recovery_services_vault[positive1]", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled", "searchValue": "", - "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null" + "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json index 867065cffd1..da757697fdd 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 16, + "line": 1, "filename": "positive.tf", "resourceType": "azurerm_recovery_services_vault", - "resourceName": "positive2-recovery-vault", - "searchKey": "azurerm_recovery_services_vault[positive2].immutability", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", "searchValue": "", - "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", - "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'" + "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null" }, { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 1, + "line": 16, "filename": "positive.tf", "resourceType": "azurerm_recovery_services_vault", - "resourceName": "positive1-recovery-vault", - "searchKey": "azurerm_recovery_services_vault[positive1]", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].immutability", "searchValue": "", - "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled", - "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null" + "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json index 383ff588558..c9e44c26792 100644 --- a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", - "line": 10, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "azurerm_redis_cache", - "resourceName": "example-cache-negative2", - "searchKey": "azurerm_redis_cache[positive2]", + "resourceName": "example-cache-positive1", + "searchKey": "azurerm_redis_cache[positive1]", "searchValue": "", "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", - "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field" + "actualValue": "'identity' block is not defined" }, { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 10, + "filename": "positive2.tf", "resourceType": "azurerm_redis_cache", - "resourceName": "example-cache-positive1", - "searchKey": "azurerm_redis_cache[positive1]", + "resourceName": "example-cache-negative2", + "searchKey": "azurerm_redis_cache[positive2]", "searchValue": "", "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json index 0572c4dea96..0a106c65958 100644 --- a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 75, - "filename": "positive2.tf", - "resourceType": "azurerm_mssql_server", - "resourceName": "mssqlserver", - "searchKey": "azurerm_mssql_server[pos_example]", - "searchValue": "", - "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" - }, - { - "queryName": "Beta - Resource Without Diagnostic Settings", - "severity": "MEDIUM", - "line": 118, - "filename": "positive2.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "pos_example", - "searchKey": "azurerm_windows_web_app[pos_example]", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_subscription", + "resourceName": "positive1_1", + "searchKey": "azurerm_subscription[positive1_1]", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -38,74 +26,50 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 9, - "filename": "positive2.tf", - "resourceType": "azurerm_application_gateway", - "resourceName": "example-appgateway", - "searchKey": "azurerm_application_gateway[pos_example]", - "searchValue": "", - "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" - }, - { - "queryName": "Beta - Resource Without Diagnostic Settings", - "severity": "MEDIUM", - "line": 41, - "filename": "positive2.tf", - "resourceType": "azurerm_cdn_frontdoor_profile", - "resourceName": "example-cdn-profile", - "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]", - "searchValue": "", - "expectedValue": "'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" - }, - { - "queryName": "Beta - Resource Without Diagnostic Settings", - "severity": "MEDIUM", - "line": 173, + "line": 1, "filename": "positive2.tf", - "resourceType": "azurerm_container_registry", - "resourceName": "containerRegistry1", - "searchKey": "azurerm_container_registry[pos_example]", + "resourceType": "azurerm_key_vault", + "resourceName": "example-keyvault", + "searchKey": "azurerm_key_vault[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 158, + "line": 9, "filename": "positive2.tf", - "resourceType": "azurerm_eventhub_namespace", - "resourceName": "example-namespace", - "searchKey": "azurerm_eventhub_namespace[pos_example]", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 91, + "line": 15, "filename": "positive2.tf", - "resourceType": "azurerm_mssql_database", - "resourceName": "example-db", - "searchKey": "azurerm_mssql_database[pos_example]", + "resourceType": "azurerm_firewall", + "resourceName": "testfirewall", + "searchKey": "azurerm_firewall[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 85, + "line": 23, "filename": "positive2.tf", - "resourceType": "azurerm_mssql_managed_instance", - "resourceName": "managedsqlinstance", - "searchKey": "azurerm_mssql_managed_instance[pos_example]", + "resourceType": "azurerm_lb", + "resourceName": "TestLoadBalancer", + "searchKey": "azurerm_lb[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -122,26 +86,26 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_subscription", - "resourceName": "positive1_1", - "searchKey": "azurerm_subscription[positive1_1]", + "line": 36, + "filename": "positive2.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "example-FrontDoor", + "searchKey": "azurerm_frontdoor[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 181, + "line": 41, "filename": "positive2.tf", - "resourceType": "azurerm_api_management", - "resourceName": "example-apim", - "searchKey": "azurerm_api_management[pos_example]", + "resourceType": "azurerm_cdn_frontdoor_profile", + "resourceName": "example-cdn-profile", + "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -170,62 +134,74 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 1, + "line": 60, "filename": "positive2.tf", - "resourceType": "azurerm_key_vault", - "resourceName": "example-keyvault", - "searchKey": "azurerm_key_vault[pos_example]", + "resourceType": "azurerm_cdn_endpoint", + "resourceName": "pos_example", + "searchKey": "azurerm_cdn_endpoint[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 139, + "line": 67, "filename": "positive2.tf", - "resourceType": "azurerm_windows_function_app", - "resourceName": "example-windows-function-app", - "searchKey": "azurerm_windows_function_app[pos_example]", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 60, + "line": 75, "filename": "positive2.tf", - "resourceType": "azurerm_cdn_endpoint", - "resourceName": "pos_example", - "searchKey": "azurerm_cdn_endpoint[pos_example]", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 23, + "line": 85, "filename": "positive2.tf", - "resourceType": "azurerm_lb", - "resourceName": "TestLoadBalancer", - "searchKey": "azurerm_lb[pos_example]", + "resourceType": "azurerm_mssql_managed_instance", + "resourceName": "managedsqlinstance", + "searchKey": "azurerm_mssql_managed_instance[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 127, + "line": 91, "filename": "positive2.tf", - "resourceType": "azurerm_linux_function_app", - "resourceName": "example-linux-function-app", - "searchKey": "azurerm_linux_function_app[pos_example]", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + }, + { + "queryName": "Beta - Resource Without Diagnostic Settings", + "severity": "MEDIUM", + "line": 101, + "filename": "positive2.tf", + "resourceType": "azurerm_cosmosdb_account", + "resourceName": "tfex-cosmos-db-${random_integer.ri.result}", + "searchKey": "azurerm_cosmosdb_account[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -242,73 +218,97 @@ { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 166, + "line": 118, "filename": "positive2.tf", - "resourceType": "azurerm_servicebus_namespace", - "resourceName": "tfex-servicebus-namespace", - "searchKey": "azurerm_servicebus_namespace[pos_example]", + "resourceType": "azurerm_windows_web_app", + "resourceName": "pos_example", + "searchKey": "azurerm_windows_web_app[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 67, + "line": 127, "filename": "positive2.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "storageaccountname", - "searchKey": "azurerm_storage_account[pos_example]", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-linux-function-app", + "searchKey": "azurerm_linux_function_app[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 101, + "line": 139, "filename": "positive2.tf", - "resourceType": "azurerm_cosmosdb_account", - "resourceName": "tfex-cosmos-db-${random_integer.ri.result}", - "searchKey": "azurerm_cosmosdb_account[pos_example]", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-windows-function-app", + "searchKey": "azurerm_windows_function_app[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 15, + "line": 151, "filename": "positive2.tf", - "resourceType": "azurerm_firewall", - "resourceName": "testfirewall", - "searchKey": "azurerm_firewall[pos_example]", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 36, + "line": 158, "filename": "positive2.tf", - "resourceType": "azurerm_frontdoor", - "resourceName": "example-FrontDoor", - "searchKey": "azurerm_frontdoor[pos_example]", + "resourceType": "azurerm_eventhub_namespace", + "resourceName": "example-namespace", + "searchKey": "azurerm_eventhub_namespace[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", - "line": 151, + "line": 166, "filename": "positive2.tf", - "resourceType": "azurerm_kubernetes_cluster", - "resourceName": "example-aks1", - "searchKey": "azurerm_kubernetes_cluster[pos_example]", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[pos_example]", "searchValue": "", - "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + }, + { + "queryName": "Beta - Resource Without Diagnostic Settings", + "severity": "MEDIUM", + "line": 173, + "filename": "positive2.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + }, + { + "queryName": "Beta - Resource Without Diagnostic Settings", + "severity": "MEDIUM", + "line": 181, + "filename": "positive2.tf", + "resourceType": "azurerm_api_management", + "resourceName": "example-apim", + "searchKey": "azurerm_api_management[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 875b65870a8..5235694e919 100644 --- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -3,24 +3,24 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "azurerm_role_definition", - "resourceName": "my-custom-role", - "searchKey": "azurerm_role_definition[example].permissions.actions", + "resourceName": "my-custom-role-definition", + "searchKey": "azurerm_role_definition[example2].permissions.actions", "searchValue": "", - "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", - "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation" + "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation" }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "azurerm_role_definition", - "resourceName": "my-custom-role-definition", - "searchKey": "azurerm_role_definition[example2].permissions.actions", + "resourceName": "my-custom-role", + "searchKey": "azurerm_role_definition[example].permissions.actions", "searchValue": "", - "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", - "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation" + "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json index 361a8d153a6..c528f8591be 100644 --- a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 21, + "line": 7, "filename": "positive.tf", "resourceType": "azure_virtual_network", "resourceName": "test-network", - "searchKey": "azure_virtual_network[positive2].subnet.security_group", + "searchKey": "azure_virtual_network[positive1].subnet", "searchValue": "", - "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", - "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty" + "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", + "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 7, + "line": 21, "filename": "positive.tf", "resourceType": "azure_virtual_network", "resourceName": "test-network", - "searchKey": "azure_virtual_network[positive1].subnet", + "searchKey": "azure_virtual_network[positive2].subnet.security_group", "searchValue": "", - "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", - "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null" + "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", + "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 81a2ca62f3d..43fc1ccad4a 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -2,38 +2,38 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 8, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP110) is allowed" + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,66 +91,66 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP137) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, + "line": 64, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 106, + "line": 78, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP23) is allowed" @@ -146,62 +158,62 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 8, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", - "searchValue": "UDP,61621", - "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP61621) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP53) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP20) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36, + "line": 106, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -211,21 +223,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP80) is allowed" + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -235,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP135) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP110) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -263,18 +275,6 @@ "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP22) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 120, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP20) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,21 +295,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,21 +319,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP80) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP135) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,33 +367,33 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP139) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,33 +415,33 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 78, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP137) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP139) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,21 +475,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index a5524c7360f..b99095cf17e 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -2,50 +2,50 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 8, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -62,71 +62,71 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -134,11 +134,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 120, + "line": 64, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -146,23 +146,23 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 8, + "line": 78, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", - "searchValue": "UDP,61621", - "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", "actualValue": "DNS (UDP:53) is allowed" @@ -170,14 +170,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -191,6 +191,18 @@ "expectedValue": "SMTP (UDP:25) should not be allowed", "actualValue": "SMTP (UDP:25) is allowed" }, + { + "queryName": "Sensitive Port Is Exposed To Small Public Network", + "severity": "MEDIUM", + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" + }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", @@ -206,11 +218,11 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -218,14 +230,14 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -235,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -247,33 +259,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" - }, - { - "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 50, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 50, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,42 +319,42 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 78, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 64, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", "actualValue": "FTP (UDP:21) is allowed" @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -391,34 +391,22 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", "actualValue": "SSH (TCP:22) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", - "line": 120, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", @@ -439,33 +427,33 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -475,21 +463,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -506,25 +494,37 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Small Public Network", + "severity": "MEDIUM", + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 0e4b4976e38..e4dfb04e1f3 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -2,83 +2,83 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 8, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP:61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 64, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -86,14 +86,14 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -103,30 +103,30 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 78, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -134,11 +134,11 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 64, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", "actualValue": "Telnet (UDP:23) is allowed" @@ -146,86 +146,86 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120, + "line": 78, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 8, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", - "searchValue": "UDP:61621", - "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 106, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -271,21 +271,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,21 +319,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -355,21 +355,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -403,42 +403,42 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 106, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:21", "expectedValue": "FTP (UDP:21) should not be allowed", "actualValue": "FTP (UDP:21) is allowed" @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -511,20 +511,20 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json index 3e6ea5582b5..3b8bf0a3a2f 100644 --- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json @@ -2,38 +2,26 @@ { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 87, - "filename": "positive1.tf", - "resourceType": "azurerm_application_gateway", - "resourceName": "positive1_11-appgateway", - "searchKey": "azurerm_application_gateway[positive1_11]", - "searchValue": "", - "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" - }, - { - "queryName": "Beta - Service Without Resource Logging", - "severity": "MEDIUM", - "line": 26, + "line": 1, "filename": "positive1.tf", - "resourceType": "azurerm_batch_account", - "resourceName": "testbatchaccount", - "searchKey": "azurerm_batch_account[positive1_4]", + "resourceType": "azurerm_app_service", + "resourceName": "positive1_1-app-service", + "searchKey": "azurerm_app_service[positive1_1]", "searchValue": "", - "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 55, + "line": 8, "filename": "positive1.tf", - "resourceType": "azurerm_iothub", - "resourceName": "positive1_7-IoTHub", - "searchKey": "azurerm_iothub[positive1_7]", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive1_2", + "searchKey": "azurerm_windows_web_app[positive1_2]", "searchValue": "", - "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", @@ -50,14 +38,26 @@ { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 99, + "line": 26, "filename": "positive1.tf", - "resourceType": "azurerm_logic_app_standard", - "resourceName": "positive1_12-logic-app", - "searchKey": "azurerm_logic_app_standard[positive1_12]", + "resourceType": "azurerm_batch_account", + "resourceName": "testbatchaccount", + "searchKey": "azurerm_batch_account[positive1_4]", "searchValue": "", - "expectedValue": "'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + }, + { + "queryName": "Beta - Service Without Resource Logging", + "severity": "MEDIUM", + "line": 35, + "filename": "positive1.tf", + "resourceType": "azurerm_eventhub", + "resourceName": "acceptanceTestEventHub", + "searchKey": "azurerm_eventhub[positive1_5]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", @@ -74,74 +74,74 @@ { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 80, + "line": 55, "filename": "positive1.tf", - "resourceType": "azurerm_stream_analytics_job", - "resourceName": "positive1_10-job", - "searchKey": "azurerm_stream_analytics_job[positive1_10]", + "resourceType": "azurerm_iothub", + "resourceName": "positive1_7-IoTHub", + "searchKey": "azurerm_iothub[positive1_7]", "searchValue": "", - "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 8, + "line": 66, "filename": "positive1.tf", - "resourceType": "azurerm_windows_web_app", - "resourceName": "positive1_2", - "searchKey": "azurerm_windows_web_app[positive1_2]", + "resourceType": "azurerm_search_service", + "resourceName": "positive1_8-resource", + "searchKey": "azurerm_search_service[positive1_8]", "searchValue": "", - "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 1, + "line": 73, "filename": "positive1.tf", - "resourceType": "azurerm_app_service", - "resourceName": "positive1_1-app-service", - "searchKey": "azurerm_app_service[positive1_1]", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[positive1_9]", "searchValue": "", - "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 35, + "line": 80, "filename": "positive1.tf", - "resourceType": "azurerm_eventhub", - "resourceName": "acceptanceTestEventHub", - "searchKey": "azurerm_eventhub[positive1_5]", + "resourceType": "azurerm_stream_analytics_job", + "resourceName": "positive1_10-job", + "searchKey": "azurerm_stream_analytics_job[positive1_10]", "searchValue": "", - "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 66, + "line": 87, "filename": "positive1.tf", - "resourceType": "azurerm_search_service", - "resourceName": "positive1_8-resource", - "searchKey": "azurerm_search_service[positive1_8]", + "resourceType": "azurerm_application_gateway", + "resourceName": "positive1_11-appgateway", + "searchKey": "azurerm_application_gateway[positive1_11]", "searchValue": "", - "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", - "line": 73, + "line": 99, "filename": "positive1.tf", - "resourceType": "azurerm_servicebus_namespace", - "resourceName": "tfex-servicebus-namespace", - "searchKey": "azurerm_servicebus_namespace[positive1_9]", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "positive1_12-logic-app", + "searchKey": "azurerm_logic_app_standard[positive1_12]", "searchValue": "", - "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "expectedValue": "'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" }, { "queryName": "Beta - Service Without Resource Logging", diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json index 1aae6129936..56caad58ce1 100644 --- a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 64, + "line": 41, "filename": "positive.tf", "resourceType": "azurerm_monitor_log_profile", "resourceName": "default", - "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", + "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", "searchValue": "", - "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", - "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false" + "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", + "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 41, + "line": 64, "filename": "positive.tf", "resourceType": "azurerm_monitor_log_profile", "resourceName": "default", - "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", + "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", "searchValue": "", - "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", - "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null" + "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", + "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json index 8b9c9a53413..9d91e3ce741 100644 --- a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 43, + "line": 10, "filename": "positive.tf", "resourceType": "azurerm_network_watcher_flow_log", - "resourceName": "positive4", - "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", + "resourceName": "positive1", + "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", "searchValue": "", - "expectedValue": "'positive4.retention_policy' should be enabled)", - "actualValue": "'positive4.retention_policy' is disabled)" + "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [89])" }, { "queryName": "Small Flow Logs Retention Period", @@ -26,25 +26,25 @@ { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 10, + "line": 27, "filename": "positive.tf", "resourceType": "azurerm_network_watcher_flow_log", - "resourceName": "positive1", - "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", + "resourceName": "positive3", + "searchKey": "azurerm_network_watcher_flow_log[positive3]", "searchValue": "", - "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", - "actualValue": "'retention_policy.days' is less than 90 [89])" + "expectedValue": "'positive3.retention_policy' should exist)", + "actualValue": "'positive3.retention_policy' doesn't exist)" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 27, + "line": 43, "filename": "positive.tf", "resourceType": "azurerm_network_watcher_flow_log", - "resourceName": "positive3", - "searchKey": "azurerm_network_watcher_flow_log[positive3]", + "resourceName": "positive4", + "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", "searchValue": "", - "expectedValue": "'positive3.retention_policy' should exist)", - "actualValue": "'positive3.retention_policy' doesn't exist)" + "expectedValue": "'positive4.retention_policy' should be enabled)", + "actualValue": "'positive4.retention_policy' is disabled)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json index 9fb6d7673d3..c48a6bad891 100644 --- a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 46, + "line": 7, "filename": "positive.tf", "resourceType": "azurerm_sql_database", "resourceName": "myexamplesqldatabase", - "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", - "searchValue": "", - "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 0" - }, - { - "queryName": "Small MSSQL Server Audit Retention", - "severity": "LOW", - "line": 66, - "filename": "positive.tf", - "resourceType": "azurerm_sql_server", - "resourceName": "sqlserver", - "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", + "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", "searchValue": "", - "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 20" + "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", + "actualValue": "extended_auditing_policy.retention_in_days is not defined" }, { "queryName": "Small MSSQL Server Audit Retention", @@ -38,13 +26,25 @@ { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 7, + "line": 46, "filename": "positive.tf", "resourceType": "azurerm_sql_database", "resourceName": "myexamplesqldatabase", - "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", + "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", "searchValue": "", - "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", - "actualValue": "extended_auditing_policy.retention_in_days is not defined" + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0" + }, + { + "queryName": "Small MSSQL Server Audit Retention", + "severity": "LOW", + "line": 66, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "sqlserver", + "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json index 36b5614214e..8bb815e7ab7 100644 --- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 47, + "line": 11, "filename": "positive.tf", "resourceType": "azurerm_mssql_database", "resourceName": "myexamplesqldatabase", - "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", + "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", "searchValue": "", - "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 0" + "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 6" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 67, + "line": 29, "filename": "positive.tf", - "resourceType": "azurerm_mssql_server", - "resourceName": "mssqlserver", - "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", "searchValue": "", - "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 20" + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 11, + "line": 47, "filename": "positive.tf", "resourceType": "azurerm_mssql_database", "resourceName": "myexamplesqldatabase", - "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", + "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", "searchValue": "", - "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 6" + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 29, + "line": 67, "filename": "positive.tf", - "resourceType": "azurerm_mssql_database", - "resourceName": "myexamplesqldatabase", - "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", "searchValue": "", - "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 90" + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json index 75ea3555180..e3b739b4596 100644 --- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL Server Alert Email Disabled", - "severity": "INFO", - "line": 12, - "filename": "positive2.tf", - "resourceType": "azurerm_mssql_server_security_alert_policy", - "resourceName": "positive2", - "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", - "searchValue": "", - "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", - "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false" - }, { "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' should be defined", "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined" + }, + { + "queryName": "SQL Server Alert Email Disabled", + "severity": "INFO", + "line": 12, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive2", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 23e5384994a..468de3a191b 100644 --- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -3,13 +3,13 @@ "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "filename": "positive6.tf", - "resourceType": "azurerm_mysql_flexible_server_firewall_rule", - "resourceName": "office", - "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive1]", "searchValue": "", - "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", @@ -39,36 +39,36 @@ "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "filename": "positive5.tf", - "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", - "resourceName": "example-fw", - "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_postgresql_firewall_rule[example]", "searchValue": "", - "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_sql_firewall_rule", - "resourceName": "FirewallRule1", - "searchKey": "azurerm_sql_firewall_rule[positive1]", + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "example-fw", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", "searchValue": "", - "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "filename": "positive4.tf", - "resourceType": "azurerm_postgresql_firewall_rule", + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", "resourceName": "office", - "searchKey": "azurerm_postgresql_firewall_rule[example]", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", "searchValue": "", - "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json index 3786903bfd1..bdef12452de 100644 --- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json @@ -2,62 +2,50 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 50, + "line": 8, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 78, + "line": 22, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 106, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", - "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22" - }, - { - "queryName": "SSH Is Exposed To The Internet", - "severity": "MEDIUM", - "line": 153, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive11", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 225, + "line": 50, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive17", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", @@ -74,71 +62,71 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 120, + "line": 78, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 237, + "line": 92, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive18", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 249, + "line": 106, "filename": "positive.tf", - "resourceType": "azurerm_network_security_group", - "resourceName": "positive19", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "", - "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 8, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 92, + "line": 134, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22" + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 165, + "line": 153, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive12", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", "actualValue": "'destination_port_range' might be 22" @@ -146,27 +134,15 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 213, + "line": 165, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive16", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", "actualValue": "'destination_port_range' might be 22" }, - { - "queryName": "SSH Is Exposed To The Internet", - "severity": "MEDIUM", - "line": 134, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22" - }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", @@ -206,11 +182,11 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 261, + "line": 213, "filename": "positive.tf", "resourceType": "azurerm_network_security_group", - "resourceName": "positive20", - "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", "actualValue": "'destination_port_range' might be 22" @@ -218,25 +194,49 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 22, + "line": 225, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22" + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 36, + "line": 237, "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", "searchValue": "", - "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22" + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" + }, + { + "queryName": "SSH Is Exposed To The Internet", + "severity": "MEDIUM", + "line": 249, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" + }, + { + "queryName": "SSH Is Exposed To The Internet", + "severity": "MEDIUM", + "line": 261, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 89f1fab2e37..2e17e562801 100644 --- a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -3,19 +3,19 @@ "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "azurerm_storage_account", "resourceName": "example1", - "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled", + "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only", "searchValue": "", - "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'", - "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'" + "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "azurerm_storage_account", "resourceName": "example2", "searchKey": "azurerm_storage_account[example2]", @@ -27,19 +27,19 @@ "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "azurerm_storage_account", "resourceName": "example1", - "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only", + "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled", "searchValue": "", - "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'", - "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'" + "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "azurerm_storage_account", "resourceName": "example2", "searchKey": "azurerm_storage_account[example2]", diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json index a82d2f3eef8..f3023001b45 100644 --- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" + }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", @@ -58,17 +70,5 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)" - }, - { - "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", - "severity": "HIGH", - "line": 1, - "filename": "positive.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "positive1", - "searchKey": "azurerm_storage_account[positive1]", - "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json index 5c5f08c4c33..579dfd25c5a 100644 --- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 18, + "line": 1, "filename": "positive.tf", "resourceType": "azurerm_storage_account", - "resourceName": "positive2", - "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", - "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'" + "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null" }, { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 1, + "line": 18, "filename": "positive.tf", "resourceType": "azurerm_storage_account", - "resourceName": "positive1", - "searchKey": "azurerm_storage_account[positive1]", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", "searchValue": "", - "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", - "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null" + "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 6e7250ccaaf..0f881fb68f5 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json @@ -3,60 +3,60 @@ "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "azurerm_storage_account", "resourceName": "examplestorageacct", - "searchKey": "azurerm_storage_account[example_pos2]", + "searchKey": "azurerm_storage_account[example_pos1]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'" + "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", - "line": 6, - "filename": "positive4.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "azurerm_storage_account", "resourceName": "examplestorageacct", - "searchKey": "azurerm_storage_account[example_pos4]", + "searchKey": "azurerm_storage_account[example_pos2]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'" + "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "filename": "positive5.tf", + "filename": "positive3.tf", "resourceType": "azurerm_storage_account", "resourceName": "examplestorageacct", - "searchKey": "azurerm_storage_account[example_pos5]", + "searchKey": "azurerm_storage_account[example_pos3]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'" + "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "azurerm_storage_account", "resourceName": "examplestorageacct", - "searchKey": "azurerm_storage_account[example_pos3]", + "searchKey": "azurerm_storage_account[example_pos4]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'" + "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 6, + "filename": "positive5.tf", "resourceType": "azurerm_storage_account", "resourceName": "examplestorageacct", - "searchKey": "azurerm_storage_account[example_pos1]", + "searchKey": "azurerm_storage_account[example_pos5]", "searchValue": "", - "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'" + "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index b7223da96ec..7e2f5ed8a68 100644 --- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Trusted Microsoft Services Not Enabled", - "severity": "MEDIUM", - "line": 21, - "filename": "positive.tf", - "resourceType": "azurerm_storage_account", - "resourceName": "storageaccountname", - "searchKey": "azurerm_storage_account[positive2].network_rules.bypass", - "searchValue": "", - "expectedValue": "'network_rules.bypass' should contain 'AzureServices'", - "actualValue": "'network_rules.bypass' does not contain 'AzureServices'" - }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "'bypass' should contain 'AzureServices'", "actualValue": "'bypass' does not contain 'AzureServices'" + }, + { + "queryName": "Trusted Microsoft Services Not Enabled", + "severity": "MEDIUM", + "line": 21, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].network_rules.bypass", + "searchValue": "", + "expectedValue": "'network_rules.bypass' should contain 'AzureServices'", + "actualValue": "'network_rules.bypass' does not contain 'AzureServices'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json index 70522104494..dc2725a133e 100644 --- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json @@ -2,26 +2,38 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 26, - "filename": "positive2.tf", - "resourceType": "azurerm_mssql_firewall_rule", - "resourceName": "FirewallRule2", - "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", + "line": 19, + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "filename": "positive5.tf", - "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", - "resourceName": "FirewallRule2", - "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + }, + { + "queryName": "Unrestricted SQL Server Access", + "severity": "CRITICAL", + "line": 35, + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "positive5-legacy", + "searchKey": "azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", @@ -38,26 +50,26 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 27, - "filename": "positive6.tf", - "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "line": 26, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", "resourceName": "FirewallRule2", - "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", + "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 41, - "filename": "positive4.tf", - "resourceType": "azurerm_postgresql_firewall_rule", - "resourceName": "AllowAzure", - "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", + "line": 33, + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "positive5", + "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", @@ -74,38 +86,38 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 41, + "line": 33, "filename": "positive3.tf", "resourceType": "azurerm_mariadb_firewall_rule", - "resourceName": "AllowAzure", - "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 33, - "filename": "positive2.tf", - "resourceType": "azurerm_mssql_firewall_rule", - "resourceName": "positive5", - "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", + "line": 41, + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 35, - "filename": "positive6.tf", - "resourceType": "azurerm_mysql_flexible_server_firewall_rule", - "resourceName": "AllowAzure", - "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", + "line": 24, + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", @@ -122,14 +134,14 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 27, - "filename": "positive1.tf", - "resourceType": "azurerm_sql_firewall_rule", - "resourceName": "FirewallRule1", - "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", + "line": 41, + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", @@ -146,14 +158,26 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 33, - "filename": "positive3.tf", - "resourceType": "azurerm_mariadb_firewall_rule", + "line": 27, + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", "resourceName": "FirewallRule2", - "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + }, + { + "queryName": "Unrestricted SQL Server Access", + "severity": "CRITICAL", + "line": 35, + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" }, { "queryName": "Unrestricted SQL Server Access", @@ -170,49 +194,25 @@ { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", - "line": 24, - "filename": "positive4.tf", - "resourceType": "azurerm_postgresql_firewall_rule", - "resourceName": "FirewallRule1", - "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", - "searchValue": "", - "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" - }, - { - "queryName": "Unrestricted SQL Server Access", - "severity": "CRITICAL", - "line": 19, - "filename": "positive1.tf", - "resourceType": "azurerm_sql_firewall_rule", - "resourceName": "FirewallRule1", - "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", - "searchValue": "", - "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" - }, - { - "queryName": "Unrestricted SQL Server Access", - "severity": "CRITICAL", - "line": 35, - "filename": "positive1.tf", - "resourceType": "azurerm_sql_firewall_rule", - "resourceName": "positive5-legacy", - "searchKey": "azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", + "line": 27, + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "filename": "positive5.tf", - "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", "resourceName": "AllowAzure", - "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", "searchValue": "", - "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json index 3a14a4551a1..572ea2bb01b 100644 --- a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf", + "filename": "positive1.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive3", - "searchKey": "azurerm_role_assignment[positive3].role_definition_name", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", "searchValue": "", "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" @@ -15,10 +15,10 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive6.tf", + "filename": "positive2.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive6", - "searchKey": "azurerm_role_assignment[positive6].role_definition_id", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", "searchValue": "", "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." @@ -27,10 +27,10 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf", + "filename": "positive3.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive1", - "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "resourceName": "positive3", + "searchKey": "azurerm_role_assignment[positive3].role_definition_name", "searchValue": "", "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" @@ -39,34 +39,34 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive5.tf", + "filename": "positive4.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive5", - "searchKey": "azurerm_role_assignment[positive5].role_definition_name", + "resourceName": "positive4", + "searchKey": "azurerm_role_assignment[positive4].role_definition_id", "searchValue": "", - "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", - "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive4.tf", + "filename": "positive5.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive4", - "searchKey": "azurerm_role_assignment[positive4].role_definition_id", + "resourceName": "positive5", + "searchKey": "azurerm_role_assignment[positive5].role_definition_name", "searchValue": "", - "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", - "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "filename": "positive2.tf", + "filename": "positive6.tf", "resourceType": "azurerm_role_assignment", - "resourceName": "positive2", - "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "resourceName": "positive6", + "searchKey": "azurerm_role_assignment[positive6].role_definition_id", "searchValue": "", "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." diff --git a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json index 25ff5885ca9..1bb544b86ad 100644 --- a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Beta - VM With Automatic Updates Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'" + }, { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' should be set to 'true'", "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'" - }, - { - "queryName": "Beta - VM With Automatic Updates Disabled", - "severity": "MEDIUM", - "line": 11, - "filename": "positive.tf", - "resourceType": "azurerm_windows_virtual_machine", - "resourceName": "positive1-machine", - "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates", - "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json index f266775fdd2..1cea3e387fe 100644 --- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json @@ -3,37 +3,13 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_virtual_machine", - "resourceName": "positive3_1-machine", - "searchKey": "azurerm_windows_virtual_machine[positive3_1]", - "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null" - }, - { - "queryName": "Beta - VM With Extension Operations Enabled", - "severity": "MEDIUM", - "line": 20, - "filename": "positive4.tf", - "resourceType": "azurerm_windows_virtual_machine_scale_set", - "resourceName": "positive4_2-machine", - "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", - "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'" - }, - { - "queryName": "Beta - VM With Extension Operations Enabled", - "severity": "MEDIUM", - "line": 1, - "filename": "positive4.tf", - "resourceType": "azurerm_windows_virtual_machine_scale_set", - "resourceName": "positive4_1-vmss", - "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null" + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -51,13 +27,13 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_linux_virtual_machine", - "resourceName": "positive1_1-machine", - "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null" + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -75,13 +51,13 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_virtual_machine_scale_set", - "resourceName": "positive2_1-vmss", - "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null" + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -94,5 +70,29 @@ "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' should be defined and set to 'false'", "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'" + }, + { + "queryName": "Beta - VM With Extension Operations Enabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null" + }, + { + "queryName": "Beta - VM With Extension Operations Enabled", + "severity": "MEDIUM", + "line": 20, + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json index 7c597c26155..edff4848e9b 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json @@ -23,6 +23,18 @@ "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' should be defined and not null", "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null" }, + { + "queryName": "Beta - VM Without Admin SSH Public Key Set", + "severity": "MEDIUM", + "line": 40, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null" + }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", @@ -94,17 +106,5 @@ "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key.public_key' should be defined and not null", "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null" - }, - { - "queryName": "Beta - VM Without Admin SSH Public Key Set", - "severity": "MEDIUM", - "line": 40, - "filename": "positive1.tf", - "resourceType": "azurerm_linux_virtual_machine", - "resourceName": "positive1_3-machine", - "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", - "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json index f56c6f08256..da2bce90227 100644 --- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json @@ -2,14 +2,26 @@ { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 20, - "filename": "positive2.tf", - "resourceType": "azurerm_linux_virtual_machine_scale_set", - "resourceName": "positive2_2-vmss", - "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", + "line": 1, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'" + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null" + }, + { + "queryName": "Beta - VM Without Encryption At Host", + "severity": "LOW", + "line": 24, + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -26,14 +38,14 @@ { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 22, - "filename": "positive3.tf", - "resourceType": "azurerm_windows_virtual_machine", - "resourceName": "positive3_2-machine", - "searchKey": "azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", + "line": 20, + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'" + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -50,14 +62,14 @@ { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 20, - "filename": "positive4.tf", - "resourceType": "azurerm_windows_virtual_machine_scale_set", - "resourceName": "positive4_2-machine", - "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", + "line": 22, + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", "searchValue": "", - "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'" + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -74,25 +86,13 @@ { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", - "line": 24, - "filename": "positive1.tf", - "resourceType": "azurerm_linux_virtual_machine", - "resourceName": "positive1_2-machine", - "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", - "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'" - }, - { - "queryName": "Beta - VM Without Encryption At Host", - "severity": "LOW", - "line": 1, - "filename": "positive1.tf", - "resourceType": "azurerm_linux_virtual_machine", - "resourceName": "positive1_1-machine", - "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "line": 20, + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", "searchValue": "", - "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null" + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json index 93ca9d3dc58..88364de5d2c 100644 --- a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json @@ -14,26 +14,26 @@ { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 34, + "line": 21, "filename": "positive1.tf", "resourceType": "azurerm_virtual_machine", "resourceName": "${var.prefix}-vm", - "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk", + "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri", "searchValue": "", - "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", - "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" + "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", - "line": 23, - "filename": "positive4.tf", - "resourceType": "azurerm_virtual_machine_scale_set", - "resourceName": "vmss-premium-positive4_2", - "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk", + "line": 34, + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk", "searchValue": "", - "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null", - "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null" + "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", + "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" }, { "queryName": "Beta - VM Without Managed Disk", @@ -47,18 +47,6 @@ "expectedValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' should be defined and not null", "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null" }, - { - "queryName": "Beta - VM Without Managed Disk", - "severity": "MEDIUM", - "line": 18, - "filename": "positive5.tf", - "resourceType": "azurerm_virtual_machine", - "resourceName": "${var.prefix}-vm", - "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri", - "searchValue": "", - "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set", - "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set" - }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", @@ -71,18 +59,6 @@ "expectedValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' should be defined and not null", "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null" }, - { - "queryName": "Beta - VM Without Managed Disk", - "severity": "MEDIUM", - "line": 21, - "filename": "positive1.tf", - "resourceType": "azurerm_virtual_machine", - "resourceName": "${var.prefix}-vm", - "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri", - "searchValue": "", - "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set", - "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set" - }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", @@ -95,6 +71,30 @@ "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' should not be set", "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set" }, + { + "queryName": "Beta - VM Without Managed Disk", + "severity": "MEDIUM", + "line": 23, + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "vmss-premium-positive4_2", + "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null" + }, + { + "queryName": "Beta - VM Without Managed Disk", + "severity": "MEDIUM", + "line": 18, + "filename": "positive5.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set" + }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json index 92c217ca658..bc89eebbda0 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Databricks Autoscale Badly Setup", - "severity": "MEDIUM", - "line": 6, - "filename": "positive2.tf", - "resourceType": "databricks_cluster", - "resourceName": "positive2", - "searchKey": "databricks_cluster[positive2].autoscale", - "searchValue": "min_workers", - "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty", - "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'" - }, { "queryName": "Databricks Autoscale Badly Setup", "severity": "MEDIUM", @@ -22,5 +10,17 @@ "searchValue": "max_workers", "expectedValue": "'databricks_cluster[positive1].autoscale.max_workers' should not be empty", "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'" + }, + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6, + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].autoscale", + "searchValue": "min_workers", + "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty", + "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index ebdc206d407..ce09dc6db2f 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -11,18 +11,6 @@ "expectedValue": "'databricks_cluster[positive1].azure_attributes.availability' should not be equal to 'SPOT'", "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'" }, - { - "queryName": "Check Databricks Cluster Azure Attribute Best Practices", - "severity": "LOW", - "line": 10, - "filename": "positive3.tf", - "resourceType": "databricks_cluster", - "resourceName": "positive3", - "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand", - "searchValue": "", - "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present", - "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present" - }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' should not be equal to '0'", "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'" + }, + { + "queryName": "Check Databricks Cluster Azure Attribute Best Practices", + "severity": "LOW", + "line": 10, + "filename": "positive3.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive3", + "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present", + "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present" } ] \ No newline at end of file diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json index eec7fb48ceb..6a0b81d1623 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", - "severity": "HIGH", - "line": 16, - "filename": "positive3.tf", - "resourceType": "databricks_permissions", - "resourceName": "positive3", - "searchKey": "databricks_permissions.[positive3]", - "searchValue": "", - "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", - "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated" - }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", @@ -35,6 +23,18 @@ "expectedValue": "'databricks_cluster[positive2_error]' should have permissions", "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated" }, + { + "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", + "severity": "HIGH", + "line": 16, + "filename": "positive3.tf", + "resourceType": "databricks_permissions", + "resourceName": "positive3", + "searchKey": "databricks_permissions.[positive3]", + "searchValue": "", + "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", + "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated" + }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 0a5e783f5f8..4ed97df7829 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -2,8 +2,8 @@ { "queryName": "Job's Task is Legacy (spark_submit_task)", "severity": "MEDIUM", - "line": 18, - "filename": "positive2.tf", + "line": 36, + "filename": "positive1.tf", "resourceType": "databricks_job", "resourceName": "Job with multiple tasks", "searchKey": "databricks_job[positive].task.spark_submit_task", @@ -14,8 +14,8 @@ { "queryName": "Job's Task is Legacy (spark_submit_task)", "severity": "MEDIUM", - "line": 36, - "filename": "positive1.tf", + "line": 18, + "filename": "positive2.tf", "resourceType": "databricks_job", "resourceName": "Job with multiple tasks", "searchKey": "databricks_job[positive].task.spark_submit_task", diff --git a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json index 5879c64df16..e0ae56d3831 100644 --- a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 17, + "line": 1, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "gke-network-policy-cluster", - "searchKey": "google_container_cluster[positive2].network_policy.enabled", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", - "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'", - "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'" + "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null", + "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null" }, { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 1, + "line": 17, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "gke-network-policy-cluster", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive2].network_policy.enabled", "searchValue": "", - "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null", - "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null" + "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'", + "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json index e4609576843..10f5fbaed02 100644 --- a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -2,49 +2,49 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "google_compute_disk", "resourceName": "test-disk", - "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key", + "searchKey": "google_compute_disk[positive1]", "searchValue": "", - "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null", - "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null" + "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null", + "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive3.tf", + "line": 22, + "filename": "positive1.tf", "resourceType": "google_compute_disk", "resourceName": "test-disk", - "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link", + "searchKey": "google_compute_disk[positive2].disk_encryption_key", "searchValue": "", - "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null", - "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null" + "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null", + "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", + "line": 12, + "filename": "positive2.tf", "resourceType": "google_compute_disk", "resourceName": "test-disk", - "searchKey": "google_compute_disk[positive1]", + "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key", "searchValue": "", - "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null", - "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null" + "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null", + "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null" }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 22, - "filename": "positive1.tf", + "line": 12, + "filename": "positive3.tf", "resourceType": "google_compute_disk", "resourceName": "test-disk", - "searchKey": "google_compute_disk[positive2].disk_encryption_key", + "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link", "searchValue": "", - "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null", - "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null" + "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null", + "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json index f87b80b0aff..d078e2c88ec 100644 --- a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "google_essential_contacts_contact", - "resourceName": "positive2", - "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field", + "resourceName": "positive1", + "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" @@ -15,10 +15,10 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "google_essential_contacts_contact", - "resourceName": "positive1", - "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field", + "resourceName": "positive2", + "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" @@ -27,10 +27,10 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "google_essential_contacts_contact", - "resourceName": "positive4", - "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field", + "resourceName": "positive3", + "searchKey": "google_essential_contacts_contact[positive3].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" @@ -39,10 +39,10 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "google_essential_contacts_contact", - "resourceName": "positive3", - "searchKey": "google_essential_contacts_contact[positive3].notification_category_subscription_field", + "resourceName": "positive4", + "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" diff --git a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json index 4efb3196258..8f36ff6a25d 100644 --- a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", - "line": 6, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "google_container_cluster", "resourceName": "my-gke-cluster", - "searchKey": "google_container_cluster[positive2].release_channel.channel", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'" + "actualValue": "'release_channel' block is not defined" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "google_container_cluster", "resourceName": "my-gke-cluster", - "searchKey": "google_container_cluster[positive4].release_channel.channel", + "searchKey": "google_container_cluster[positive2].release_channel.channel", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel.channel' is defined to 'EXTENDED'" + "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", @@ -38,13 +38,13 @@ { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", - "line": 1, - "filename": "positive1.tf", + "line": 6, + "filename": "positive4.tf", "resourceType": "google_container_cluster", "resourceName": "my-gke-cluster", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive4].release_channel.channel", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel' block is not defined" + "actualValue": "'release_channel.channel' is defined to 'EXTENDED'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json index 2bb7a5fb29b..40f093f5801 100644 --- a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.tf", + "line": 7, + "filename": "positive1.tf", "resourceType": "google_container_cluster", "resourceName": "my-gke-cluster", - "searchKey": "google_container_cluster[positive2].node_config.service_account", + "searchKey": "google_container_cluster[positive1].node_config", "searchValue": "", "expectedValue": "'service_account' should not be default", "actualValue": "'service_account' is default" @@ -14,11 +14,11 @@ { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", - "line": 7, - "filename": "positive1.tf", + "line": 8, + "filename": "positive2.tf", "resourceType": "google_container_cluster", "resourceName": "my-gke-cluster", - "searchKey": "google_container_cluster[positive1].node_config", + "searchKey": "google_container_cluster[positive2].node_config.service_account", "searchValue": "", "expectedValue": "'service_account' should not be default", "actualValue": "'service_account' is default" diff --git a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json index 84306d8dd2f..18f7c9cac99 100644 --- a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 11, + "line": 1, "filename": "positive.tf", "resourceType": "google_dns_policy", - "resourceName": "example-policy-2", - "searchKey": "google_dns_policy[example-policy-2].enable_logging", + "resourceName": "example-policy", + "searchKey": "google_dns_policy[example-policy]", "searchValue": "", - "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true", - "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false" + "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null" }, { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 1, + "line": 11, "filename": "positive.tf", "resourceType": "google_dns_policy", - "resourceName": "example-policy", - "searchKey": "google_dns_policy[example-policy]", + "resourceName": "example-policy-2", + "searchKey": "google_dns_policy[example-policy-2].enable_logging", "searchValue": "", - "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true", - "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null" + "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json index dfb5da09a24..61632e9772b 100644 --- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 8, + "line": 5, "filename": "positive.tf", "resourceType": "google_project", "resourceName": "My Project", - "searchKey": "google_project[positive2]", + "searchKey": "google_project[positive1].auto_create_network", "searchValue": "", - "expectedValue": "google_project[positive2].auto_create_network should be set to false", - "actualValue": "google_project[positive2].auto_create_network is undefined" + "expectedValue": "google_project[positive1].auto_create_network should be set to false", + "actualValue": "google_project[positive1].auto_create_network is true" }, { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 5, + "line": 8, "filename": "positive.tf", "resourceType": "google_project", "resourceName": "My Project", - "searchKey": "google_project[positive1].auto_create_network", + "searchKey": "google_project[positive2]", "searchValue": "", - "expectedValue": "google_project[positive1].auto_create_network should be set to false", - "actualValue": "google_project[positive1].auto_create_network is true" + "expectedValue": "google_project[positive2].auto_create_network should be set to false", + "actualValue": "google_project[positive2].auto_create_network is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json index fcfb8e6aafb..667709ac2d3 100644 --- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 9, + "line": 3, "filename": "positive.tf", "resourceType": "google_project_iam_audit_config", "resourceName": "positive1", - "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members", + "searchKey": "google_project_iam_audit_config[positive1].service", "searchValue": "", - "expectedValue": "'exempted_members' should be empty", - "actualValue": "'exempted_members' is not empty" + "expectedValue": "'service' must be 'allServices'", + "actualValue": "'service' is 'some_specific_service'" }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 23, + "line": 9, "filename": "positive.tf", "resourceType": "google_project_iam_audit_config", - "resourceName": "positive2", - "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.exempted_members", + "resourceName": "positive1", + "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members", "searchValue": "", "expectedValue": "'exempted_members' should be empty", "actualValue": "'exempted_members' is not empty" @@ -38,13 +38,13 @@ { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 3, + "line": 23, "filename": "positive.tf", "resourceType": "google_project_iam_audit_config", - "resourceName": "positive1", - "searchKey": "google_project_iam_audit_config[positive1].service", + "resourceName": "positive2", + "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.exempted_members", "searchValue": "", - "expectedValue": "'service' must be 'allServices'", - "actualValue": "'service' is 'some_specific_service'" + "expectedValue": "'exempted_members' should be empty", + "actualValue": "'exempted_members' is not empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 0bd0d745b71..85dcf2dfd92 100644 --- a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 13, + "line": 2, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2]", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", - "expectedValue": "Attribute 'ip_allocation_policy' should be defined", - "actualValue": "Attribute 'ip_allocation_policy' is undefined" + "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined", + "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined" }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 2, + "line": 13, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive2]", "searchValue": "", - "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined", - "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined" + "expectedValue": "Attribute 'ip_allocation_policy' should be defined", + "actualValue": "Attribute 'ip_allocation_policy' is undefined" }, { "queryName": "IP Aliasing Disabled", diff --git a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json index 8cc2e1d1cab..169dfb60390 100644 --- a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json @@ -3,10 +3,10 @@ "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 8, - "filename": "positive4.tf", + "filename": "positive1.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", + "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled", "searchValue": "", "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" @@ -14,14 +14,14 @@ { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", - "line": 8, - "filename": "positive1.tf", + "line": 1, + "filename": "positive2.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled", + "searchKey": "google_container_cluster[positive2]", "searchValue": "", - "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", - "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" + "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", + "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", @@ -38,14 +38,14 @@ { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", - "line": 1, - "filename": "positive2.tf", + "line": 8, + "filename": "positive4.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2]", + "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", "searchValue": "", - "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", - "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled" + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", diff --git a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json index aa4129767ec..67736ef2fbe 100644 --- a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json @@ -14,44 +14,44 @@ { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.tf", + "line": 14, + "filename": "positive2.tf", "resourceType": "google_compute_network", - "resourceName": "vpc-legacy", - "searchKey": "google_compute_network[vpc_network_network]", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is not defined" + "actualValue": "'auto_create_subnetworks' is defined to true" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.tf", + "line": 14, + "filename": "positive3.tf", "resourceType": "google_compute_network", "resourceName": "legacy-network", - "searchKey": "google_compute_network[legacy_network]", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is not defined" + "actualValue": "'auto_create_subnetworks' is defined to true" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.tf", + "line": 7, + "filename": "positive4.tf", "resourceType": "google_compute_network", - "resourceName": "legacy-network", - "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "resourceName": "vpc-legacy", + "searchKey": "google_compute_network[vpc_network_network]", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is defined to true" + "actualValue": "'auto_create_subnetworks' is not defined" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "filename": "positive6.tf", + "filename": "positive5.tf", "resourceType": "google_compute_network", "resourceName": "legacy-network", "searchKey": "google_compute_network[legacy_network]", @@ -62,13 +62,13 @@ { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf", + "line": 12, + "filename": "positive6.tf", "resourceType": "google_compute_network", "resourceName": "legacy-network", - "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "searchKey": "google_compute_network[legacy_network]", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is defined to true" + "actualValue": "'auto_create_subnetworks' is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json index 25688424051..74038b49683 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive11.tf", + "filename": "positive1.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -15,7 +15,7 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive10.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -27,13 +27,25 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive5.tf", + "filename": "positive11.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + }, + { + "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", + "severity": "MEDIUM", + "line": 7, + "filename": "positive2.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert (Log Match)", - "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -50,26 +62,26 @@ { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 1, - "filename": "positive7.tf", - "resourceType": "google_logging_metric", - "resourceName": "audit_config_change", - "searchKey": "google_logging_metric[audit_config_change].filter", + "line": 7, + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", - "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive9.tf", - "resourceType": "google_logging_metric", - "resourceName": "audit_config_change", - "searchKey": "google_logging_metric[audit_config_change].filter", + "filename": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", - "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -86,14 +98,14 @@ { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.tf", - "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "line": 1, + "filename": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", - "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -111,24 +123,12 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive10.tf", + "filename": "positive9.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" - }, - { - "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", - "severity": "MEDIUM", - "line": 7, - "filename": "positive2.tf", - "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", - "searchValue": "", - "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json index 7b3cc49e33b..9cd771f189f 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json @@ -3,13 +3,25 @@ "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive5.tf", + "filename": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" + }, + { + "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", + "severity": "MEDIUM", + "line": 13, + "filename": "positive2.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert (Log Match)", - "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -26,22 +38,22 @@ { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", - "line": 1, - "filename": "positive1.tf", - "resourceType": "google_logging_metric", - "resourceName": "audit_config_change", - "searchKey": "google_logging_metric[audit_config_change].filter", + "line": 13, + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", - "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", - "line": 13, - "filename": "positive4.tf", + "line": 1, + "filename": "positive5.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", + "resourceName": "Audit Config Change Alert (Log Match)", "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", @@ -50,8 +62,8 @@ { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", - "line": 13, - "filename": "positive2.tf", + "line": 1, + "filename": "positive6.tf", "resourceType": "google_monitoring_alert_policy", "resourceName": "Audit Config Change Alert", "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", @@ -63,33 +75,21 @@ "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive8.tf", + "filename": "positive7.tf", "resourceType": "google_logging_metric", - "resourceName": "audit_config_change_1", + "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" - }, - { - "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", - "severity": "MEDIUM", - "line": 1, - "filename": "positive6.tf", - "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", - "searchValue": "", - "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive9.tf", + "filename": "positive8.tf", "resourceType": "google_logging_metric", - "resourceName": "audit_config_change", + "resourceName": "audit_config_change_1", "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", @@ -99,12 +99,12 @@ "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive7.tf", + "filename": "positive9.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json index 358d761fe21..8a595ae74c5 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive12.tf", + "filename": "positive1.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -15,10 +15,10 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive9.tf", + "filename": "positive10.tf", "resourceType": "google_logging_metric", - "resourceName": "project_ownership_with_not_remove", - "searchKey": "google_logging_metric[positive9].filter", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" @@ -27,7 +27,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive11.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -39,7 +39,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive13.tf", + "filename": "positive12.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -51,7 +51,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive11.tf", + "filename": "positive13.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -63,7 +63,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive7.tf", + "filename": "positive14.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -74,59 +74,59 @@ { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 1, - "filename": "positive8.tf", - "resourceType": "google_logging_metric", - "resourceName": "project_ownership_with_not", - "searchKey": "google_logging_metric[positive8].filter", + "line": 14, + "filename": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", - "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 14, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 1, - "filename": "positive10.tf", - "resourceType": "google_logging_metric", - "resourceName": "audit_config_change", - "searchKey": "google_logging_metric[audit_config_change].filter", + "line": 14, + "filename": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", - "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 14, - "filename": "positive2.tf", + "line": 1, + "filename": "positive5.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.tf", + "line": 1, + "filename": "positive6.tf", "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert (Log Match)", - "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" @@ -135,7 +135,7 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive14.tf", + "filename": "positive7.tf", "resourceType": "google_logging_metric", "resourceName": "audit_config_change", "searchKey": "google_logging_metric[audit_config_change].filter", @@ -147,24 +147,24 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf", - "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert", - "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "filename": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not", + "searchKey": "google_logging_metric[positive8].filter", "searchValue": "", - "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "filename": "positive5.tf", - "resourceType": "google_monitoring_alert_policy", - "resourceName": "Audit Config Change Alert (Log Match)", - "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "filename": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not_remove", + "searchKey": "google_logging_metric[positive9].filter", "searchValue": "", - "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json index f9f17ff6580..7140d02b210 100644 --- a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 16, + "line": 2, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2]", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" @@ -14,11 +14,11 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 30, + "line": 16, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive3]", + "searchKey": "google_container_cluster[positive2]", "searchValue": "", "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" @@ -26,49 +26,49 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 86, + "line": 30, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled", + "searchKey": "google_container_cluster[positive3]", "searchValue": "", - "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", - "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true" + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 63, + "line": 48, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive5].network_policy.enabled", + "searchKey": "google_container_cluster[positive4].addons_config", "searchValue": "", - "expectedValue": "Attribute 'network_policy.enabled' should be true", - "actualValue": "Attribute 'network_policy.enabled' is false" + "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined", + "actualValue": "Attribute 'addons_config.network_policy_config' is undefined" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 48, + "line": 63, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive4].addons_config", + "searchKey": "google_container_cluster[positive5].network_policy.enabled", "searchValue": "", - "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined", - "actualValue": "Attribute 'addons_config.network_policy_config' is undefined" + "expectedValue": "Attribute 'network_policy.enabled' should be true", + "actualValue": "Attribute 'network_policy.enabled' is false" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 2, + "line": 86, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled", "searchValue": "", - "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", - "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" + "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", + "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 3c008f11ade..aaf4af611f4 100644 --- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -2,37 +2,37 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 19, + "line": 1, "filename": "positive.tf", "resourceType": "google_container_node_pool", "resourceName": "my-node-pool", - "searchKey": "google_container_node_pool[positive2].management", + "searchKey": "google_container_node_pool[positive1]", "searchValue": "", - "expectedValue": "management.auto_upgrade should be defined and not null", - "actualValue": "management.auto_upgrade is undefined or null" + "expectedValue": "google_container_node_pool.management should be defined and not null", + "actualValue": "google_container_node_pool.management is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 36, + "line": 19, "filename": "positive.tf", "resourceType": "google_container_node_pool", "resourceName": "my-node-pool", - "searchKey": "google_container_node_pool[positive3].management.auto_upgrade", + "searchKey": "google_container_node_pool[positive2].management", "searchValue": "", - "expectedValue": "management.auto_upgrade should be true", - "actualValue": "management.auto_upgrade is false" + "expectedValue": "management.auto_upgrade should be defined and not null", + "actualValue": "management.auto_upgrade is undefined or null" }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 1, + "line": 36, "filename": "positive.tf", "resourceType": "google_container_node_pool", "resourceName": "my-node-pool", - "searchKey": "google_container_node_pool[positive1]", + "searchKey": "google_container_node_pool[positive3].management.auto_upgrade", "searchValue": "", - "expectedValue": "google_container_node_pool.management should be defined and not null", - "actualValue": "google_container_node_pool.management is undefined or null" + "expectedValue": "management.auto_upgrade should be true", + "actualValue": "management.auto_upgrade is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json index a88b492b6f2..3d23cacdd82 100644 --- a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 18, + "line": 2, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", - "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", - "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false" + "expectedValue": "Attribute 'pod_security_policy_config' should be defined", + "actualValue": "Attribute 'pod_security_policy_config' is undefined" }, { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 2, + "line": 18, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled", "searchValue": "", - "expectedValue": "Attribute 'pod_security_policy_config' should be defined", - "actualValue": "Attribute 'pod_security_policy_config' is undefined" + "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", + "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json index 1b2af48abe7..5099e7b5734 100644 --- a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -2,23 +2,23 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 30, + "line": 1, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive3].private_cluster_config", + "searchKey": "google_container_cluster[positive1]", "searchValue": "", - "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" + "expectedValue": "Attribute 'private_cluster_config' should be defined and not null", + "actualValue": "Attribute 'private_cluster_config' is undefined or null" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 44, + "line": 16, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive4].private_cluster_config", + "searchKey": "google_container_cluster[positive2].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" @@ -26,35 +26,35 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 58, + "line": 30, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive5].private_cluster_config", + "searchKey": "google_container_cluster[positive3].private_cluster_config", "searchValue": "", - "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 73, + "line": 44, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive6].private_cluster_config", + "searchKey": "google_container_cluster[positive4].private_cluster_config", "searchValue": "", - "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 88, + "line": 58, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive7].private_cluster_config", + "searchKey": "google_container_cluster[positive5].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" @@ -62,25 +62,25 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 1, + "line": 73, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1]", + "searchKey": "google_container_cluster[positive6].private_cluster_config", "searchValue": "", - "expectedValue": "Attribute 'private_cluster_config' should be defined and not null", - "actualValue": "Attribute 'private_cluster_config' is undefined or null" + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 16, + "line": 88, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2].private_cluster_config", + "searchKey": "google_container_cluster[positive7].private_cluster_config", "searchValue": "", - "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json index 8e1b4304746..1949f606e31 100644 --- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json @@ -1,39 +1,15 @@ [ - { - "queryName": "Service Account with Improper Privileges", - "severity": "MEDIUM", - "line": 10, - "filename": "positive3.tf", - "resourceType": "google_iam_policy", - "resourceName": "admin", - "searchKey": "google_iam_policy[admin].binding[1].role", - "searchValue": "", - "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" - }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "filename": "positive4.tf", - "resourceType": "google_iam_policy", - "resourceName": "admin", - "searchKey": "google_iam_policy[admin].binding[0].role", - "searchValue": "", - "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member" - }, - { - "queryName": "Service Account with Improper Privileges", - "severity": "MEDIUM", - "line": 9, - "filename": "positive4.tf", + "filename": "positive1.tf", "resourceType": "google_iam_policy", "resourceName": "admin", - "searchKey": "google_iam_policy[admin].binding[1].role", + "searchKey": "google_iam_policy[admin].binding.role", "searchValue": "", - "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" + "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member" }, { "queryName": "Service Account with Improper Privileges", @@ -59,16 +35,40 @@ "expectedValue": "google_project_iam_member[project2].role should not have admin, editor, owner, or write privileges for service account member", "actualValue": "google_project_iam_member[project2].role has admin, editor, owner, or write privilege for service account member" }, + { + "queryName": "Service Account with Improper Privileges", + "severity": "MEDIUM", + "line": 10, + "filename": "positive3.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" + }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf", + "filename": "positive4.tf", "resourceType": "google_iam_policy", "resourceName": "admin", - "searchKey": "google_iam_policy[admin].binding.role", + "searchKey": "google_iam_policy[admin].binding[0].role", "searchValue": "", - "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member" + "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member" + }, + { + "queryName": "Service Account with Improper Privileges", + "severity": "MEDIUM", + "line": 9, + "filename": "positive4.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json index c2c8ee42ed0..9a6ce5b9cb3 100644 --- a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Shielded VM Disabled", - "severity": "MEDIUM", - "line": 49, - "filename": "positive.tf", - "resourceType": "google_compute_instance", - "resourceName": "primary-application-server", - "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm", - "searchValue": "", - "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false" - }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", @@ -35,6 +23,18 @@ "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be defined", "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined" }, + { + "queryName": "Shielded VM Disabled", + "severity": "MEDIUM", + "line": 19, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver3].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined" + }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", @@ -50,37 +50,37 @@ { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 19, + "line": 38, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "primary-application-server", - "searchKey": "google_compute_instance[appserver3].shielded_instance_config", + "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot", "searchValue": "", - "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined", - "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined" + "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 60, + "line": 49, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "primary-application-server", - "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring", + "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm", "searchValue": "", - "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false" + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false" }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 38, + "line": 60, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "primary-application-server", - "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot", + "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring", "searchValue": "", - "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false" + "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 7090be1140b..e1c37bfcb5b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL DB Instance Backup Disabled", - "severity": "MEDIUM", - "line": 31, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "master-instance", - "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled", - "searchValue": "", - "expectedValue": "settings.backup_configuration.enabled should be true", - "actualValue": "settings.backup_configuration.enabled is false" - }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "settings.backup_configuration.enabled should be defined and not null", "actualValue": "settings.backup_configuration.enabled is undefined or null" + }, + { + "queryName": "SQL DB Instance Backup Disabled", + "severity": "MEDIUM", + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "settings.backup_configuration.enabled should be true", + "actualValue": "settings.backup_configuration.enabled is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 33cf3a2f375..c23ac264399 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 56, + "line": 6, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "master-instance", - "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration", + "searchKey": "google_sql_database_instance[positive1].settings", "searchValue": "", - "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", - "actualValue": "'private_network' is not defined when there are no authorized networks" + "expectedValue": "'ip_configuration' should be defined and allow only trusted networks", + "actualValue": "'ip_configuration' is not defined" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -38,13 +38,13 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 6, + "line": 56, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "master-instance", - "searchKey": "google_sql_database_instance[positive1].settings", + "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration", "searchValue": "", - "expectedValue": "'ip_configuration' should be defined and allow only trusted networks", - "actualValue": "'ip_configuration' is not defined" + "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", + "actualValue": "'private_network' is not defined when there are no authorized networks" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json index 6c3d7f35c0e..2b19b871ee3 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", - "severity": "MEDIUM", - "line": 42, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'" - }, - { - "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", - "severity": "MEDIUM", - "line": 60, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'" - }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", @@ -58,5 +34,29 @@ "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set '3625' to 'on'", "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set '3625'" + }, + { + "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", + "severity": "MEDIUM", + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'" + }, + { + "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", + "severity": "MEDIUM", + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json index 7fbd0a41efc..a4384e79016 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 31, + "line": 13, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'" + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'" }, { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 13, + "line": 31, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'" + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 4bf1b9faefb..1a33a452279 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", - "severity": "MEDIUM", - "line": 60, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "mysql-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'" - }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'local_infile' to 'off'", "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'" + }, + { + "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", + "severity": "MEDIUM", + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json index 99744d70d9b..72cb28c2d6c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 31, + "line": 13, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'" + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'" }, { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 13, + "line": 31, "filename": "positive.tf", "resourceType": "google_sql_database_instance", "resourceName": "sqlserver-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'" + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json index 98870452457..328be6089ed 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Beta - SQL DB Instance With Remote Access Enabled", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", @@ -46,17 +58,5 @@ "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'remote access' to 'off'", "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'" - }, - { - "queryName": "Beta - SQL DB Instance With Remote Access Enabled", - "severity": "HIGH", - "line": 1, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "mysql-instance-without-flag", - "searchKey": "google_sql_database_instance[positive_1]", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index d2841da72e8..dacf7065f52 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "SQL DB Instance With SSL Disabled", - "severity": "HIGH", - "line": 44, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "positive3", - "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", - "searchValue": "", - "expectedValue": "'settings.ip_configuration.require_ssl' should be true", - "actualValue": "'settings.ip_configuration.require_ssl' is false" - }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive3", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be true", + "actualValue": "'settings.ip_configuration.require_ssl' is false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json index e025e9d4173..19d25f9d975 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", - "line": 42, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "postgres-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'" - }, - { - "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", - "line": 60, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "postgres-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'" - }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", @@ -58,5 +34,29 @@ "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_connections' to 'on'", "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'" + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'" + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json index 020d920de67..2be6b7a284e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Beta - SQL DB Instance Without Disconnections Logging", - "severity": "MEDIUM", - "line": 60, - "filename": "positive.tf", - "resourceType": "google_sql_database_instance", - "resourceName": "postgres-instance-with-flag", - "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", - "searchValue": "", - "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'" - }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'" + }, + { + "queryName": "Beta - SQL DB Instance Without Disconnections Logging", + "severity": "MEDIUM", + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index aff6e9447d2..aa18711898a 100644 --- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 18, + "line": 6, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2].logging_service", + "searchKey": "google_container_cluster[positive1].logging_service", "searchValue": "", "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", - "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'" + "actualValue": "Attribute 'logging_service' is 'none'" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 6, + "line": 18, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1].logging_service", + "searchKey": "google_container_cluster[positive2].logging_service", "searchValue": "", "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", - "actualValue": "Attribute 'logging_service' is 'none'" + "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 1c08eb0cfa0..cc7c39a0854 100644 --- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 18, + "line": 6, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive2].monitoring_service", + "searchKey": "google_container_cluster[positive1].monitoring_service", "searchValue": "", "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", - "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'" + "actualValue": "Attribute 'monitoring_service' is 'none'" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 6, + "line": 18, "filename": "positive.tf", "resourceType": "google_container_cluster", "resourceName": "marcellus-wallace", - "searchKey": "google_container_cluster[positive1].monitoring_service", + "searchKey": "google_container_cluster[positive2].monitoring_service", "searchValue": "", "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", - "actualValue": "Attribute 'monitoring_service' is 'none'" + "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json index a6616936da0..ff9ecabcfee 100644 --- a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "User with IAM Role", + "severity": "LOW", + "line": 3, + "filename": "positive1.tf", + "resourceType": "google_iam_policy", + "resourceName": "positive", + "searchKey": "google_iam_policy[positive].binding.role", + "searchValue": "", + "expectedValue": "google_iam_policy[positive].binding.role should not be set", + "actualValue": "google_iam_policy[positive].binding.role is set" + }, { "queryName": "User with IAM Role", "severity": "LOW", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "google_project_iam_member[positive3].role should not be set", "actualValue": "google_project_iam_member[positive3].role is set" - }, - { - "queryName": "User with IAM Role", - "severity": "LOW", - "line": 3, - "filename": "positive1.tf", - "resourceType": "google_iam_policy", - "resourceName": "positive", - "searchKey": "google_iam_policy[positive].binding.role", - "searchValue": "", - "expectedValue": "google_iam_policy[positive].binding.role should not be set", - "actualValue": "google_iam_policy[positive].binding.role is set" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json index afdce40ce30..bbeea1addba 100644 --- a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json @@ -2,61 +2,61 @@ { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 73, + "line": 2, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "test", - "searchKey": "google_compute_instance[positive3].service_account.email", + "searchKey": "google_compute_instance[positive1]", "searchValue": "", - "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", - "actualValue": "'google_compute_instance[positive3].service_account.email' is empty" + "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", + "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null" }, { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 100, + "line": 46, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "test", - "searchKey": "google_compute_instance[positive4].service_account.email", + "searchKey": "google_compute_instance[positive2].service_account", "searchValue": "", - "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", - "actualValue": "'google_compute_instance[positive4].service_account.email' is an email" + "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", + "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null" }, { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 127, + "line": 73, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "test", - "searchKey": "google_compute_instance[positive5].service_account.email", + "searchKey": "google_compute_instance[positive3].service_account.email", "searchValue": "", - "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", - "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account" + "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", + "actualValue": "'google_compute_instance[positive3].service_account.email' is empty" }, { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 2, + "line": 100, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "test", - "searchKey": "google_compute_instance[positive1]", + "searchKey": "google_compute_instance[positive4].service_account.email", "searchValue": "", - "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", - "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null" + "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", + "actualValue": "'google_compute_instance[positive4].service_account.email' is an email" }, { "queryName": "Using Default Service Account", "severity": "MEDIUM", - "line": 46, + "line": 127, "filename": "positive.tf", "resourceType": "google_compute_instance", "resourceName": "test", - "searchKey": "google_compute_instance[positive2].service_account", + "searchKey": "google_compute_instance[positive5].service_account.email", "searchValue": "", - "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", - "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null" + "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", + "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json index c9f380ae5ce..ddadb20aed0 100644 --- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 44, - "filename": "positive.tf", - "resourceType": "google_compute_project_metadata_item", - "resourceName": "positive3", - "searchKey": "google_compute_project_metadata_item[positive3].value", - "searchValue": "", - "expectedValue": "google_compute_project_metadata[positive3].value should be set to false", - "actualValue": "google_compute_project_metadata[positive3].value is true" - }, { "queryName": "Serial Ports Are Enabled For VM Instances", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable should be set to false or undefined", "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true" + }, + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 44, + "filename": "positive.tf", + "resourceType": "google_compute_project_metadata_item", + "resourceName": "positive3", + "searchKey": "google_compute_project_metadata_item[positive3].value", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive3].value should be set to false", + "actualValue": "google_compute_project_metadata[positive3].value is true" } ] \ No newline at end of file diff --git a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json index 7a60a1b3e9f..9cb2a4c440c 100644 --- a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json +++ b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Name Is Not Snake Case", - "severity": "INFO", - "line": 14, - "filename": "positive2.tf", - "resourceType": "n/a", - "resourceName": "n/a", - "searchKey": "module.ACMPositive2", - "searchValue": "", - "expectedValue": "All names should be on snake case pattern", - "actualValue": "'ACMPositive2' is not in snake case" - }, { "queryName": "Name Is Not Snake Case", "severity": "INFO", @@ -22,5 +10,17 @@ "searchValue": "", "expectedValue": "All names should be on snake case pattern", "actualValue": "'positiveExample' is not in snake case" + }, + { + "queryName": "Name Is Not Snake Case", + "severity": "INFO", + "line": 14, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module.ACMPositive2", + "searchValue": "", + "expectedValue": "All names should be on snake case pattern", + "actualValue": "'ACMPositive2' is not in snake case" } ] \ No newline at end of file diff --git a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json index 18140773c0c..e686d965ab5 100644 --- a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json @@ -2,20 +2,20 @@ { "queryName": "Output Without Description", "severity": "INFO", - "line": 3, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "output.{{cluster_name}}.description", + "searchKey": "output.{{cluster_name}}", "searchValue": "", - "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null" }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive3.tf", + "filename": "positive2.tf", "resourceType": "n/a", "resourceName": "n/a", "searchKey": "output.{{cluster_name}}.description", @@ -26,13 +26,13 @@ { "queryName": "Output Without Description", "severity": "INFO", - "line": 1, - "filename": "positive1.tf", + "line": 3, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "output.{{cluster_name}}", + "searchKey": "output.{{cluster_name}}.description", "searchValue": "", - "expectedValue": "'description' should be defined and not null", - "actualValue": "'description' is undefined or null" + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json index 42ab5c21164..52c51ee869e 100644 --- a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Variable Without Description", "severity": "INFO", - "line": 4, - "filename": "positive2.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "variable.{{cluster_name}}.description", + "searchKey": "variable.{{cluster_name}}", "searchValue": "", - "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null" }, { "queryName": "Variable Without Description", "severity": "INFO", - "line": 1, - "filename": "positive1.tf", + "line": 4, + "filename": "positive2.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "variable.{{cluster_name}}", + "searchKey": "variable.{{cluster_name}}.description", "searchValue": "", - "expectedValue": "'description' should be defined and not null", - "actualValue": "'description' is undefined or null" + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty" }, { "queryName": "Variable Without Description", diff --git a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json index 3e75f724027..e4ce822919c 100644 --- a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Variable Without Type", "severity": "INFO", - "line": 3, - "filename": "positive3.tf", + "line": 1, + "filename": "positive1.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "variable.{{cluster_name}}.type", + "searchKey": "variable.{{cluster_name}}", "searchValue": "", - "expectedValue": "'type' should not be empty", - "actualValue": "'type' is empty" + "expectedValue": "'type' should be defined and not null", + "actualValue": "'type' is undefined or null" }, { "queryName": "Variable Without Type", @@ -26,13 +26,13 @@ { "queryName": "Variable Without Type", "severity": "INFO", - "line": 1, - "filename": "positive1.tf", + "line": 3, + "filename": "positive3.tf", "resourceType": "n/a", "resourceName": "n/a", - "searchKey": "variable.{{cluster_name}}", + "searchKey": "variable.{{cluster_name}}.type", "searchValue": "", - "expectedValue": "'type' should be defined and not null", - "actualValue": "'type' is undefined or null" + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json index b8b60880450..36f1b0d8f23 100644 --- a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json @@ -2,37 +2,37 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 15, + "line": 1, "filename": "positive.tf", "resourceType": "github_repository", "resourceName": "example", - "searchKey": "github_repository[positive2].private", + "searchKey": "github_repository[positive1]", "searchValue": "", - "expectedValue": "Attribute 'private' should be true", - "actualValue": "Attribute 'private' is false" + "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", + "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 28, + "line": 15, "filename": "positive.tf", "resourceType": "github_repository", "resourceName": "example", - "searchKey": "github_repository[positive3].visibility", + "searchKey": "github_repository[positive2].private", "searchValue": "", - "expectedValue": "Attribute 'visibility' should be 'private'", - "actualValue": "Attribute 'visibility' is 'public'" + "expectedValue": "Attribute 'private' should be true", + "actualValue": "Attribute 'private' is false" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 1, + "line": 28, "filename": "positive.tf", "resourceType": "github_repository", "resourceName": "example", - "searchKey": "github_repository[positive1]", + "searchKey": "github_repository[positive3].visibility", "searchValue": "", - "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", - "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null" + "expectedValue": "Attribute 'visibility' should be 'private'", + "actualValue": "Attribute 'visibility' is 'public'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json index 76c50ff5100..1a890508a44 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Container Resources Limits Undefined", - "severity": "MEDIUM", - "line": 224, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive4", - "searchKey": "kubernetes_pod[positive4].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined" - }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", @@ -58,5 +46,17 @@ "searchValue": "limits", "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" + }, + { + "queryName": "Container Resources Limits Undefined", + "severity": "MEDIUM", + "line": 224, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json index 08044c3a68a..d4819840ed0 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Containers With Added Capabilities", - "severity": "MEDIUM", - "line": 110, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", - "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set" - }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should be undefined", "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set" + }, + { + "queryName": "Containers With Added Capabilities", + "severity": "MEDIUM", + "line": 110, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", + "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json index fbbf2b2a3e4..8112dc2570f 100644 --- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "CPU Limits Not Set", - "severity": "LOW", - "line": 192, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive3", - "searchKey": "kubernetes_pod[positive3].spec.container.resources", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", - "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" - }, - { - "queryName": "CPU Limits Not Set", - "severity": "LOW", - "line": 249, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive4", - "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined" - }, { "queryName": "CPU Limits Not Set", "severity": "LOW", @@ -70,5 +46,29 @@ "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined" + }, + { + "queryName": "CPU Limits Not Set", + "severity": "LOW", + "line": 192, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" + }, + { + "queryName": "CPU Limits Not Set", + "severity": "LOW", + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json index 265cd82d5ad..108ab8990f0 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 12, + "line": 1, "filename": "positive.tf", "resourceType": "kubernetes_service_account", "resourceName": "default", - "searchKey": "kubernetes_service_account[example2].automount_service_account_token", + "searchKey": "kubernetes_service_account[example]", "searchValue": "", - "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false", - "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false" + "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set", + "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined" }, { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 1, + "line": 12, "filename": "positive.tf", "resourceType": "kubernetes_service_account", "resourceName": "default", - "searchKey": "kubernetes_service_account[example]", + "searchKey": "kubernetes_service_account[example2].automount_service_account_token", "searchValue": "", - "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set", - "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined" + "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false", + "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index f196ec5cdd5..65ea558811f 100644 --- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -2,14 +2,14 @@ { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 28, - "filename": "positive3.tf", + "line": 25, + "filename": "positive1.tf", "resourceType": "kubernetes_deployment", "resourceName": "terraform-example", - "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", + "searchKey": "kubernetes_deployment[example].spec.template.spec", "searchValue": "", - "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", - "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined" + "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined" }, { "queryName": "Deployment Has No PodAntiAffinity", @@ -26,25 +26,25 @@ { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 33, - "filename": "positive4.tf", + "line": 28, + "filename": "positive3.tf", "resourceType": "kubernetes_deployment", "resourceName": "terraform-example", - "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity", + "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", "searchValue": "", - "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata", - "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata" + "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", + "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", - "line": 25, - "filename": "positive1.tf", + "line": 33, + "filename": "positive4.tf", "resourceType": "kubernetes_deployment", "resourceName": "terraform-example", - "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity", "searchValue": "", - "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", - "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined" + "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata", + "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 33178672a2c..5a6745ced16 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Docker Daemon Socket is Exposed to Containers", - "severity": "MEDIUM", - "line": 103, - "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "example", - "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", - "searchValue": "", - "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" - }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", @@ -35,6 +23,30 @@ "expectedValue": "spec.volume[1].host_path.path should not be '/var/run/docker.sock'", "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'" }, + { + "queryName": "Docker Daemon Socket is Exposed to Containers", + "severity": "MEDIUM", + "line": 96, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" + }, + { + "queryName": "Docker Daemon Socket is Exposed to Containers", + "severity": "MEDIUM", + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" + }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", @@ -58,17 +70,5 @@ "searchValue": "", "expectedValue": "spec.job_template.spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" - }, - { - "queryName": "Docker Daemon Socket is Exposed to Containers", - "severity": "MEDIUM", - "line": 96, - "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "example", - "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", - "searchValue": "", - "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json index 0e82039c21c..ea4a6e70607 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 49, + "line": 15, "filename": "positive.tf", "resourceType": "kubernetes_horizontal_pod_autoscaler", "resourceName": "test", - "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric", "searchValue": "", - "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object", - "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object" + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object" }, { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 15, + "line": 49, "filename": "positive.tf", "resourceType": "kubernetes_horizontal_pod_autoscaler", "resourceName": "test", - "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric", "searchValue": "", - "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object", - "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object" + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index c7957540264..c53df9cdeea 100644 --- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", - "line": 30, - "filename": "positive2.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "terraform-example", - "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy", + "line": 12, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "busybox-tf", + "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy", "searchValue": "", "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", "actualValue": "Attribute 'image_pull_policy' is incorrect" @@ -14,11 +14,11 @@ { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", - "line": 12, - "filename": "positive1.tf", - "resourceType": "kubernetes_pod", - "resourceName": "busybox-tf", - "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy", + "line": 30, + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy", "searchValue": "", "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", "actualValue": "Attribute 'image_pull_policy' is incorrect" diff --git a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json index 701d992f582..9cb714feb60 100644 --- a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Image Without Digest", + "severity": "LOW", + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined" + }, + { + "queryName": "Image Without Digest", + "severity": "LOW", + "line": 36, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined" + }, { "queryName": "Image Without Digest", "severity": "LOW", @@ -46,29 +70,5 @@ "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.image has '@'", "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'" - }, - { - "queryName": "Image Without Digest", - "severity": "LOW", - "line": 9, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined" - }, - { - "queryName": "Image Without Digest", - "severity": "LOW", - "line": 36, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json index 7b03dc649a5..3b6a4aafb09 100644 --- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "filename": "positive3.tf", - "resourceType": "kubernetes_ingress", - "resourceName": "example-4", - "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", - "searchValue": "", - "expectedValue": "kubernetes_ingress[example-4] should not be exposing the workload", - "actualValue": "kubernetes_ingress[example-4] is exposing the workload" - }, { "queryName": "Ingress Controller Exposes Workload", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "kubernetes_ingress[example-ingress-2] should not be exposing the workload", "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload" + }, + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "filename": "positive3.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-4", + "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-4] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-4] is exposing the workload" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json index 4e4cf07a283..39281e135c0 100644 --- a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json @@ -14,25 +14,25 @@ { "queryName": "Invalid Image", "severity": "LOW", - "line": 113, + "line": 60, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive3", - "searchKey": "kubernetes_pod[positive3].spec.container", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest", - "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest" + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" }, { "queryName": "Invalid Image", "severity": "LOW", - "line": 60, + "line": 113, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" + "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json index 9218a95860d..537f1a9f14c 100644 --- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json @@ -2,62 +2,50 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 53, + "line": 15, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined" - }, - { - "queryName": "Memory Limits Not Defined", - "severity": "MEDIUM", - "line": 136, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 288, + "line": 53, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive4", - "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 15, + "line": 107, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 107, + "line": 136, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive2", "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" }, { "queryName": "Memory Limits Not Defined", @@ -83,6 +71,18 @@ "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.limits should be set", "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined" }, + { + "queryName": "Memory Limits Not Defined", + "severity": "MEDIUM", + "line": 288, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined" + }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json index b0bdbcd6406..972b2d9ccbc 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json @@ -2,86 +2,74 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 109, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" - }, - { - "queryName": "Memory Requests Not Defined", - "severity": "MEDIUM", - "line": 138, + "line": 12, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 231, + "line": 51, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive3", - "searchKey": "kubernetes_pod[positive3].spec.container", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 350, + "line": 109, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive5", - "searchKey": "kubernetes_pod[positive5].spec.container", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 12, + "line": 138, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 51, + "line": 195, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined" + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 195, + "line": 231, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive3", "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined" + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined" }, { "queryName": "Memory Requests Not Defined", @@ -95,6 +83,18 @@ "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory should be set", "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined" }, + { + "queryName": "Memory Requests Not Defined", + "severity": "MEDIUM", + "line": 350, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" + }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index 65298b681d5..5e403e66acf 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -2,145 +2,145 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 82, + "line": 13, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW" + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 358, + "line": 47, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive3", - "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW" + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 13, + "line": 82, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 241, + "line": 117, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 299, + "line": 150, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 415, + "line": 183, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive4", - "searchKey": "kubernetes_pod[positive4].spec.container.security_context", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 467, + "line": 212, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive5", - "searchKey": "kubernetes_pod[positive5].spec.container", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 117, + "line": 241, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW" + "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 47, + "line": 299, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 150, + "line": 358, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined" + "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 183, + "line": 415, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.security_context", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined" + "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 212, + "line": 467, "filename": "positive.tf", "resourceType": "kubernetes_pod", - "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined" + "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json index b5214b2d11c..518b3ef1268 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -2,50 +2,26 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 47, + "line": 12, "filename": "positive1.tf", "resourceType": "kubernetes_pod", "resourceName": "test10", "searchKey": "kubernetes_pod[test10].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined" - }, - { - "queryName": "No Drop Capabilities for Containers", - "severity": "LOW", - "line": 7, - "filename": "positive3.tf", - "resourceType": "kubernetes_pod", - "resourceName": "test30", - "searchKey": "kubernetes_pod[test30].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", - "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined" - }, - { - "queryName": "No Drop Capabilities for Containers", - "severity": "LOW", - "line": 36, - "filename": "positive3.tf", - "resourceType": "kubernetes_pod", - "resourceName": "test30", - "searchKey": "kubernetes_pod[test30].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", - "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined" + "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 124, - "filename": "positive3.tf", + "line": 47, + "filename": "positive1.tf", "resourceType": "kubernetes_pod", - "resourceName": "test31", - "searchKey": "kubernetes_pod[test31].spec.container", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", "searchValue": "", - "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined" + "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined" }, { "queryName": "No Drop Capabilities for Containers", @@ -59,18 +35,6 @@ "expectedValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop should be set", "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined" }, - { - "queryName": "No Drop Capabilities for Containers", - "severity": "LOW", - "line": 12, - "filename": "positive1.tf", - "resourceType": "kubernetes_pod", - "resourceName": "test10", - "searchKey": "kubernetes_pod[test10].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined" - }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", @@ -106,5 +70,41 @@ "searchValue": "", "expectedValue": "kubernetes_pod[test21].spec.container.security_context.capabilities should be set", "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined" + }, + { + "queryName": "No Drop Capabilities for Containers", + "severity": "LOW", + "line": 7, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined" + }, + { + "queryName": "No Drop Capabilities for Containers", + "severity": "LOW", + "line": 36, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined" + }, + { + "queryName": "No Drop Capabilities for Containers", + "severity": "LOW", + "line": 124, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test31", + "searchKey": "kubernetes_pod[test31].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index f2871f432db..6b2d4613317 100644 --- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "Non Kube System Pod With Host Mount", - "severity": "HIGH", - "line": 173, - "filename": "positive.tf", - "resourceType": "kubernetes_persistent_volume", - "resourceName": "terraform-example3", - "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", - "searchValue": "", - "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" - }, - { - "queryName": "Non Kube System Pod With Host Mount", - "severity": "HIGH", - "line": 233, - "filename": "positive.tf", - "resourceType": "kubernetes_persistent_volume", - "resourceName": "terraform-example4", - "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", - "searchValue": "", - "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted" - }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", @@ -46,5 +22,29 @@ "searchValue": "", "expectedValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted" + }, + { + "queryName": "Non Kube System Pod With Host Mount", + "severity": "HIGH", + "line": 173, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" + }, + { + "queryName": "Non Kube System Pod With Host Mount", + "severity": "HIGH", + "line": 233, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json index 2abc3101b60..a2bae68ecc3 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'" + }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", @@ -82,17 +94,5 @@ "searchValue": "*/pods", "expectedValue": "kubernetes_cluster_role[example4].rule.verb should not contain a wildcard value when kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 13, - "filename": "positive1.tf", - "resourceType": "kubernetes_role", - "resourceName": "terraform-example1", - "searchKey": "kubernetes_role[example1].rule.verbs.create", - "searchValue": "create/pods", - "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", - "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json index 92315ce2a0f..513896bd13b 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 89, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "positive2", - "searchKey": "kubernetes_pod[positive2].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined" - }, - { - "queryName": "Pod or Container Without Security Context", - "severity": "LOW", - "line": 88, + "line": 6, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[positive2].spec", + "searchKey": "kubernetes_pod[positive1].spec", "searchValue": "", - "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", - "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined" }, { "queryName": "Pod or Container Without Security Context", @@ -50,13 +38,25 @@ { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 6, + "line": 88, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[positive1].spec", + "searchKey": "kubernetes_pod[positive2].spec", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined" + "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined" + }, + { + "queryName": "Pod or Container Without Security Context", + "severity": "LOW", + "line": 89, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 0beccff2319..71e4d835f8b 100644 --- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 48, + "line": 9, "filename": "positive.tf", "resourceType": "kubernetes_role", - "resourceName": "terraform-example3", - "searchKey": "kubernetes_role[example3].rule", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", "actualValue": "Some rule is giving access to 'secrets' resources" @@ -14,11 +14,11 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 62, + "line": 27, "filename": "positive.tf", "resourceType": "kubernetes_cluster_role", - "resourceName": "terraform-example4", - "searchKey": "kubernetes_cluster_role[example4].rule", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", "actualValue": "Some rule is giving access to 'secrets' resources" @@ -26,11 +26,11 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 9, + "line": 48, "filename": "positive.tf", "resourceType": "kubernetes_role", - "resourceName": "terraform-example1", - "searchKey": "kubernetes_role[example1].rule", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", "actualValue": "Some rule is giving access to 'secrets' resources" @@ -38,11 +38,11 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 27, + "line": 62, "filename": "positive.tf", "resourceType": "kubernetes_cluster_role", - "resourceName": "terraform-example2", - "searchKey": "kubernetes_cluster_role[example2].rule", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", "actualValue": "Some rule is giving access to 'secrets' resources" diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json index 7226d1e7c82..774d5f64491 100644 --- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Readiness Probe Is Not Configured", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", + "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined" + }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", @@ -22,17 +34,5 @@ "searchValue": "", "expectedValue": "kubernetes_pod[test2].spec.container[1].readiness_probe should be set", "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined" - }, - { - "queryName": "Readiness Probe Is Not Configured", - "severity": "MEDIUM", - "line": 7, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "test", - "searchKey": "kubernetes_pod[test].spec.container", - "searchValue": "", - "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", - "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 4d596eb5cfb..1a1077e269b 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -2,26 +2,26 @@ { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 44, + "line": 14, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined" + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true" }, { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 14, + "line": 44, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "positive1", - "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}", "searchValue": "", - "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true" + "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined" }, { "queryName": "Root Container Not Mounted As Read-only", diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json index 487770eb817..1d7f7dfbb30 100644 --- a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json @@ -2,38 +2,26 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 7, - "filename": "positive.tf", - "resourceType": "kubernetes_pod_security_policy", - "resourceName": "terraform-example", - "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", - "searchValue": "", - "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" - }, - { - "queryName": "Root Containers Admitted", - "severity": "MEDIUM", - "line": 37, + "line": 6, "filename": "positive.tf", "resourceType": "kubernetes_pod_security_policy", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", + "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", "searchValue": "", - "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", - "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)" + "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 6, + "line": 7, "filename": "positive.tf", "resourceType": "kubernetes_pod_security_policy", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", "searchValue": "", - "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true" + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" }, { "queryName": "Root Containers Admitted", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule limits its ranges", "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges" + }, + { + "queryName": "Root Containers Admitted", + "severity": "MEDIUM", + "line": 37, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", + "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json index 5ae73389335..e2613747a9f 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json @@ -2,38 +2,14 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 411, - "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "deployment3", - "searchKey": "kubernetes_deployment[deployment3].spec.template.metadata.annotations", - "searchValue": "", - "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 115, + "line": 2, "filename": "positive.tf", "resourceType": "kubernetes_pod", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[pod3].metadata.annotations", - "searchValue": "", - "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 348, - "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "deployment2", - "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", + "searchKey": "kubernetes_pod[pod1].metadata", "searchValue": "", - "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", - "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" + "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", + "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -50,14 +26,14 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 249, + "line": 115, "filename": "positive.tf", - "resourceType": "kubernetes_cron_job", - "resourceName": "demo", - "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod3].metadata.annotations", "searchValue": "", - "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -83,6 +59,18 @@ "expectedValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", @@ -98,13 +86,25 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 2, + "line": 348, "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[pod1].metadata", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment2", + "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", "searchValue": "", - "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", - "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined" + "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 411, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment3", + "searchKey": "kubernetes_deployment[deployment3].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json index 45c98992695..ea8448b8383 100644 --- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 36, - "filename": "positive3.tf", - "resourceType": "kubernetes_pod", - "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[test3].spec.service_account_name", - "searchValue": "", - "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct", - "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty" - }, { "queryName": "Service Account Name Undefined Or Empty", "severity": "MEDIUM", @@ -34,5 +22,17 @@ "searchValue": "", "expectedValue": "kubernetes_pod[test2].spec.service_account_name should be defined and not null", "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 36, + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test3].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct", + "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json index 2fc06aae9a6..3b82851defc 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -2,26 +2,14 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 162, - "filename": "positive.tf", - "resourceType": "kubernetes_pod", - "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[test6].spec", - "searchValue": "", - "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", - "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined" - }, - { - "queryName": "Service Account Token Automount Not Disabled", - "severity": "MEDIUM", - "line": 144, + "line": 25, "filename": "positive.tf", - "resourceType": "kubernetes_cron_job", - "resourceName": "demo", - "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", "searchValue": "", - "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", - "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true" + "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -38,13 +26,25 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 25, + "line": 144, "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "example", - "searchKey": "kubernetes_deployment[example].spec.template.spec", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", "searchValue": "", - "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", - "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined" + "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true" + }, + { + "queryName": "Service Account Token Automount Not Disabled", + "severity": "MEDIUM", + "line": 162, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test6].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", + "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json index e4a678078ed..cd4dff31bc9 100644 --- a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 200, - "filename": "positive.tf", - "resourceType": "kubernetes_deployment", - "resourceName": "example", - "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image", - "searchValue": "", - "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers", - "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container" - }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", @@ -58,5 +46,17 @@ "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.template.metadata should not refer to any Tiller resource", "actualValue": "kubernetes_deployment[example].spec.template.metadata does not refer to any Tiller resource" + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 200, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers", + "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 07438b91720..a867516865d 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -2,62 +2,50 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 100, + "line": 8, "filename": "positive1.tf", "resourceType": "kubernetes_pod", - "resourceName": "test11", - "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", "searchValue": "", - "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined" + "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 158, + "line": 66, "filename": "positive1.tf", "resourceType": "kubernetes_pod", - "resourceName": "test12", - "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", - "searchValue": "", - "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", - "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined" - }, - { - "queryName": "Volume Mount With OS Directory Write Permissions", - "severity": "HIGH", - "line": 105, - "filename": "positive2.tf", - "resourceType": "kubernetes_pod", - "resourceName": "test21", - "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", "searchValue": "", - "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", - "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false" + "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 164, - "filename": "positive2.tf", + "line": 100, + "filename": "positive1.tf", "resourceType": "kubernetes_pod", - "resourceName": "test22", - "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", "searchValue": "", - "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", - "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false" + "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 170, - "filename": "positive2.tf", + "line": 158, + "filename": "positive1.tf", "resourceType": "kubernetes_pod", - "resourceName": "test22", - "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", "searchValue": "", - "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", - "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false" + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -122,49 +110,61 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 258, + "line": 105, "filename": "positive2.tf", "resourceType": "kubernetes_pod", - "resourceName": "test23", - "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", "searchValue": "", - "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", - "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false" + "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 264, + "line": 164, "filename": "positive2.tf", "resourceType": "kubernetes_pod", - "resourceName": "test23", - "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", "searchValue": "", - "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", - "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false" + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 8, - "filename": "positive1.tf", + "line": 170, + "filename": "positive2.tf", "resourceType": "kubernetes_pod", - "resourceName": "test10", - "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", "searchValue": "", - "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined" + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 66, - "filename": "positive1.tf", + "line": 258, + "filename": "positive2.tf", "resourceType": "kubernetes_pod", - "resourceName": "test11", - "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", "searchValue": "", - "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined" + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false" + }, + { + "queryName": "Volume Mount With OS Directory Write Permissions", + "severity": "HIGH", + "line": 264, + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false" } ] \ No newline at end of file diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json index 9793dffd904..16e0ff72318 100644 --- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json @@ -2,11 +2,11 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 41, - "filename": "positive2.tf", - "resourceType": "kubernetes_deployment", + "line": 16, + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", "resourceName": "terraform-example", - "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port", + "searchKey": "kubernetes_pod[test].spec.container.port", "searchValue": "", "expectedValue": "Attribute 'host_port' should be defined and not null", "actualValue": "Attribute 'host_port' is undefined or null" @@ -14,11 +14,11 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 16, - "filename": "positive1.tf", - "resourceType": "kubernetes_pod", + "line": 41, + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", "resourceName": "terraform-example", - "searchKey": "kubernetes_pod[test].spec.container.port", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port", "searchValue": "", "expectedValue": "Attribute 'host_port' should be defined and not null", "actualValue": "Attribute 'host_port' is undefined or null" diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index 0891e73e269..ecee4586061 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Nifcloud Computing Has Common Private Network", "severity": "LOW", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "nifcloud_instance", "resourceName": "positive", "searchKey": "nifcloud_instance[positive]", @@ -15,7 +15,7 @@ "queryName": "Nifcloud Computing Has Common Private Network", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "nifcloud_instance", "resourceName": "positive", "searchKey": "nifcloud_instance[positive]", diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json index c10c24a5b08..b8f2e140106 100644 --- a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Nifcloud ELB Has Common Private Network", "severity": "LOW", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "nifcloud_elb", "resourceName": "positive", "searchKey": "nifcloud_elb[positive]", @@ -15,7 +15,7 @@ "queryName": "Nifcloud ELB Has Common Private Network", "severity": "LOW", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "nifcloud_elb", "resourceName": "positive", "searchKey": "nifcloud_elb[positive]", diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json index 8811ea933a6..f73799b4f70 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "Nifcloud LB Using Insecure TLS Policy ID", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "nifcloud_load_balancer", "resourceName": "positive", "searchKey": "nifcloud_load_balancer[positive]", @@ -15,7 +15,7 @@ "queryName": "Nifcloud LB Using Insecure TLS Policy ID", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "nifcloud_load_balancer", "resourceName": "positive", "searchKey": "nifcloud_load_balancer[positive]", diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json index 52e12932b84..ad71e6e7670 100644 --- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json @@ -3,25 +3,25 @@ "queryName": "CLB Listener Using Insecure Protocols", "severity": "HIGH", "line": 4, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "tencentcloud_clb_listener", "resourceName": "listener", "searchKey": "tencentcloud_clb_listener[listener].protocol", "searchValue": "", - "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol", - "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol" + "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol", + "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol" }, { "queryName": "CLB Listener Using Insecure Protocols", "severity": "HIGH", "line": 4, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "tencentcloud_clb_listener", "resourceName": "listener", "searchKey": "tencentcloud_clb_listener[listener].protocol", "searchValue": "", - "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol", - "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol" + "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol", + "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol" }, { "queryName": "CLB Listener Using Insecure Protocols", diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json index b8dff543959..0478e8be2ca 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json @@ -2,25 +2,25 @@ { "queryName": "CVM Instance Using Default VPC", "severity": "LOW", - "line": 23, + "line": 22, "filename": "positive1.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", - "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id", + "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id", "searchValue": "", - "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet", - "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet" + "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'", + "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'" }, { "queryName": "CVM Instance Using Default VPC", "severity": "LOW", - "line": 22, + "line": 23, "filename": "positive1.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", - "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id", + "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id", "searchValue": "", - "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'", - "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'" + "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet", + "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet" } ] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json index 67095c53c01..82c7901073c 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json @@ -3,7 +3,7 @@ "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "filename": "positive2.tf", + "filename": "positive1.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", @@ -15,7 +15,7 @@ "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "filename": "positive1.tf", + "filename": "positive2.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", @@ -27,7 +27,7 @@ "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "filename": "positive4.tf", + "filename": "positive3.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", @@ -39,7 +39,7 @@ "queryName": "CVM Instance Using User Data", "severity": "LOW", "line": 41, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "tencentcloud_instance", "resourceName": "cvm_postpaid", "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json index 4aeeb750a1f..45e028271bd 100644 --- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json @@ -15,36 +15,36 @@ "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "tencentcloud_security_group_rule_set", "resourceName": "base", "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" + "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" }, { "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "filename": "positive2.tf", + "filename": "positive3.tf", "resourceType": "tencentcloud_security_group_rule_set", "resourceName": "base", "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", - "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic", "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" }, { "queryName": "Security Group Rule Set Accepts All Traffic", "severity": "HIGH", "line": 9, - "filename": "positive3.tf", + "filename": "positive4.tf", "resourceType": "tencentcloud_security_group_rule_set", "resourceName": "base", "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", - "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" + "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", + "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" } ] \ No newline at end of file diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json index e7f3cb7220d..eab94f2ffb6 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json @@ -27,42 +27,42 @@ "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", "line": 62, - "filename": "positive4.tf", + "filename": "positive2.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined", "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 104, - "filename": "positive4.tf", + "line": 83, + "filename": "positive2.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined", "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 124, - "filename": "positive4.tf", + "line": 63, + "filename": "positive3.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 63, + "line": 84, "filename": "positive3.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", @@ -74,73 +74,73 @@ { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 83, - "filename": "positive4.tf", + "line": 105, + "filename": "positive3.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 62, - "filename": "positive2.tf", + "line": 126, + "filename": "positive3.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 83, - "filename": "positive2.tf", + "line": 62, + "filename": "positive4.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 84, - "filename": "positive3.tf", + "line": 83, + "filename": "positive4.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", + "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 105, - "filename": "positive3.tf", + "line": 104, + "filename": "positive4.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" }, { "queryName": "TKE Cluster Has Public Access", "severity": "MEDIUM", - "line": 126, - "filename": "positive3.tf", + "line": 124, + "filename": "positive4.tf", "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": "example", - "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", + "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", - "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" + "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" } ] \ No newline at end of file From 0fc123d26a994c83ac726cbb0f8a4c65516c4b03 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 12:28:46 +0000 Subject: [PATCH 04/22] changed more positive expected results --- .../__pycache__/models.cpython-312.pyc | Bin 1488 -> 1521 bytes .../__pycache__/runner.cpython-312.pyc | Bin 4901 -> 5114 bytes .../write_expected_results.cpython-312.pyc | Bin 5029 -> 5797 bytes .../models.py | 1 + .../run_skipped.py | 210 + .../runner.py | 11 +- .../skipped_queries_report.json | 4020 +---------------- .../write_expected_results.py | 25 + .../test/positive_expected_result.json | 198 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 96 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 914 ++-- .../test/positive_expected_result.json | 950 ++-- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 18 +- .../dynamo/test/positive_expected_result.json | 42 +- .../ebs/test/positive_expected_result.json | 50 +- .../efs/test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 18 +- .../mq/test/positive_expected_result.json | 26 +- .../msk/test/positive_expected_result.json | 18 +- .../rds/test/positive_expected_result.json | 74 +- .../test/positive_expected_result.json | 18 +- .../sns/test/positive_expected_result.json | 18 +- .../sqs/test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 12 +- .../pd/test/positive_expected_result.json | 92 +- .../pst/test/positive_expected_result.json | 38 +- .../sb/test/positive_expected_result.json | 92 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 48 + .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 96 + .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 36 + .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 28 +- .../test/positive_expected_result.json | 34 +- .../test/positive_expected_result.json | 24 + .../test/positive_expected_result.json | 72 + .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 48 +- .../test/positive_expected_result.json | 12 +- .../dynamo/test/positive_expected_result.json | 34 +- .../ebs/test/positive_expected_result.json | 18 +- .../efs/test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 18 +- .../mq/test/positive_expected_result.json | 18 +- .../msk/test/positive_expected_result.json | 18 +- .../rds/test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 82 +- .../sns/test/positive_expected_result.json | 42 +- .../sqs/test/positive_expected_result.json | 42 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 10 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 58 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 39 +- .../positive2/positive_expected_result.json | 56 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 204 +- .../test/positive_expected_result.json | 222 +- .../test/positive_expected_result.json | 198 +- .../test/positive_expected_result.json | 58 +- .../test/positive_expected_result.json | 38 +- .../fi/test/positive_expected_result.json | 56 +- .../pd/test/positive_expected_result.json | 110 +- .../pst/test/positive_expected_result.json | 74 +- .../redis/test/positive_expected_result.json | 38 +- .../sb/test/positive_expected_result.json | 56 +- 141 files changed, 4828 insertions(+), 6182 deletions(-) create mode 100644 .github/scripts/generate-positive-expective-results/run_skipped.py diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/models.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/models.cpython-312.pyc index 0255bb1ba8e223ca27f7897efbaf4f4345b4a01f..afeaa5bad556224c245e380be52e8fd4a81321f1 100644 GIT binary patch delta 196 zcmcb>{gIpZG%qg~0}v=bUY8lUk(ZH)FF-#dKQ~psC^I>+C?$WgI@5Z_s)?t}C-X6z z38ipGai{X6vZQd?0QFR|YjRKaV9w%pyTz7S9G{e*tI0cg3$rDcGEnjsOHzJ*&g3`D za*QsMxmm1uFS97!5SD0g>u|ZkA~D&6rJGF!sH{kH@=X?5E)5V9L`Y3yRc6$ftiq}R lBz;+B8MP;8vl@x8GfIA701}^>8JM^~FoC#2lQ*);0|22WGAjT8 delta 213 zcmey!eSw?zG%qg~0}$|rugP@S$jiti8Lgj@pPQ;*l$o4Zl#-uYn5FNMTAW>yUocsQ zX+2}kpCcCm~0LeU7Sw_vtJ*-B?Y>dhu7=XlQW(Fqi c4@@Ag0Fd>aiILHP@dE>h1WSDc3xFK}0ITyZ?EnA( diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc index f530ee01a6ea3477817d39cdb2f0b8321bd2b2ff..ed31b83500c1964c69f499888c72996807f75d6b 100644 GIT binary patch delta 955 zcmZXT%TE(Q9LINdyN~XpkL{C}EeQg(E-M z5@WH*_uE{b zB#9@`^K10AHYmMuJqEmtTnfE=i|{SD%V(sFYf`>U#N6;C`MhbKR+O=PZa$zW>U4T6 zt19^!BxW>4S0~_i@}lcP;zmBFCUk8)t!MJ^9CZy`g)gZgSCMlUxkxD>h)jtP;BTsl zJWauR#|~AXE%@0H>}Ds4brNrfAPS5{>uiRzh!p#e5CkHmMNb2ZDXG15meb;#TC+M zE9DrN)hnZI9#1_8&FOK}(U6ddMx$_ti|{>2H(_`W{^61*pR3@{y-4#KbAWONA2E^P4sWIM7N zI)51Zc&qvd9F|+aI5gzz2?;Q(btM8VPt3J5Pv`cqEJa&^4`Z|-Jn*Hhdk^c~u_z@!w=hfJCAB!aB)?#C0&@&w$mG4uz8oI}IeFMVFmO(mV3B3| z!!+5PULgd3jqqegc4JPJ3g$?Laz;&&$+hh1 z9PEXqsYRKo#gjNXW#xcQEK&dw%0S{4M_Oi1YF=V)YLN<%J9#08B$Foh^UfK1!XOoEFT*>pjo?vqyuMJjlJm_{H%2uR#w z$;kw|R06~YIiM(Lva+xWW87p9;W&M6Mz$G}9~gktf|3=^3oAc^m>*>18HGW@Knf`A Rby3~?Gl>1cW%5;FRRD9Nny3H( diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc index e07ee618dae9c1fa2ef827d14bccfb68f64fc399..6bd1f3d9f821d05d669d58ec4643c956cd6db5fa 100644 GIT binary patch delta 1628 zcmZ`(O>7%Q6rS;}*X!N&Pn<+`out{ON)wZ&Ax&GLkd%m!R8Sc;r4@|;$MR0nbsRg) zuA{heaD)O%MMYc9p$JqF4i!H=P?QT2XFvi3F+U|*DCz-j91N+D;KZAa(%p&|6bX@us5l3-wdQXoAwDb%D`lir$?T-hraz8c{kF--K= zY=z4SWnL_aB|M8QeCbdLX9PAFs1J!-dn$aThyg9A}V=Kqqurubd*fzXNhhU zX0m2FWfQ%&-vjy-Av0!fQqSkIMcqD6^a+z%ww_O?3zU*vn&|lnouty|^+L{ksjxZo zpyLOF789vy;>Z@6CDgQwj>rPii;1}42o|v&A!Qhjl$x0#IV0|+670kgEkbgRW{~^2 zfXhZUj8HTDbO_8Kdpj0Yk1Ar7-8`~-e$Ri$m*h+ji;4Si zFB=eB)V>W5gffSDxv-*0@%5EILiM?JKeed~J}H?f4A=%S4<=qPT5By&(ATcI4EX&L6EY10nA zw8p-a&+T6y4nTi9{`B#yE7{O!spOlyU1{mO3pdvQCH zm4E8)HKXR9)t=+uH$A>8NAJo}CaH72r*XTt@m_+xs&=WLi?NY5?-y;}k*<|b)#rp= z@cSTofCE2ED9=Z@evCa3>eafq+5<35A7qoEJ-Cm(7V0&RaQYz*X8`z4k`rc@&?h-H z%qcOOPZ{p+Ys>MGvm8b^Jj~%RK-@=LxDMY1azfUW32($m^7Ar@MNcw4+!{FrV;20L z?jwMAKx6DwxXn8b%rh%uO95igZTZqD&q2!p>YN35v0~#?nSDY>bszL##|pv^WEe7RGsZ7FhU_{oc>K_vY=(Y_xA23cm}5 z3?!tx>V@Nm*26W@SG3;Ny&@Bp;7OTit8zvo5u#9;1Zj{;H#CF@E)gLmhcizMtLW0 z?bJQ$dUnonJzr(i%d@#Fe{V0%5D^TBZ|9BR1LR@;U2fnX9UQ`bQd3pR`Smp!}kj3f(GVKq&&Z?PpC1G!YcT# z-pa2AF7rmC54Z74Mvt_E_kO($N4uij#aK%Q@EbbTP?ZTWwUZYM0yINmAVuNu|7Ul zm0Dr2B0u1IjKQfNv`c%o?ehIF&{M=3g<|yrzkuEv_!Ba> tQOy?=-$u1XHH8Q8=3)_netB}Iq<>t*4fs6X94;czuey21epiO>e*mnu#mfKy diff --git a/.github/scripts/generate-positive-expective-results/models.py b/.github/scripts/generate-positive-expective-results/models.py index 1e91f410fad..f5dfd4f0483 100644 --- a/.github/scripts/generate-positive-expective-results/models.py +++ b/.github/scripts/generate-positive-expective-results/models.py @@ -21,6 +21,7 @@ class QueryInfo: payload_path: str results_info: list[ResultInfo] = field(default_factory=list) return_code: int | None = None + is_bom: bool = False @dataclass class TestList: diff --git a/.github/scripts/generate-positive-expective-results/run_skipped.py b/.github/scripts/generate-positive-expective-results/run_skipped.py new file mode 100644 index 00000000000..00167f92f49 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/run_skipped.py @@ -0,0 +1,210 @@ +#!/usr/bin/env python3 +""" +Run scans for skipped queries individually (per test file) and write positive_expected_result.json. + +For queries that returned no results when scanning the whole test directory, this script +re-runs the scan once per individual positive test file so the query engine can isolate +matches that it misses when all files are scanned together. + +Usage: + python run_skipped.py [path/to/skipped_queries_report.json] + +Defaults to skipped_queries_report.json in the same directory as this script. +""" + +import json +import subprocess +import sys +from pathlib import Path + +SCRIPT_DIR = Path(__file__).resolve().parent +sys.path.insert(0, str(SCRIPT_DIR)) + +from write_expected_results import deduplicate_results + +KICS_ROOT = Path(__file__).resolve().parents[3] +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") +DEFAULT_SKIPPED_REPORT = SCRIPT_DIR / "skipped_queries_report.json" + + +def get_positive_test_files(test_path: Path) -> list[Path]: + """Return all positive test files/dirs in the test dir (excluding positive_expected_result.json).""" + positives = [] + for item in sorted(test_path.iterdir()): + if item.name.startswith("positive") and item.name != "positive_expected_result.json": + positives.append(item) + return positives + + +def get_payload_for_test(test_file: Path, payload_dir: Path) -> Path: + """Return the individual payload file for a test file, falling back to all_payloads.json.""" + stem = test_file.stem if test_file.is_file() else test_file.name + individual = payload_dir / f"{stem}_payload.json" + if individual.is_file(): + return individual + return payload_dir / "all_payloads.json" + + +def run_individual_scan( + query_id: str, + test_file: Path, + results_dir: Path, + payload_file: Path, +) -> tuple[Path, int]: + """Run a scan on a single test file/dir. Returns (output_file_path, return_code).""" + stem = test_file.stem if test_file.is_file() else test_file.name + output_name = f"{stem}_results.json" + output_file = results_dir / output_name + + results_dir.mkdir(parents=True, exist_ok=True) + + cmd = [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", str(test_file), + "-o", str(results_dir), + "--output-name", output_name, + "-i", query_id, + "-d", str(payload_file), + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs", + ] + + print(f" $ {' '.join(cmd)}") + result = subprocess.run(cmd, cwd=str(KICS_ROOT)) + return output_file, result.returncode + + +def parse_results_from_file(results_file: Path) -> list[dict]: + """Parse a scan result JSON file and return a list of result dicts.""" + if not results_file.is_file(): + return [] + + with open(results_file, "r", encoding="utf-8") as f: + data = json.load(f) + + results = [] + bom_entries = data.get("bill_of_materials", []) + query_entries = data.get("queries", []) + all_entries = bom_entries if bom_entries else query_entries + + for q in all_entries: + query_name = q.get("query_name", "") + severity = q.get("severity", "") + for file_entry in q.get("files", []): + filename = Path(file_entry.get("file_name", "")).name + results.append({ + "queryName": query_name, + "severity": severity, + "line": file_entry.get("line", ""), + "filename": filename, + "resourceType": file_entry.get("resource_type", ""), + "resourceName": file_entry.get("resource_name", ""), + "searchKey": file_entry.get("search_key", ""), + "searchValue": file_entry.get("search_value", ""), + "expectedValue": file_entry.get("expected_value", ""), + "actualValue": file_entry.get("actual_value", ""), + }) + + return results + + +def process_skipped_query(query: dict) -> list[dict]: + """Run per-file scans for a skipped query and return aggregated results.""" + query_id = query["id"] + test_path = Path(query["test_path"]) + results_dir = Path(query["results_file_path"]) + payload_dir = test_path.parent / "payloads" + + print(f" Test path : {test_path}") + + if not test_path.is_dir(): + print(f" ⚠ Test directory not found") + return [] + + positive_files = get_positive_test_files(test_path) + if not positive_files: + print(f" ⚠ No positive test files found") + return [] + + print(f" Positive files: {[f.name for f in positive_files]}") + + all_results = [] + for test_file in positive_files: + payload_file = get_payload_for_test(test_file, payload_dir) + print(f"\n [{test_file.name}] payload → {payload_file.name}") + + output_file, return_code = run_individual_scan( + query_id=query_id, + test_file=test_file, + results_dir=results_dir, + payload_file=payload_file, + ) + + if return_code != 0: + print(f" ⚠ Scan failed with return code {return_code}") + else: + print(f" ✓ Scan completed") + + file_results = parse_results_from_file(output_file) + print(f" → {len(file_results)} result(s) found") + all_results.extend(file_results) + + return all_results + + +def write_positive_expected_result(test_path: Path, results: list[dict]) -> None: + """Deduplicate, sort, and write positive_expected_result.json to the test directory.""" + results = deduplicate_results(results) + results.sort(key=lambda r: ( + r["filename"], + r["line"] if isinstance(r["line"], int) else 0, + )) + + output_file = test_path / "positive_expected_result.json" + with open(output_file, "w", encoding="utf-8") as f: + json.dump(results, f, indent=2, ensure_ascii=False) + + print(f"\n ✓ Written: {output_file} ({len(results)} result(s))") + + +def main() -> None: + report_path = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SKIPPED_REPORT + + if not report_path.is_file(): + print(f"Error: report file not found: {report_path}", file=sys.stderr) + sys.exit(1) + + with open(report_path, "r", encoding="utf-8") as f: + skipped_queries = json.load(f) + + total = len(skipped_queries) + print(f"Processing {total} skipped quer{'y' if total == 1 else 'ies'} from: {report_path}") + print("=" * 60) + + still_skipped = [] + + for i, query in enumerate(skipped_queries, start=1): + print(f"\n[{i}/{total}] Query: {query['id']}") + results = process_skipped_query(query) + + if not results: + print(f" ⚠ No results produced — skipping positive_expected_result.json") + still_skipped.append(query["id"]) + continue + + write_positive_expected_result(Path(query["test_path"]), results) + + print(f"\n{'=' * 60}") + succeeded = total - len(still_skipped) + print(f"Done: {succeeded}/{total} queries updated successfully") + + if still_skipped: + print(f"\nStill produced no results ({len(still_skipped)}):") + for qid in still_skipped: + print(f" - {qid}") + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expective-results/runner.py b/.github/scripts/generate-positive-expective-results/runner.py index b6c0a2e83b3..a1730e98216 100644 --- a/.github/scripts/generate-positive-expective-results/runner.py +++ b/.github/scripts/generate-positive-expective-results/runner.py @@ -21,6 +21,8 @@ def build_command(query: QueryInfo) -> list[str]: "-d", f"{query.payload_path}/all_payloads.json", "-v", "--experimental-queries", + "--bom", + "--enable-openapi-refs" ] @@ -35,7 +37,14 @@ def parse_results(query: QueryInfo) -> list[ResultInfo]: results: list[ResultInfo] = [] - for q in data.get("queries", []): + bom_entries = data.get("bill_of_materials", []) + query_entries = data.get("queries", []) + + if bom_entries: + query.is_bom = True + + all_entries = bom_entries if bom_entries else query_entries + for q in all_entries: query_name = q.get("query_name", "") severity = q.get("severity", "") diff --git a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json index 4f4fa562adc..c4f767ef48a 100644 --- a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json +++ b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json @@ -26,8 +26,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T09:32:46.800174148Z", - "end": "2026-03-09T09:32:47.420617652Z", + "start": "2026-03-10T09:50:40.373333785Z", + "end": "2026-03-10T09:50:41.42904951Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test" ], @@ -61,8 +61,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T09:39:19.582140442Z", - "end": "2026-03-09T09:39:19.998238133Z", + "start": "2026-03-10T09:56:40.654558993Z", + "end": "2026-03-10T09:56:41.08021575Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test" ], @@ -70,3321 +70,17 @@ } }, { - "id": "124b173b-e06d-48a6-8acd-f889443d97a4", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 3, - "lines_scanned": 31, - "files_parsed": 3, - "lines_parsed": 31, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:33.621317947Z", - "end": "2026-03-09T09:39:34.057060952Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/cassandra/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS Cassandra", - "query_id": "124b173b-e06d-48a6-8acd-f889443d97a4", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance", - "description_id": "bd2db07c", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/cassandra/test/positive1.yaml", - "similarity_id": "cf7a5253ec063fc07a17492a1094d19cb8ee6588a487e1489c94badcd5786d22", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.myNewTable1", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"myNewTable1\",\"resource_type\":\"AWS::Cassandra::Table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/cassandra/test/positive2.yaml", - "similarity_id": "c8f4328271ad118dee81cc8a6ef4e381719cbd0625966224dd3b1c961c3ecd6b", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.myNewTable2", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"myNewTable2\",\"resource_type\":\"AWS::Cassandra::Table\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 6, - "lines_scanned": 189, - "files_parsed": 6, - "lines_parsed": 189, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 5 - }, - "total_counter": 0, - "total_bom_resources": 5, - "start": "2026-03-09T09:39:35.628416208Z", - "end": "2026-03-09T09:39:36.14340248Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/dynamo/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS DynamoDB", - "query_id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.", - "description_id": "b0d40495", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive4.yaml", - "similarity_id": "d3e3d7f0f6b1a5c83c8dd49daefd3354b11058b71bb71d40caab6461af7766ed", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DynamoDBOnDemandTable2", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test4\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive2.yaml", - "similarity_id": "dd7b50c6ab79b9db23badd92b800ca8941a9f7f9dee2958b80223e53f48392fb", - "line": 27, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DynamoDBOnDemandTable2", - "search_line": 27, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test2\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive1.yaml", - "similarity_id": "cd564d683868c3440f871016300a0c991a2798823d61328bbd4696ec944a3c21", - "line": 27, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DynamoDBOnDemandTable2", - "search_line": 27, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive5.yaml", - "similarity_id": "20646266ea6e73c87cdfa62ce4d0bc34da4ef8ca82c6196698659f4c10d44171", - "line": 27, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DynamoDBOnDemandTable2", - "search_line": 27, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/dynamo/test/positive3.yaml", - "similarity_id": "5908df1c2e0f1eabea2d89ec9efe40f40e6341c7cc0084f2f13cc33661897f98", - "line": 27, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DynamoDBOnDemandTable2", - "search_line": 27, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test3\",\"resource_type\":\"AWS::DynamoDB::Table\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "0b0556ea-9cd9-476f-862e-20679dda752b", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 128, - "files_parsed": 8, - "lines_parsed": 128, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 6 - }, - "total_counter": 0, - "total_bom_resources": 6, - "start": "2026-03-09T09:39:37.856769268Z", - "end": "2026-03-09T09:39:38.278517537Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/ebs/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS EBS", - "query_id": "0b0556ea-9cd9-476f-862e-20679dda752b", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).", - "description_id": "6869b929", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive2.json", - "similarity_id": "35dbc5db0a8c9a30ac70ed0d652028b9a0cae32464fd3561cc0f9e2314ada1fe", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive6.json", - "similarity_id": "948b6104f5bde62901e2c7823f1e7656d8cd444d279263b357d33020b44d7762", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive5.yaml", - "similarity_id": "b303390a57eff74d8d91f38594a0bbd59c590fda69f43cf5f0e31c5ce41dd889", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive3.yaml", - "similarity_id": "83658baa6ae1329b12fe5f5afe67d04ae1bf999a8b747f42d275eccd80b56dcd", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive1.yaml", - "similarity_id": "9f9e21fbce603b2a82f565acd4d7d51064f79a4f979ed5f3118217739f537386", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/ebs/test/positive4.json", - "similarity_id": "06bd775bbdbf876bbdd7f312907caa7a89a84bf295b851cd554e31ceff3f6881", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.NewVolume", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"NewVolume\",\"resource_type\":\"AWS::EC2::Volume\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "ef05a925-8568-4054-8ff1-f5ba82631c16", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 6, - "lines_scanned": 141, - "files_parsed": 6, - "lines_parsed": 141, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 4 - }, - "total_counter": 0, - "total_bom_resources": 4, - "start": "2026-03-09T09:39:39.633334188Z", - "end": "2026-03-09T09:39:39.95586813Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/efs/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS EFS", - "query_id": "ef05a925-8568-4054-8ff1-f5ba82631c16", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.", - "description_id": "f6d4e4b8", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive1.yaml", - "similarity_id": "15f1867317e27cb1d592c3004de6a519396c9cc38b18c5aefe95c97353b7f6d0", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.FileSystemResource", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive3.yaml", - "similarity_id": "08902adb0230f388141eea24c1490a30ad5ffb029bbfc2af4a9ed5acf5079ab5", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.FileSystemResource", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive2.json", - "similarity_id": "eec590ffb1d8a01adb3312249a32b804fceac800ddfba132599977e415e543e4", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.FileSystemResource", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/efs/test/positive4.json", - "similarity_id": "f22820832038022e83ccb7e551dfbe556a5e4fee9ac50f127b95cae13c03a566", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.FileSystemResource", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"TestFileSystem\",\"resource_type\":\"AWS::EFS::FileSystem\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "c689f51b-9203-43b3-9d8b-caed123f706c", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 5, - "lines_scanned": 101, - "files_parsed": 5, - "lines_parsed": 101, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 3 - }, - "total_counter": 0, - "total_bom_resources": 3, - "start": "2026-03-09T09:39:41.152428023Z", - "end": "2026-03-09T09:39:41.566123528Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/elasticache/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS Elasticache", - "query_id": "c689f51b-9203-43b3-9d8b-caed123f706c", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.", - "description_id": "deea2b5c", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive2.json", - "similarity_id": "9a857b97727630406960519cb8fcd30e370d5bc6f24a9ceede66d8b200a28b56", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.ElasticacheCluster", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive1.yaml", - "similarity_id": "0951669f6e87b1ca8a164c4c71fb3ff4a1921745ad6c426f3456958c93bdb4b6", - "line": 2, - "issue_type": "BillOfMaterials", - "search_key": "Resources.ElasticacheCluster", - "search_line": 2, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/elasticache/test/positive3.yaml", - "similarity_id": "8564117e4ff4464bd3b9b59fd2ead8070591acbcdf04e804cc3238968cce4cd3", - "line": 2, - "issue_type": "BillOfMaterials", - "search_key": "Resources.ElasticacheCluster", - "search_line": 2, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"ElasticacheCluster\",\"resource_type\":\"AWS::ElastiCache::CacheCluster\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "d53323be-dde6-4457-9a43-42df737e71d2", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 48, - "files_parsed": 4, - "lines_parsed": 48, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:42.915771229Z", - "end": "2026-03-09T09:39:43.668867078Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/kinesis/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS Kinesis", - "query_id": "d53323be-dde6-4457-9a43-42df737e71d2", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time", - "description_id": "4b8f3b90", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/kinesis/test/positive1.yaml", - "similarity_id": "a510b0c07f025705029a3f761b89b73d66246f2be5914c5b94d21d7fcffae3f6", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.MyStream", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyKinesisStream1\",\"resource_type\":\"AWS::Kinesis::Stream\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/kinesis/test/positive2.json", - "similarity_id": "9678dcd7f0118bae0b4a369ecb1d95ce6da485bb261fed7c1fcfd524c8882910", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.MyStream2", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"MyKinesisStream2\",\"resource_type\":\"AWS::Kinesis::Stream\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "209189f3-c879-48a7-9703-fbcfa96d0cef", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 5, - "lines_scanned": 104, - "files_parsed": 5, - "lines_parsed": 104, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 3 - }, - "total_counter": 0, - "total_bom_resources": 3, - "start": "2026-03-09T09:39:45.263899826Z", - "end": "2026-03-09T09:39:45.651336799Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/mq/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS MQ", - "query_id": "209189f3-c879-48a7-9703-fbcfa96d0cef", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.", - "description_id": "93a9e162", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive2.json", - "similarity_id": "f953fb95af7da6488a8bcd76d56044700c9bd942df83b1ed0881eb9437cfe507", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.BasicBroker2", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive3.yaml", - "similarity_id": "86d1a91df9e5c5e298df8ef319e60b3b6b8028959b23a090e3c7981451e3544a", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.BasicBroker", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/mq/test/positive1.yaml", - "similarity_id": "087f6e3fe1bf6c289cf195331f3de394a07caa7fd41b2c144b3cfa83d3972cf2", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.BasicBroker", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"MyBasicBroker\",\"resource_type\":\"AWS::AmazonMQ::Broker\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "2730c169-51d7-4ae7-99b5-584379eff1bb", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 126, - "files_parsed": 4, - "lines_parsed": 126, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:46.903221305Z", - "end": "2026-03-09T09:39:47.223442445Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/msk/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS MSK", - "query_id": "2730c169-51d7-4ae7-99b5-584379eff1bb", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.", - "description_id": "7413f967", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/msk/test/positive2.json", - "similarity_id": "2f8974366a0bd8435b2f2d2fd972d85900a9a92ee5b50f8ff59c4ce1b6e6558d", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.TestCluster3", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"ClusterWithAllProperties\",\"resource_type\":\"AWS::MSK::Cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/msk/test/positive1.yaml", - "similarity_id": "65e20ebdc816a38212a1a278e0af6a47bf5bc874d1fee76c8d9fd453d8ebd1ec", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.TestCluster", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"ClusterWithAllProperties\",\"resource_type\":\"AWS::MSK::Cluster\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 276, - "files_parsed": 8, - "lines_parsed": 276, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 9 - }, - "total_counter": 0, - "total_bom_resources": 9, - "start": "2026-03-09T09:39:48.523869356Z", - "end": "2026-03-09T09:39:48.887913661Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/rds/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS RDS", - "query_id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.", - "description_id": "77215b57", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive7.yaml", - "similarity_id": "b1d4b85126b2e1ffbcfc01d2815a41dd1516ab57d60f58632239dd5aa624986a", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample5", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample5\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive3.json", - "similarity_id": "41755ce4875227ad626298119043c7bcb4ed3c452b893b8b051e480b62180c3e", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceRefSample3", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceRefSample3\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive2.json", - "similarity_id": "5acc77c55ca85fdc8fdd8417c47da1565e786741a9a3707ebbe2f4cb1a419bfc", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample2", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample2\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive5.yaml", - "similarity_id": "ebc5f4c292f404c8dc54917aa4a26d0bc491a68d8551389aa10966ded9aeee36", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample5", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample5\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive4.yaml", - "similarity_id": "93c5a73659ce8c5ab856fa6bf2e58e5a80b8b9323ee43658c1890f0b44bd9c55", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample4", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample4\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive6.yaml", - "similarity_id": "e72b6cf611ed31aca306e0bbafbd54add9303b4c1e841d1302a9972a387d3913", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample6", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"aurora\",\"resource_name\":\"DBInstanceSample6\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive1.json", - "similarity_id": "88885662c6157f23d2f26d709d1cee31d686be67c6c95278a809ea7ac1a6ff4b", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample1", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample1\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive3.json", - "similarity_id": "bb3a6a778d62442e0c43eee6b61a368b20129e06b6ba0d6d1f264f0e5a2aa6a6", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceSample3", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceSample3\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/rds/test/positive2.json", - "similarity_id": "7fc5daf0204755894d5b3fbb5e06ea86fcbe622acea2a10d756dd69e9f8c299e", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "Resources.DBInstanceRefSample2", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"oracle-ee\",\"resource_name\":\"DBInstanceRefSample2\",\"resource_type\":\"AWS::RDS::DBInstance\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 91, - "files_parsed": 4, - "lines_parsed": 91, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:50.286676834Z", - "end": "2026-03-09T09:39:50.62670615Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS S3 Buckets", - "query_id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.", - "description_id": "a46851fb", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive1.yaml", - "similarity_id": "83b05c898afe18c5d86fdc17d01687a9018c5245083b668e2ce3ff5ae7216dec", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.MyBucket", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"BucketOwnerFullControl\",\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"jenkins-artifacts\",\"resource_type\":\"AWS::S3::Bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive2.json", - "similarity_id": "f39d35e153d84d94dc27ca59ec732bd3a8450a9d87c8aef49acf5e670c8add2f", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.JenkinsArtifacts03", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"BucketOwnerFullControl\",\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"jenkins-artifacts\",\"resource_type\":\"AWS::S3::Bucket\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "42e7dca3-8cce-4325-8df0-108888259136", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 67, - "files_parsed": 4, - "lines_parsed": 67, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:52.027735449Z", - "end": "2026-03-09T09:39:52.393462787Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sns/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS SNS", - "query_id": "42e7dca3-8cce-4325-8df0-108888259136", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.", - "description_id": "3cd7a815", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/sns/test/positive2.json", - "similarity_id": "59cfb12ee6a5d78a93dfa26e43507b9061ff2afc2184995d0a0fb557aa5b0cdf", - "line": 5, - "issue_type": "BillOfMaterials", - "search_key": "Resources.SnsTopic", - "search_line": 5, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"alarm-action\",\"resource_type\":\"AWS::SNS::Topic\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/sns/test/positive1.yaml", - "similarity_id": "3fbfe5c8466f3dc9a882014bdcb855a004187784fd714fafbfa0208ead65cecd", - "line": 4, - "issue_type": "BillOfMaterials", - "search_key": "Resources.SnsTopic", - "search_line": 4, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"alarm-action\",\"resource_type\":\"AWS::SNS::Topic\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "59a849c2-1127-4023-85a5-ef906dcd458c", - "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 56, - "files_parsed": 4, - "lines_parsed": 56, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:39:53.699817733Z", - "end": "2026-03-09T09:39:54.022150513Z", - "paths": [ - "/home/ricardo/kics/assets/queries/cloudFormation/aws_bom/sqs/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS SQS", - "query_id": "59a849c2-1127-4023-85a5-ef906dcd458c", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "CloudFormation", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.", - "description_id": "c57e306b", - "files": [ - { - "file_name": "assets/queries/cloudFormation/aws_bom/sqs/test/positive2.json", - "similarity_id": "149b9a5e9a4b7ebd26cdd1cafe08cdb343a3b5cd46e6581a0e5c4f68b4b134fc", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "Resources.MyQueue", - "search_line": 3, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"SampleQueue\",\"resource_type\":\"AWS::SQS::Queue\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/cloudFormation/aws_bom/sqs/test/positive1.yaml", - "similarity_id": "5532a7f3ccb0bdbc1d4dcb9c90830482fb8eeab451661eca80e4a0221df51b97", - "line": 2, - "issue_type": "BillOfMaterials", - "search_key": "Resources.MyQueue", - "search_line": 2, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"SampleQueue\",\"resource_type\":\"AWS::SQS::Queue\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", - "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test", - "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 58, - "files_parsed": 2, - "lines_parsed": 58, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 5 - }, - "total_counter": 0, - "total_bom_resources": 5, - "start": "2026-03-09T09:43:58.843023518Z", - "end": "2026-03-09T09:43:59.167793482Z", - "paths": [ - "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP PD", - "query_id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "GoogleDeploymentManager", - "cwe": "200", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.", - "description_id": "3db91dc6", - "files": [ - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", - "similarity_id": "09202abab426ee50aedb7ac84453dd1afcf043686fc4f12ff8bc98aa957ddaf4", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{disk-1-data}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-1-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", - "similarity_id": "2d3bebd769cfb6587648738fb830f2a44abddd69bd5de993032409cd882beccd", - "line": 11, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{disk-2-data}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-2-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", - "similarity_id": "d7ebe593bcea4e7af520b4092449620f7957ebfbf656efdd6cb9ca11343ee985", - "line": 19, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{disk-3-data}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-3-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", - "similarity_id": "e853a12d7676044042c98b987904a749c33f75770c2992d35713681f939e4a42", - "line": 24, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{disk-4-data}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-4-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive.yaml", - "similarity_id": "f2a17cd07cdb9153b7c4e2c22b76a00085b0df14ba8e90831e757d46e640a47f", - "line": 31, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{disk-5-data}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"disk-5-data\",\"resource_type\":\"compute.v1.disk\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", - "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test", - "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 30, - "files_parsed": 2, - "lines_parsed": 30, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T09:44:00.320717162Z", - "end": "2026-03-09T09:44:00.610455878Z", - "paths": [ - "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP PST", - "query_id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "GoogleDeploymentManager", - "cwe": "200", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.", - "description_id": "e96debd4", - "files": [ - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive.yaml", - "similarity_id": "f2126d2a0aa3e7620efb6359cc3e8c4887f1f93d89abefe267ec45922869f308", - "line": 3, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{topic-1}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"topic-1\",\"resource_type\":\"pubsub.v1.topic\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive.yaml", - "similarity_id": "3f3749ec8f9648b223ccdf33c627e8d638cdc46116438403fd3fbdab7e56037e", - "line": 8, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{topic-2}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"topic-2\",\"resource_type\":\"pubsub.v1.topic\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", - "test_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test", - "results_file_path": "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 79, - "files_parsed": 2, - "lines_parsed": 79, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 5 - }, - "total_counter": 0, - "total_bom_resources": 5, - "start": "2026-03-09T09:44:01.727235408Z", - "end": "2026-03-09T09:44:02.045571848Z", - "paths": [ - "/home/ricardo/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP SB", - "query_id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "GoogleDeploymentManager", - "cwe": "200", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.", - "description_id": "7f40edaa", - "files": [ - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", - "similarity_id": "058098daca1fa02dd63bfc2aeabcdbdbc58fb81d4a71ceceafe12d5be87d8acd", - "line": 12, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{sample-input2}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input2\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", - "similarity_id": "9f29e8fb0bc3dfd0052cb5c96a5e98b10be4325b1fc5877896d7b34750773263", - "line": 20, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{sample-input3}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input3\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", - "similarity_id": "e24ab4f5f3e303af3b41bc9191a0d8fef924efb85486a27cb67188d38ef2e29f", - "line": 33, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{sample-input4}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input4\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", - "similarity_id": "84b1c1ed7834d4382b8ce6087a593b4d080a50384dace3ae6320c64a722f8e6c", - "line": 44, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{sample-input5}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"sample-input5\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive.yaml", - "similarity_id": "3343669c4a0731690f024b31cea7796118f04f91421cdb2fc409ef437065fe2f", - "line": 2, - "issue_type": "BillOfMaterials", - "search_key": "resources.name={{sample-input}}", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"sample-input\",\"resource_type\":\"storage.v1.bucket\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "b9c83569-459b-4110-8f79-6305aa33cb37", - "test_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", - "results_file_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 3, - "lines_scanned": 70, - "files_parsed": 3, - "lines_parsed": 66, - "lines_ignored": 4, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:47:43.950731293Z", - "end": "2026-03-09T09:47:44.278806776Z", - "paths": [ - "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" - ], - "queries": [] - } - }, - { - "id": "fb889ae9-2d16-40b5-b41f-9da716c5abc1", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 184, - "files_parsed": 4, - "lines_parsed": 184, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:48:18.659706645Z", - "end": "2026-03-09T09:48:19.028935138Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test" - ], - "queries": [] - } - }, - { - "id": "2596545e-1757-4ff7-a15a-8a9a180a42f3", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 190, - "files_parsed": 4, - "lines_parsed": 190, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:48:48.581640914Z", - "end": "2026-03-09T09:48:48.965880154Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "bccfa089-89e4-47e0-a0e5-185fe6902220", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 206, - "files_parsed": 4, - "lines_parsed": 206, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:48:53.966179229Z", - "end": "2026-03-09T09:48:54.398177483Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "0220e1c5-65d1-49dd-b7c2-cef6d6cb5283", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 206, - "files_parsed": 4, - "lines_parsed": 206, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:48:56.107844112Z", - "end": "2026-03-09T09:48:56.529061505Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "ba066cda-e808-450d-92b6-f29109754d45", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 140, - "files_parsed": 4, - "lines_parsed": 140, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:49:29.41444685Z", - "end": "2026-03-09T09:49:29.789228108Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "bac56e3c-1f71-4a74-8ae6-2fba07efcddb", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 290, - "files_parsed": 4, - "lines_parsed": 290, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:49:52.377154779Z", - "end": "2026-03-09T09:49:52.714125831Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test" - ], - "queries": [] - } - }, - { - "id": "2d6646f4-2946-420f-8c14-3232d49ae0cb", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 494, - "files_parsed": 8, - "lines_parsed": 494, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:49:57.049539025Z", - "end": "2026-03-09T09:49:57.404325431Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "f29904c8-6041-4bca-b043-dfa0546b8079", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 130, - "files_parsed": 4, - "lines_parsed": 130, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:10.339535674Z", - "end": "2026-03-09T09:50:10.769235875Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test" - ], - "queries": [] - } - }, - { - "id": "6a2c219f-da5e-4745-941e-5ea8cde23356", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 184, - "files_parsed": 4, - "lines_parsed": 184, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:12.167057495Z", - "end": "2026-03-09T09:50:12.566896545Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test" - ], - "queries": [] - } - }, - { - "id": "376c9390-7e9e-4cb8-a067-fd31c05451fd", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 191, - "files_parsed": 4, - "lines_parsed": 191, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:13.894986842Z", - "end": "2026-03-09T09:50:14.272081539Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test" - ], - "queries": [] - } - }, - { - "id": "801f0c6a-a834-4467-89c6-ddecffb46b5a", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 174, - "files_parsed": 4, - "lines_parsed": 174, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:15.570461479Z", - "end": "2026-03-09T09:50:15.959039448Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test" - ], - "queries": [] - } - }, - { - "id": "2e275f16-b627-4d3f-ae73-a6153a23ae8f", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 126, - "files_parsed": 4, - "lines_parsed": 126, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:17.186218682Z", - "end": "2026-03-09T09:50:17.565655992Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test" - ], - "queries": [] - } - }, - { - "id": "ca02f4e8-d3ae-4832-b7db-bb037516d9e7", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 164, - "files_parsed": 4, - "lines_parsed": 164, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:18.854609137Z", - "end": "2026-03-09T09:50:19.251965247Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test" - ], - "queries": [] - } - }, - { - "id": "7a01dfbd-da62-4165-aed7-71349ad42ab4", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 168, - "files_parsed": 4, - "lines_parsed": 168, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:20.605560504Z", - "end": "2026-03-09T09:50:20.961653336Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test" - ], - "queries": [] - } - }, - { - "id": "015eac96-6313-43c0-84e5-81b1374fa637", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 117, - "files_parsed": 4, - "lines_parsed": 117, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:22.188100468Z", - "end": "2026-03-09T09:50:22.587987606Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test" - ], - "queries": [] - } - }, - { - "id": "b9db8a10-020c-49ca-88c6-780e5fdb4328", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 406, - "files_parsed": 8, - "lines_parsed": 406, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:23.874918823Z", - "end": "2026-03-09T09:50:24.272886894Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "d40f27e6-15fb-4b56-90f8-fc0ff0291c51", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 225, - "files_parsed": 4, - "lines_parsed": 225, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:37.18262663Z", - "end": "2026-03-09T09:50:37.596920722Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "0f6cd0ab-c366-4595-84fc-fbd8b9901e4d", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 204, - "files_parsed": 4, - "lines_parsed": 204, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:53.114728703Z", - "end": "2026-03-09T09:50:53.454107435Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "b3871dd8-9333-4d6c-bd52-67eb898b71ab", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 4, - "lines_scanned": 159, - "files_parsed": 4, - "lines_parsed": 159, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:56.14232327Z", - "end": "2026-03-09T09:50:56.464437526Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "4cac7ace-b0fb-477d-830d-65395d9109d9", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 503, - "files_parsed": 8, - "lines_parsed": 503, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:50:57.630693004Z", - "end": "2026-03-09T09:50:57.971033018Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test" - ], - "queries": [] - } - }, - { - "id": "9d967a2b-9d64-41a6-abea-dfc4960299bd", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 12, - "lines_scanned": 584, - "files_parsed": 12, - "lines_parsed": 584, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 2, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:52:00.280453072Z", - "end": "2026-03-09T09:52:00.626235794Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test" - ], - "queries": [] - } - }, - { - "id": "e2ffa504-d22a-4c94-b6c5-f661849d2db7", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 12, - "lines_scanned": 626, - "files_parsed": 12, - "lines_parsed": 626, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 2, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:52:02.137167343Z", - "end": "2026-03-09T09:52:02.629391769Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/general/json_object_schema_without_type/test" - ], - "queries": [] - } - }, - { - "id": "96beb800-566f-49a9-a0ea-dbdf4bc80429", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 272, - "files_parsed": 8, - "lines_parsed": 272, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 2, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:52:04.430604886Z", - "end": "2026-03-09T09:52:04.844519019Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test" - ], - "queries": [] - } - }, - { - "id": "1a1aea94-745b-40a7-b860-0702ea6ee636", - "test_path": "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test", - "results_file_path": "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 8, - "lines_scanned": 484, - "files_parsed": 8, - "lines_parsed": 484, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 2, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 0 - }, - "total_counter": 0, - "total_bom_resources": 0, - "start": "2026-03-09T09:52:56.653566424Z", - "end": "2026-03-09T09:52:56.994313752Z", - "paths": [ - "/home/ricardo/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test" - ], - "queries": [] - } - }, - { - "id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 5, - "lines_scanned": 261, - "files_parsed": 5, - "lines_parsed": 261, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 4 - }, - "total_counter": 0, - "total_bom_resources": 4, - "start": "2026-03-09T10:07:18.92729647Z", - "end": "2026-03-09T10:07:19.556905796Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/dynamo/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS DynamoDB", - "query_id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.", - "description_id": "c9007e7c", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive1.tf", - "similarity_id": "a688628f8f494ab21c1fe105db84b9a5caa859c8f9e8e359ccf3a7c46d64aabb", - "line": 21, - "issue_type": "BillOfMaterials", - "search_key": "aws_dynamodb_table[basic-dynamodb-table]", - "search_line": 21, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive4.tf", - "similarity_id": "babb019e4356747925dcc712c2a5940d396c97ece2671dfa6285bbd2f6a0f435", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_dynamodb_table[example3-table]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores3\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive2.tf", - "similarity_id": "a28cf9c3a6cb0794fa3e3a0a805d4944f7dbb3efeade8620fc09c93ea4ae92b4", - "line": 21, - "issue_type": "BillOfMaterials", - "search_key": "aws_dynamodb_table[example2-table]", - "search_line": 21, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores2\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/dynamo/test/positive3.tf", - "similarity_id": "ad2f2a12485e108e26277af0268a7c3b9114edbb6cdf356c0aadedf859b5521c", - "line": 21, - "issue_type": "BillOfMaterials", - "search_key": "aws_dynamodb_table[example3-table]", - "search_line": 21, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"GameScores3\",\"resource_type\":\"aws_dynamodb_table\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "86571149-eef3-4280-a645-01e60df854b0", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 3, - "lines_scanned": 37, - "files_parsed": 3, - "lines_parsed": 37, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:07:22.024620118Z", - "end": "2026-03-09T10:07:22.599658585Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/ebs/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS EBS", - "query_id": "86571149-eef3-4280-a645-01e60df854b0", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).", - "description_id": "fd141699", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/ebs/test/positive1.tf", - "similarity_id": "4d8f36af2e84d7cb28b112c8e8d635f04c7947104305cecf6c86a7bbe2c7fe2a", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_ebs_volume[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"HelloWorld\",\"resource_type\":\"aws_ebs_volume\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/ebs/test/positive2.tf", - "similarity_id": "8f256b1e26d47e315b73e4cebe2adbd15c45597b21a0d58695758f242b67ca0c", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_ebs_volume[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"HelloWorld2\",\"resource_type\":\"aws_ebs_volume\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 3, - "lines_scanned": 63, - "files_parsed": 3, - "lines_parsed": 63, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:07:24.791631455Z", - "end": "2026-03-09T10:07:25.908126874Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/efs/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS EFS", - "query_id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.", - "description_id": "5522243f", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/efs/test/positive1.tf", - "similarity_id": "a5b0f7d6730685996c338e8c7e6f4e49f2a3a72bc1ffcb3fe0624e511bc2ffbc", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_efs_file_system[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyProduct\",\"resource_type\":\"aws_efs_file_system\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/efs/test/positive2.tf", - "similarity_id": "06464310f0d43eb349c3fff2e6587e7437a5684957b470702f7a008343764e2c", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_efs_file_system[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"MyProduct\",\"resource_type\":\"aws_efs_file_system\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "54229498-850b-4f78-b3a7-218d24ef2c37", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 7, - "lines_scanned": 206, - "files_parsed": 7, - "lines_parsed": 206, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 6 - }, - "total_counter": 0, - "total_bom_resources": 6, - "start": "2026-03-09T10:07:27.774375496Z", - "end": "2026-03-09T10:07:28.344589595Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/elasticache/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS Elasticache", - "query_id": "54229498-850b-4f78-b3a7-218d24ef2c37", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.", - "description_id": "34559ecd", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive6.tf", - "similarity_id": "16bfdc91d7f8584245d9da2ba7bf6f274c27b09e6e2e04ce667fe8480f16531c", - "line": 13, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive6]", - "search_line": 13, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive2.tf", - "similarity_id": "5c4b00e3a4a384c86e708ca4b8d7b417d71240bd1ded323b63282352307a7009", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"cluster-example\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive5.tf", - "similarity_id": "fdb7e16c2955a8816dfe4a1b052052de7715a1bcb67d861fb75378e68f7015ab", - "line": 13, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive5]", - "search_line": 13, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive4.tf", - "similarity_id": "275f666c390b50e088e7781ffa4b47cd6e84f143a4b2583efcd65ec06339a97b", - "line": 33, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive4]", - "search_line": 33, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"all security groups associated with the elasticache are restricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive1.tf", - "similarity_id": "e757a53e34b7bd24f2beea2a6b7084dc6355f55824f13bc8d292b280c41decc7", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"memcached\",\"resource_name\":\"cluster-example\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/elasticache/test/positive3.tf", - "similarity_id": "16c15c14d3784c9762dbdb31769901b5a428a7d48202e3e543e5c08f57efaf0f", - "line": 33, - "issue_type": "BillOfMaterials", - "search_key": "aws_elasticache_cluster[positive3]", - "search_line": 33, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"at least one security group associated with the elasticache is unrestricted\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"unknown\",\"resource_engine\":\"redis\",\"resource_name\":\"test-cache\",\"resource_type\":\"aws_elasticache_cluster\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 58, - "files_parsed": 2, - "lines_parsed": 58, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:07:31.176454558Z", - "end": "2026-03-09T10:07:32.10544652Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/kinesis/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS Kinesis", - "query_id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time", - "description_id": "45271dee", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/kinesis/test/positive1.tf", - "similarity_id": "9b840abafc0548d657e04f603c5bc1e3b92c5031146a20809c0a24bd2b6ee3b2", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_kinesis_stream[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-kinesis-test\",\"resource_type\":\"aws_kinesis_stream\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/kinesis/test/positive1.tf", - "similarity_id": "1ca83bb6d86b8b32a35729f9e8e2b659439ec246c43ac8f4b3ed27aa45994daf", - "line": 20, - "issue_type": "BillOfMaterials", - "search_key": "aws_kinesis_stream[positive2]", - "search_line": 20, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"terraform-kinesis-test2\",\"resource_type\":\"aws_kinesis_stream\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/results", + "id": "b9c83569-459b-4110-8f79-6305aa33cb37", + "test_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", + "results_file_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", "return_code": 0, "all_results": { "kics_version": "development", "files_scanned": 3, "lines_scanned": 70, "files_parsed": 3, - "lines_parsed": 70, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:07:35.16610123Z", - "end": "2026-03-09T10:07:35.805597952Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/mq/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS MQ", - "query_id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.", - "description_id": "5f5ba9bc", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/mq/test/positive1.tf", - "similarity_id": "41fc993a63f16f0b851073ffc7b913288f60b17b48a8757a669b9341173703a3", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_mq_broker[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"ActiveMQ\",\"resource_name\":\"example\",\"resource_type\":\"aws_mq_broker\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/mq/test/positive2.tf", - "similarity_id": "b0dbc9a8c1bb61a40a0b8e60052d5d5c01c88528f407e6d3fc64e46cc0554076", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_mq_broker[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_engine\":\"RabbitMQ\",\"resource_name\":\"example\",\"resource_type\":\"aws_mq_broker\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 3, - "lines_scanned": 291, - "files_parsed": 3, - "lines_parsed": 291, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:07:37.889778016Z", - "end": "2026-03-09T10:07:38.867648205Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/msk/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS MSK", - "query_id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.", - "description_id": "cf7ae008", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/msk/test/positive2.tf", - "similarity_id": "495dad700d20b8570ab7994a2340362eb4a0bb54d48dfedeafb74dff5f96f7a5", - "line": 84, - "issue_type": "BillOfMaterials", - "search_key": "aws_msk_cluster[positive2]", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"positive2\",\"resource_type\":\"aws_msk_cluster\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/msk/test/positive1.tf", - "similarity_id": "c7a5a95e075a45104b5ddf644b2ceb054924a3a646f264c3b5db725c12521c2f", - "line": 84, - "issue_type": "BillOfMaterials", - "search_key": "aws_msk_cluster[positive1]", - "search_line": -1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"positive1\",\"resource_type\":\"aws_msk_cluster\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "12933609-c5bf-44b4-9a41-a6467c3b685b", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 62, - "files_parsed": 2, - "lines_parsed": 62, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 3 - }, - "total_counter": 0, - "total_bom_resources": 3, - "start": "2026-03-09T10:07:43.589402709Z", - "end": "2026-03-09T10:07:45.036509119Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/rds/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS RDS", - "query_id": "12933609-c5bf-44b4-9a41-a6467c3b685b", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.", - "description_id": "b621abbb", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", - "similarity_id": "59a8bd36bdce2661e626e470a6d980349acc274b6d190d784482d6a1e2ecae24", - "line": 23, - "issue_type": "BillOfMaterials", - "search_key": "aws_db_instance[default]", - "search_line": 23, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"mysql\",\"resource_name\":\"default\",\"resource_type\":\"aws_db_instance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", - "similarity_id": "561de55e9a71394f3d7bb2260195e3d13885513366b0a55e0c3b19d4984a3b6b", - "line": 35, - "issue_type": "BillOfMaterials", - "search_key": "aws_db_instance[sample3]", - "search_line": 35, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"mysql\",\"resource_name\":\"sample3\",\"resource_type\":\"aws_db_instance\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/rds/test/positive1.tf", - "similarity_id": "419f26bdd3c83ecb7a5e41a631be94a3d55f515a2553fbb47feb532e0c3dcd22", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_rds_cluster_instance[cluster_instances]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_engine\":\"aurora-mysql\",\"resource_name\":\"cluster_instances\",\"resource_type\":\"aws_rds_cluster_instance\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 11, - "lines_scanned": 459, - "files_parsed": 11, - "lines_parsed": 457, - "lines_ignored": 2, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 10 - }, - "total_counter": 0, - "total_bom_resources": 10, - "start": "2026-03-09T10:07:48.72639731Z", - "end": "2026-03-09T10:07:49.828912812Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/s3_bucket/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS S3 Buckets", - "query_id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.", - "description_id": "0bdf2341", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive6.tf", - "similarity_id": "da2d70344def4ff9dcf4b9e4b452eccff2c365d29ceeed122cdfe53e01682887", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive6]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive2.tf", - "similarity_id": "58fccd4caaf8023d0e3915ffff0b0c341cd991a40881f661bd011a6b9f56e1bc", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive2]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive1.tf", - "similarity_id": "5e57dcb6f4edeab49dd489d0c79219ac6d6912ded0e2a0289be99a4f6b36de65", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive1]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive9.tf", - "similarity_id": "f0989da79c6532b9767c95eb80cb14ce98bfab960143d8d7a1419b4cdfdc5b31", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive9]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive4.tf", - "similarity_id": "3e68de88fcf4ab2fd46318782c143c05141b290abf97330dd7df3bbd893a552a", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive4]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive8.tf", - "similarity_id": "14b334cb9a98d8a42dcc64465a50fab5defb3f6d11292ae1eb7b38c37b02f703", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive8]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"public-read\",\"policy\":{\"Id\":\"MYBUCKETPOLICY\",\"Statement\":[{\"Action\":\"s3:GetObject\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"8.8.8.8/32\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"arn:aws:s3:::my_tf_test_bucket/*\",\"Sid\":\"IPAllow\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive5.tf", - "similarity_id": "0a147aac1b60d48a54fadb1290ea731737959a6f1e44be8b6e81738b7fd4eeac", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive5]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive10.tf", - "similarity_id": "60ee2d022cfddee8056f6af2c3c5914ff535635ecb15b42b3bc7c15268bf29dd", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive10]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive3.tf", - "similarity_id": "3264a6566dc9a3e362e2e590f5ac094dbee9364c92c6f0ea53070e5a9c0a56bb", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive3]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/s3_bucket/test/positive7.tf", - "similarity_id": "e688b25abb549afda48f834ea47cc6ef1dff6137b06e000a4b63e2cb1a741ea6", - "line": 14, - "issue_type": "BillOfMaterials", - "search_key": "aws_s3_bucket[positive7]", - "search_line": 14, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"acl\":\"private\",\"resource_accessibility\":\"private\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"my-tf-test-bucket\",\"resource_type\":\"aws_s3_bucket\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 6, - "lines_scanned": 121, - "files_parsed": 6, - "lines_parsed": 121, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 5 - }, - "total_counter": 0, - "total_bom_resources": 5, - "start": "2026-03-09T10:07:53.127208138Z", - "end": "2026-03-09T10:07:54.006295081Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/sns/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS SNS", - "query_id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.", - "description_id": "4c016c6f", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/sns/test/positive1.tf", - "similarity_id": "c562a3a715b0c93a8f04f5f9a723f409debb38a0dfcb78b3afebbc5a566aef0a", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sns_topic[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sns/test/positive5.tf", - "similarity_id": "04cec60e37b1bd2b698c215f6f989aeb451280f6208ee3e1c7492329894b8184", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sns_topic[positive5]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"policy\":{\"Statement\":[{\"Action\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sns_topic.positive5.arn\",\"Sid\":\"AWSConfigSNSPolicy20180202\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"SNS Topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sns/test/positive2.tf", - "similarity_id": "59953404d92d099671ff06905b6c6f7891a124feb22de621276baa4fa3398857", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sns_topic[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sns/test/positive4.tf", - "similarity_id": "2f6a079f820f16fbd192f6f57b369cd844fab0f1fdd83d770e013f7dfde0768f", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sns_topic[positive4]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sns/test/positive3.tf", - "similarity_id": "1a91e56419ed044bc064e54443071d5b1697615fd2fe63f482d7a63e8d0bce42", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sns_topic[positive3]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"policy\":{\"Statement\":[{\"Action\":[\"*\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sns_topic.positive3.arn\",\"Sid\":\"AWSConfigSNSPolicy20180202\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"user-updates-topic\",\"resource_type\":\"aws_sns_topic\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] - } - }, - { - "id": "baecd2da-492a-4d59-b9dc-29540a1398e0", - "test_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 6, - "lines_scanned": 178, - "files_parsed": 6, - "lines_parsed": 178, - "lines_ignored": 0, + "lines_parsed": 66, + "lines_ignored": 4, "files_failed_to_scan": 0, "queries_total": 1, "queries_failed_to_execute": 0, @@ -3396,94 +92,16 @@ "INFO": 0, "LOW": 0, "MEDIUM": 0, - "TRACE": 5 + "TRACE": 0 }, "total_counter": 0, - "total_bom_resources": 5, - "start": "2026-03-09T10:07:56.573338121Z", - "end": "2026-03-09T10:07:57.477490859Z", + "total_bom_resources": 0, + "start": "2026-03-10T10:08:22.975031393Z", + "end": "2026-03-10T10:08:23.502338168Z", "paths": [ - "/home/ricardo/kics/assets/queries/terraform/aws_bom/sqs/test" + "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - AWS SQS", - "query_id": "baecd2da-492a-4d59-b9dc-29540a1398e0", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "AWS", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.", - "description_id": "63fc27c2", - "files": [ - { - "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive5.tf", - "similarity_id": "270592766a30916ef9e37b9b80a9ea23f0051365b60c0200a2474b76cc8ea127", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sqs_queue[positive5]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Queues\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive3.tf", - "similarity_id": "4c1f945f424abaa50d9666409e0650b91121ace763be1eb79f2dac5e61eb04f5", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sqs_queue[positive3]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive2.tf", - "similarity_id": "f99c8ad7c0318d326af34c293ae571794377a811786a83eb940779729d354f82", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sqs_queue[positive2]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"policy\":{\"Id\":\"sqspolicy\",\"Statement\":[{\"Action\":\"sqs:SendMessage\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sqs_queue.positive2.arn\",\"Sid\":\"First\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive4.tf", - "similarity_id": "84235e750d64b613aee6d9365eea3377b3de78ce4f5e6e2b0c1b3d084a926b91", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sqs_queue[positive4]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"policy\":{\"Id\":\"sqspolicy\",\"Statement\":[{\"Action\":\"sqs:SendMessage\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::123456789012:root\",\"arn:aws:iam::555555555555:root\"]},\"Resource\":\"aws_sqs_queue.positive4.arn\",\"Sid\":\"First\"}],\"Version\":\"2012-10-17\"},\"resource_accessibility\":\"hasPolicy\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" - }, - { - "file_name": "assets/queries/terraform/aws_bom/sqs/test/positive1.tf", - "similarity_id": "7562b9d31cf04b34e4e57a5fa16a156e4793e039da59b14f4d8b3db997cb2952", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "aws_sqs_queue[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Queues\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"terraform-example-queue\",\"resource_type\":\"aws_sqs_queue\",\"resource_vendor\":\"AWS\"}" - } - ] - } - ] + "queries": [] } }, { @@ -3513,8 +131,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:00.918992652Z", - "end": "2026-03-09T10:08:01.796919615Z", + "start": "2026-03-10T10:35:39.96934281Z", + "end": "2026-03-10T10:35:40.363185192Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test" ], @@ -3548,8 +166,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:04.074377978Z", - "end": "2026-03-09T10:08:04.768385499Z", + "start": "2026-03-10T10:35:41.487879903Z", + "end": "2026-03-10T10:35:41.883123189Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test" ], @@ -3583,8 +201,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:07.700724436Z", - "end": "2026-03-09T10:08:09.202455976Z", + "start": "2026-03-10T10:35:42.999894705Z", + "end": "2026-03-10T10:35:43.386747991Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test" ], @@ -3618,8 +236,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:11.436451282Z", - "end": "2026-03-09T10:08:12.030759227Z", + "start": "2026-03-10T10:35:44.557565359Z", + "end": "2026-03-10T10:35:44.933280039Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test" ], @@ -3653,8 +271,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:14.077808707Z", - "end": "2026-03-09T10:08:14.660795198Z", + "start": "2026-03-10T10:35:46.117743929Z", + "end": "2026-03-10T10:35:46.480237804Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test" ], @@ -3688,8 +306,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:16.678307786Z", - "end": "2026-03-09T10:08:17.20995775Z", + "start": "2026-03-10T10:35:47.547157418Z", + "end": "2026-03-10T10:35:47.91013176Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test" ], @@ -3723,8 +341,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:19.462236424Z", - "end": "2026-03-09T10:08:20.11967605Z", + "start": "2026-03-10T10:35:49.26455017Z", + "end": "2026-03-10T10:35:49.709881076Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test" ], @@ -3758,8 +376,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:21.988393802Z", - "end": "2026-03-09T10:08:22.668073796Z", + "start": "2026-03-10T10:35:51.071943301Z", + "end": "2026-03-10T10:35:51.511123113Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test" ], @@ -3793,8 +411,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:25.238654558Z", - "end": "2026-03-09T10:08:25.789712384Z", + "start": "2026-03-10T10:35:52.765083354Z", + "end": "2026-03-10T10:35:53.213700999Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test" ], @@ -3828,8 +446,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:08:27.65907742Z", - "end": "2026-03-09T10:08:28.249153919Z", + "start": "2026-03-10T10:35:54.549384235Z", + "end": "2026-03-10T10:35:54.944776943Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test" ], @@ -3863,8 +481,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:11:42.314631827Z", - "end": "2026-03-09T10:11:43.043770936Z", + "start": "2026-03-10T10:37:42.315642653Z", + "end": "2026-03-10T10:37:42.739224631Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test" ], @@ -3872,7 +490,7 @@ } }, { - "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", + "id": "", "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", "return_code": 0, @@ -3898,570 +516,12 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-09T10:17:02.728660527Z", - "end": "2026-03-09T10:17:03.596888318Z", + "start": "2026-03-10T10:40:19.203678117Z", + "end": "2026-03-10T10:40:19.576151492Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test" ], "queries": [] } - }, - { - "id": "895ed0d9-6fec-4567-8614-d7a74b599a53", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 57, - "files_parsed": 2, - "lines_parsed": 56, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:22:54.077886497Z", - "end": "2026-03-09T10:22:54.868465419Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/dataflow/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP Dataflow", - "query_id": "895ed0d9-6fec-4567-8614-d7a74b599a53", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.", - "description_id": "5d614ad5", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/dataflow/test/positive.tf", - "similarity_id": "14da088a3d13e2a488e9498cbf078b3123e6b5db1a7f222e39b4c3c1ca189af7", - "line": 17, - "issue_type": "BillOfMaterials", - "search_key": "google_dataflow_job[pubsub_stream2]", - "search_line": 17, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"tf-test-dataflow-job1\",\"resource_type\":\"google_dataflow_job\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/dataflow/test/positive.tf", - "similarity_id": "dc6e5815b35abb3bcfa9818944daad5a16bd4c4145294ba6c5e25ed0e33b8064", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "google_dataflow_job[pubsub_stream]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Streaming\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"tf-test-dataflow-job1\",\"resource_type\":\"google_dataflow_job\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "c9d81239-c818-4869-9917-1570c62b81fd", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 104, - "files_parsed": 2, - "lines_parsed": 103, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 3 - }, - "total_counter": 0, - "total_bom_resources": 3, - "start": "2026-03-09T10:22:57.433586093Z", - "end": "2026-03-09T10:22:58.258149175Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/fi/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP FI", - "query_id": "c9d81239-c818-4869-9917-1570c62b81fd", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.", - "description_id": "4a45b126", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", - "similarity_id": "8149542ed0c03690d9b70081cf46010e94c3cfc7bff29e6b13a1d8130522e79b", - "line": 32, - "issue_type": "BillOfMaterials", - "search_key": "google_filestore_instance[instance2]", - "search_line": 32, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", - "similarity_id": "cdac01a41238e8694925cf9e27f160be4f5984c7ed3469cded298bb7ef9d6064", - "line": 59, - "issue_type": "BillOfMaterials", - "search_key": "google_filestore_instance[instance3]", - "search_line": 59, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/fi/test/positive.tf", - "similarity_id": "be804ed120315b359617885b02a37d5dabda144e420a661a3ed53700b77f3a5f", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "google_filestore_instance[instance]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-instance\",\"resource_type\":\"google_filestore_instance\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 115, - "files_parsed": 2, - "lines_parsed": 114, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 6 - }, - "total_counter": 0, - "total_bom_resources": 6, - "start": "2026-03-09T10:23:01.158773406Z", - "end": "2026-03-09T10:23:02.223732891Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pd/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP PD", - "query_id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.", - "description_id": "4b72e52d", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "f2ddd27a41ebc1dc9c62cb77beb38420bb61b9feae52f5b78b581f63e7cdd7ba", - "line": 44, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[positive4]", - "search_line": 44, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "258753377be972cab9c7375d16f76f577806e4eaf8808c13a2ed8cfbbee0bc6b", - "line": 60, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[negative1]", - "search_line": 60, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "17b6d52800b62d4608cde011613db686f789bf1db53194a16bbe183fe20335d6", - "line": 76, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[negative2]", - "search_line": 76, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "8b1460302c9ff26037fd43ef76ed658ef118c8ec783f237143d10860770d7feb", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[positive1]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "b2f9aff9c6f6e6c9ce6ffedd9779ca0a47d1d1315e44475859dd4860824e055f", - "line": 12, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[positive2]", - "search_line": 12, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pd/test/positive.tf", - "similarity_id": "66ea313536579a7a9c7149d8fb5fb2e051cbd4a9f1dd8c05c2e930fc21440fdc", - "line": 28, - "issue_type": "BillOfMaterials", - "search_key": "google_compute_disk[positive3]", - "search_line": 28, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"test-disk\",\"resource_type\":\"google_compute_disk\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 86, - "files_parsed": 2, - "lines_parsed": 85, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 4 - }, - "total_counter": 0, - "total_bom_resources": 4, - "start": "2026-03-09T10:23:05.503500775Z", - "end": "2026-03-09T10:23:07.855625291Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/pst/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP PST", - "query_id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.", - "description_id": "aa371a3b", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", - "similarity_id": "cfb6ffe2b4d5d2f434b6455b9831665d6c1334ba9096294683f0e2476ace815a", - "line": 54, - "issue_type": "BillOfMaterials", - "search_key": "google_pubsub_topic[example4]", - "search_line": 54, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", - "similarity_id": "e79d3d9fdabefc5bd1c7c487bbdb5e9bf107fff4da675f8c7865914be4d1454d", - "line": 34, - "issue_type": "BillOfMaterials", - "search_key": "google_pubsub_topic[example1]", - "search_line": 34, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", - "similarity_id": "b7f4814219d6c83e3ba809cc50e49b9bd9d99d1f5e1ff10466454128323f121d", - "line": 39, - "issue_type": "BillOfMaterials", - "search_key": "google_pubsub_topic[example2]", - "search_line": 39, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/pst/test/positive.tf", - "similarity_id": "8053dc098605ade9e48af7eb35916952bfacfa78d04137695b0fdeb14a004a7a", - "line": 44, - "issue_type": "BillOfMaterials", - "search_key": "google_pubsub_topic[example3]", - "search_line": 44, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Messaging\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"example-topic\",\"resource_type\":\"google_pubsub_topic\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "bc75ce52-a60a-4660-b533-bce837a5019b", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 78, - "files_parsed": 2, - "lines_parsed": 77, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 2 - }, - "total_counter": 0, - "total_bom_resources": 2, - "start": "2026-03-09T10:23:12.528455929Z", - "end": "2026-03-09T10:23:13.655799834Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/redis/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP Redis", - "query_id": "bc75ce52-a60a-4660-b533-bce837a5019b", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.", - "description_id": "1db9d01f", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/redis/test/positive.tf", - "similarity_id": "239e99ca63fd9449ab66f45b2c359d88033076182f41d59e5a8d363ce11b8c87", - "line": 20, - "issue_type": "BillOfMaterials", - "search_key": "google_redis_instance[cache2]", - "search_line": 20, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"private-cache\",\"resource_type\":\"google_redis_instance\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/redis/test/positive.tf", - "similarity_id": "dc6c51484ff06cc85798bc42b423e37c956b1f442f1bac6c91b8549dd0c7b789", - "line": 1, - "issue_type": "BillOfMaterials", - "search_key": "google_redis_instance[cache]", - "search_line": 1, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"In Memory Data Structure\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"memory-cache\",\"resource_type\":\"google_redis_instance\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } - }, - { - "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", - "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/test", - "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/results", - "return_code": 0, - "all_results": { - "kics_version": "development", - "files_scanned": 2, - "lines_scanned": 62, - "files_parsed": 2, - "lines_parsed": 61, - "lines_ignored": 1, - "files_failed_to_scan": 0, - "queries_total": 1, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 0, - "INFO": 0, - "LOW": 0, - "MEDIUM": 0, - "TRACE": 3 - }, - "total_counter": 0, - "total_bom_resources": 3, - "start": "2026-03-09T10:23:18.741883234Z", - "end": "2026-03-09T10:23:20.452102045Z", - "paths": [ - "/home/ricardo/kics/assets/queries/terraform/gcp_bom/sb/test" - ], - "queries": [], - "bill_of_materials": [ - { - "query_name": "BOM - GCP SB", - "query_id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", - "query_url": "https://kics.io", - "severity": "TRACE", - "platform": "Terraform", - "cwe": "532", - "risk_score": "0.0", - "cloud_provider": "GCP", - "category": "Bill Of Materials", - "experimental": false, - "description": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.", - "description_id": "38a18539", - "files": [ - { - "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", - "similarity_id": "79b1b75db372e0a3127efdbe4eaa9e0065b6480b953945f5e90cc00f86689386", - "line": 21, - "issue_type": "BillOfMaterials", - "search_key": "google_storage_bucket[bucket2]", - "search_line": 21, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"encrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", - "similarity_id": "334ab83ad1641021d18d4f53ca6986e029e9a3dc4039f59f24c262ee7e73a542", - "line": 35, - "issue_type": "BillOfMaterials", - "search_key": "google_storage_bucket[bucket3]", - "search_line": 35, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"unknown\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" - }, - { - "file_name": "assets/queries/terraform/gcp_bom/sb/test/positive.tf", - "similarity_id": "d3532b5fafe273c7489124c321138ff536b5503d6e338c8035a5e544ec582bdc", - "line": 7, - "issue_type": "BillOfMaterials", - "search_key": "google_storage_bucket[bucket]", - "search_line": 7, - "search_value": "", - "expected_value": "", - "actual_value": "", - "value": "{\"resource_accessibility\":\"public\",\"resource_category\":\"Storage\",\"resource_encryption\":\"unencrypted\",\"resource_name\":\"static-content-bucket\",\"resource_type\":\"google_storage_bucket\",\"resource_vendor\":\"GCP\"}" - } - ] - } - ] - } } ] \ No newline at end of file diff --git a/.github/scripts/generate-positive-expective-results/write_expected_results.py b/.github/scripts/generate-positive-expective-results/write_expected_results.py index 53955ea0063..8ab404055c3 100644 --- a/.github/scripts/generate-positive-expective-results/write_expected_results.py +++ b/.github/scripts/generate-positive-expective-results/write_expected_results.py @@ -5,6 +5,29 @@ from runner import run_all +def deduplicate_results(results: list[dict]) -> list[dict]: + """Remove duplicate results, keeping only the first occurrence of each unique result.""" + seen = set() + deduplicated = [] + for result in results: + result_tuple = ( + result["queryName"], + result["severity"], + result["line"], + result["filename"], + result["resourceType"], + result["resourceName"], + result["searchKey"], + result["searchValue"], + result["expectedValue"], + result["actualValue"], + ) + if result_tuple not in seen: + seen.add(result_tuple) + deduplicated.append(result) + return deduplicated + + def write_positive_expected_results(test_list: TestList) -> None: """For each query, write positive_expected_result.json in the test_path directory.""" total = len(test_list.queries_list) @@ -37,6 +60,8 @@ def write_positive_expected_results(test_list: TestList) -> None: "actualValue": ri.actual_value, }) + expected_results = deduplicate_results(expected_results) + expected_results.sort(key=lambda r: ( r["filename"], r["line"] if isinstance(r["line"], int) else 0, diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 7f93ba7c360..e65c30ae283 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -91,9 +91,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo4", "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo4", "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index a13935f8428..559f373aa5b 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json @@ -127,9 +127,9 @@ "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", - "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" }, { "queryName": "Key Vault Not Recoverable", @@ -139,8 +139,8 @@ "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", - "searchValue": "enableSoftDelete", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index aa87bf21601..61aa61c8f7f 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -114,10 +114,10 @@ "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -126,10 +126,10 @@ "filename": "positive2.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -186,10 +186,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -198,10 +198,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -210,10 +210,10 @@ "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -222,10 +222,10 @@ "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -270,10 +270,10 @@ "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -282,10 +282,10 @@ "filename": "positive5.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -390,10 +390,10 @@ "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -402,10 +402,10 @@ "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -414,10 +414,10 @@ "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -426,10 +426,10 @@ "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index edd5e8def93..98d01b9005a 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json @@ -7,7 +7,7 @@ "resourceType": "", "resourceName": "", "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", - "searchValue": "github.event.issue.title", + "searchValue": "github.event.issue.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, @@ -19,7 +19,7 @@ "resourceType": "", "resourceName": "", "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", - "searchValue": "github.event.issue.body", + "searchValue": "github.event.issue.title", "expectedValue": "Run block does not contain dangerous input controlled by user.", "actualValue": "Run block contains dangerous input controlled by user." }, diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json index f16e1565d8e..60b9908e64e 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "EBS Volume Not Attached To Instances", "severity": "LOW", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "'Resources.NewVolume' should be attached to instances", + "actualValue": "'Resources.NewVolume' is not attached to instances" }, { "queryName": "EBS Volume Not Attached To Instances", "severity": "LOW", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "'Resources.NewVolume' should be attached to instances", + "actualValue": "'Resources.NewVolume' is not attached to instances" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 2fa2956a34e..6b490d7063b 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -439,9 +439,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -715,9 +715,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -919,9 +919,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -931,9 +931,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -943,9 +943,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -955,9 +955,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1147,9 +1147,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1159,9 +1159,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1171,9 +1171,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1183,9 +1183,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1195,9 +1195,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1207,9 +1207,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1219,9 +1219,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1231,9 +1231,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1243,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1255,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1267,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1279,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1291,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1303,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1315,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1327,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1339,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1351,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1363,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1375,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1387,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1399,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1411,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1423,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1435,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1447,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1459,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1471,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1483,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1495,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1507,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1519,9 +1519,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1531,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1542,10 +1542,10 @@ "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1555,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1567,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1579,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1591,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1603,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1615,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1627,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1639,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1651,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1663,9 +1663,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1675,9 +1675,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1687,9 +1687,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1699,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1711,9 +1711,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1771,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1783,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1795,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1807,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1819,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1831,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1843,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1855,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1867,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1879,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1891,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1903,9 +1903,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1915,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1927,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1939,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1951,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1963,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1975,9 +1975,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1987,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1999,9 +1999,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2011,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2023,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2035,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2047,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 45b7472cf7b..a31c51e95a7 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -19,9 +19,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -31,9 +31,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -439,9 +439,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -715,9 +715,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1111,9 +1111,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1123,9 +1123,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1243,21 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" - }, - { - "queryName": "ELB Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 29, - "filename": "positive5.json", - "resourceType": "AWS::EC2::SecurityGroup", - "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1267,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1279,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1291,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1303,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1315,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1327,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1339,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1351,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1363,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1375,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1387,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1399,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1411,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1423,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1435,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1447,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1459,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1471,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1483,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1495,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1507,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1519,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1531,9 +1519,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1543,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1555,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1567,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1579,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1591,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1603,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1615,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1627,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1639,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1651,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1663,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1674,10 +1662,10 @@ "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1687,9 +1675,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1699,9 +1687,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1711,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1723,9 +1711,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1735,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1747,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1759,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1771,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1783,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1795,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1807,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1819,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1831,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1843,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1855,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1867,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1879,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1891,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1903,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1927,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1939,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1963,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1975,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1987,9 +1975,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1999,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2011,9 +1999,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2023,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2035,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2047,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2059,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2071,9 +2059,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2083,9 +2071,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2095,9 +2083,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2107,9 +2095,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2119,9 +2107,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2131,9 +2119,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2143,9 +2131,21 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + }, + { + "queryName": "ELB Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 29, + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2347,9 +2347,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2359,9 +2359,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2371,9 +2371,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index bfe28c75d9c..0326d049be1 100644 --- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated" }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json index 9a4886944cb..36f12f1aaa1 100644 --- a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable1", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json index 76e5be3bb50..9f2b1d1f490 100644 --- a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json index 66e4e4b2449..8be7b6b73b8 100644 --- a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json index 5a8b206a58a..1521c2d1d1e 100644 --- a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json index 1b8078706e0..7a19222038e 100644 --- a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json index d144cd06d85..3112db77d21 100644 --- a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json index f2de8ddc34b..b8a18b65e73 100644 --- a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json index 26872452549..b26c8a8039e 100644 --- a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster3", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json index 31443e3f791..26495d6dd78 100644 --- a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json @@ -3,54 +3,108 @@ "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample1", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample4", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample6", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json index 4552773fb76..2504e450c28 100644 --- a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyBucket", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.JenkinsArtifacts03", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json index f0fefd2b232..cc94b9502b4 100644 --- a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json index d6f7e4b7816..d4391fe7d26 100644 --- a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index 3d9740b5838..d5422bb6e05 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -55,9 +55,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -67,9 +67,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-qt4", - "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -79,9 +79,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pip", - "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -91,9 +91,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pyqt5", - "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -131,18 +131,6 @@ "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined" }, - { - "queryName": "Apt Get Install Pin Version Not Defined", - "severity": "MEDIUM", - "line": 9, - "filename": "positive2.dockerfile", - "resourceType": "", - "resourceName": "", - "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" - }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", @@ -179,6 +167,18 @@ "expectedValue": "Package 'python3-pyqt5' has version defined", "actualValue": "Package 'python3-pyqt5' does not have version defined" }, + { + "queryName": "Apt Get Install Pin Version Not Defined", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" + }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json index e0fad579f92..5894b440cc0 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "addonsConfig", - "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" + "searchValue": "networkPolicy", + "expectedValue": "'networkPolicy' should be defined and not null", + "actualValue": "'networkPolicy' is undefined or null" }, { "queryName": "Network Policy Disabled", @@ -19,9 +19,9 @@ "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "networkPolicy", - "expectedValue": "'networkPolicy' should be defined and not null", - "actualValue": "'networkPolicy' is undefined or null" + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" }, { "queryName": "Network Policy Disabled", diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json index 831cb325438..f0578349398 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 3, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 11, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 19, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 24, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 31, - "fileName": "positive.yaml" - } -] + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 3, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-1-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 11, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-2-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 19, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-3-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 24, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-4-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 31, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-5-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json index 1afedf213ad..6e553a34a75 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 3, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 8, - "fileName": "positive.yaml" - } -] + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 3, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{topic-1}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 8, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{topic-2}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json index 217d13d622a..5fb24ab6920 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json @@ -1,32 +1,62 @@ [ - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 2, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 12, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 20, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 33, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 44, - "fileName": "positive.yaml" - } -] + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 2, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 12, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input2}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 20, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input3}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 33, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input4}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 44, + "filename": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input5}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 835aa54617d..96743021848 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -19,9 +19,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -31,9 +31,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -43,9 +43,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -55,9 +55,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "tokenreviews", - "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -67,9 +67,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -79,9 +79,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "deployments", - "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -91,9 +91,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods", - "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -103,9 +103,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -115,9 +115,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -139,9 +139,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "tokenreviews", - "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -151,9 +151,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -163,9 +163,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -187,9 +187,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index e8cb16c7bd9..ba3d79510b0 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json @@ -31,9 +31,9 @@ "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "tlsCertFile", - "expectedValue": "TLS tlsCertFile connection setting should be set", - "actualValue": "TLS tlsCertFile connection not set" + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -43,9 +43,9 @@ "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "tlsPrivateKeyFile", - "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", - "actualValue": "TLS tlsPrivateKeyFile connection not set" + "searchValue": "tlsCertFile", + "expectedValue": "TLS tlsCertFile connection setting should be set", + "actualValue": "TLS tlsCertFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json index 3f40317c868..df275fbd3a6 100644 --- a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json +++ b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Using Kubernetes Native Secret Management", "severity": "INFO", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Secret", + "resourceName": "cluster-secrets", + "searchKey": "metadata.name={{cluster-secrets}}", + "searchValue": "", + "expectedValue": "External secret storage should be used", + "actualValue": "External secret storage is not in use" } -] +] \ No newline at end of file diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 760970d4f0c..0ab1b2ad766 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -31,9 +31,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index 9e373bb5639..c50b32466b7 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json @@ -1,4 +1,28 @@ [ + { + "queryName": "Constraining Enum Property", + "severity": "INFO", + "line": 24, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum" + }, + { + "queryName": "Constraining Enum Property", + "severity": "INFO", + "line": 24, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength" + }, { "queryName": "Constraining Enum Property", "severity": "INFO", @@ -23,6 +47,30 @@ "expectedValue": "Type string should not have enum and constraining keywords", "actualValue": "Type string has enum and maxLength" }, + { + "queryName": "Constraining Enum Property", + "severity": "INFO", + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength" + }, + { + "queryName": "Constraining Enum Property", + "severity": "INFO", + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum" + }, { "queryName": "Constraining Enum Property", "severity": "INFO", diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index 9bb4d0d4a08..ee3c61b8ca4 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters" }, { "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json index c5d3cbc2fac..017c8503acc 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json @@ -6,7 +6,7 @@ "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", "searchValue": "", "expectedValue": "Succes from #/responses/Succes should be declared on responses", "actualValue": "Succes from #/responses/Succes is not declared on responses" @@ -18,7 +18,7 @@ "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", "searchValue": "", "expectedValue": "Succes from #/responses/Succes should be declared on responses", "actualValue": "Succes from #/responses/Succes is not declared on responses" diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 95cfcd206ad..ee42a323381 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json @@ -6,7 +6,7 @@ "filename": "positive1.json", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", "searchValue": "", "expectedValue": "Use from #/definitions/Use should be declared on definitions", "actualValue": "Use from #/definitions/Use is not declared on definitions" @@ -18,7 +18,7 @@ "filename": "positive2.yaml", "resourceType": "", "resourceName": "", - "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", "searchValue": "", "expectedValue": "Use from #/definitions/Use should be declared on definitions", "actualValue": "Use from #/definitions/Use is not declared on definitions" diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json index 261dbfde738..1c32ce4a0ed 100644 --- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Parameter Object With Incorrect Ref (v2)", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Parameters ref points to '#/parameters'", + "actualValue": "Parameters ref doesn't point to '#/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v2)", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Parameters ref points to '#/parameters'", + "actualValue": "Parameters ref doesn't point to '#/parameters'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json index b14643b039a..176962678f1 100644 --- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Response Object With Incorrect Ref (v2)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/responses'", + "actualValue": "Response ref doesn't point to '#/responses'" }, { "queryName": "Response Object With Incorrect Ref (v2)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/responses'", + "actualValue": "Response ref doesn't point to '#/responses'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json index 92c755b5e26..2bc6075b04e 100644 --- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Schema Object Incorrect Ref (v2)", "severity": "INFO", "line": 29, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.Success.schema.$ref", + "searchValue": "", + "expectedValue": "Schema ref points to '#/definitions'", + "actualValue": "Schema ref doesn't point to '#/definitions'" }, { "queryName": "Schema Object Incorrect Ref (v2)", "severity": "INFO", "line": 19, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.Success.schema.$ref", + "searchValue": "", + "expectedValue": "Schema ref points to '#/definitions'", + "actualValue": "Schema ref doesn't point to '#/definitions'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json index a629dc67e26..2f0e9f942e2 100644 --- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json @@ -23,6 +23,18 @@ "expectedValue": "'additionalProperties' should be set as an object value", "actualValue": "'additionalProperties' is set as a boolean value" }, + { + "queryName": "Schema with 'additionalProperties' set as Boolean", + "severity": "INFO", + "line": 29, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" + }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", @@ -35,6 +47,18 @@ "expectedValue": "'additionalProperties' should be set as an object value", "actualValue": "'additionalProperties' is set as a boolean value" }, + { + "queryName": "Schema with 'additionalProperties' set as Boolean", + "severity": "INFO", + "line": 23, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value" + }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json index 27b03bfbc60..d3eec7eda59 100644 --- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Callback Object With Incorrect Ref", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", + "searchValue": "", + "expectedValue": "Callback ref points to '#/components/callbacks'", + "actualValue": "Callback ref does not point to '#/components/callbacks'" }, { "queryName": "Callback Object With Incorrect Ref", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", + "searchValue": "", + "expectedValue": "Callback ref points to '#/components/callbacks'", + "actualValue": "Callback ref does not point to '#/components/callbacks'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json index 570b4c2a338..864368635ad 100644 --- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Example JSON Reference Outside Components Examples", "severity": "INFO", "line": 77, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref", + "searchValue": "", + "expectedValue": "#/components/schemas/Address should be declared on components.schemas", + "actualValue": "#/components/schemas/Address is not declared on components.schemas" }, { "queryName": "Example JSON Reference Outside Components Examples", "severity": "INFO", "line": 51, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref", + "searchValue": "", + "expectedValue": "#/components/schemas/Address should be declared on components.schemas", + "actualValue": "#/components/schemas/Address is not declared on components.schemas" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json index 2c75b617544..01da2d0217f 100644 --- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Header Object With Incorrect Ref", "severity": "INFO", "line": 73, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/headers'", + "actualValue": "Response ref does not point to '#/components/headers'" }, { "queryName": "Header Object With Incorrect Ref", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/headers'", + "actualValue": "Response ref does not point to '#/components/headers'" }, { "queryName": "Header Object With Incorrect Ref", "severity": "INFO", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/headers'", + "actualValue": "Response ref does not point to '#/components/headers'" }, { "queryName": "Header Object With Incorrect Ref", "severity": "INFO", "line": 29, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/headers'", + "actualValue": "Response ref does not point to '#/components/headers'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json index 371a7814b73..bbb7ccf38fd 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Callback JSON Reference Does Not Exist", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref", + "searchValue": "", + "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks", + "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks" }, { "queryName": "Callback JSON Reference Does Not Exist", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref", + "searchValue": "", + "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks", + "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json index 5115e74cc5d..5ceac8c3110 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Example JSON Reference Does Not Exist", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref", + "searchValue": "", + "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples", + "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples" }, { "queryName": "Example JSON Reference Does Not Exist", "severity": "INFO", "line": 19, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref", + "searchValue": "", + "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples", + "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json index 06617655473..4fe7e700bab 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Header JSON Reference Does Not Exist", "severity": "INFO", "line": 25, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref", + "searchValue": "", + "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers", + "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers" }, { "queryName": "Header JSON Reference Does Not Exist", "severity": "INFO", "line": 21, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref", + "searchValue": "", + "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers", + "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json index 718e08c300a..88e646bec27 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Link JSON Reference Does Not Exist", "severity": "INFO", "line": 26, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.$ref", + "searchValue": "", + "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links" }, { "queryName": "Link JSON Reference Does Not Exist", "severity": "INFO", "line": 20, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.$ref", + "searchValue": "", + "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index ed1353b2cd2..e9d2d807427 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Parameter JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", + "searchValue": "", + "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters" }, { "queryName": "Parameter JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", + "searchValue": "", + "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json index bf43445e0fd..64eecff8c31 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Request Body JSON Reference Does Not Exist", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies" }, { "queryName": "Request Body JSON Reference Does Not Exist", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 34b8bd7edd6..79d6442c871 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Response JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.404.$ref", + "searchValue": "", + "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses" }, { "queryName": "Response JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.404.$ref", + "searchValue": "", + "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 43ce02549c2..898974faa16 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Schema JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas" }, { "queryName": "Schema JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json index e95637f1c8f..9d81dd14019 100644 --- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.NotFound.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'" }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'" }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.NotFound.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'" }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 21, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json index d2e84125b05..2962bc89391 100644 --- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 56, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 59, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 67, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 46, - "filename": "positive2.yaml" + "line": 41, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 41, - "filename": "positive2.yaml" + "line": 42, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 42, - "filename": "positive2.yaml" + "line": 46, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json index b3841d340d5..aa684b5065b 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Request Body With Incorrect Ref", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "Request body ref points to '#/components/requestBodies'", + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'" }, { "queryName": "Request Body With Incorrect Ref", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "Request body ref points to '#/components/requestBodies'", + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json index 620d091d27d..d0afed9e3b7 100644 --- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Response Object With Incorrect Ref (v3)", "severity": "INFO", "line": 44, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/responses'", + "actualValue": "Response ref does not point to '#/components/responses'" }, { "queryName": "Response Object With Incorrect Ref (v3)", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/components/responses'", + "actualValue": "Response ref does not point to '#/components/responses'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json index a756e5b90c4..0e9be12db4f 100644 --- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Schema Object Incorrect Ref (v3)", "severity": "INFO", "line": 76, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema reference points to '#components/schemas'", + "actualValue": "Schema reference does not point to '#components/schemas'" }, { "queryName": "Schema Object Incorrect Ref (v3)", "severity": "INFO", "line": 16, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema reference points to '#components/schemas'", + "actualValue": "Schema reference does not point to '#components/schemas'" }, { "queryName": "Schema Object Incorrect Ref (v3)", "severity": "INFO", "line": 46, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema reference points to '#components/schemas'", + "actualValue": "Schema reference does not point to '#components/schemas'" }, { "queryName": "Schema Object Incorrect Ref (v3)", "severity": "INFO", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema reference points to '#components/schemas'", + "actualValue": "Schema reference does not point to '#components/schemas'" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index 16aef5fabb3..d7226494532 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json @@ -23,6 +23,18 @@ "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" }, + { + "queryName": "Header Response Name Is Invalid (v2)", + "severity": "INFO", + "line": 14, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'" + }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", @@ -35,6 +47,18 @@ "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", "actualValue": "responses.{{Success}}.headers contains 'Accept'" }, + { + "queryName": "Header Response Name Is Invalid (v2)", + "severity": "INFO", + "line": 12, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'" + }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index ef72a29c82e..e8cebcabeed 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -1,4 +1,52 @@ [ + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 33, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 33, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" + }, { "queryName": "Invalid Format (v3)", "severity": "LOW", @@ -35,6 +83,54 @@ "expectedValue": "number is float or double formats", "actualValue": "number is int32 format" }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" + }, + { + "queryName": "Invalid Format (v3)", + "severity": "LOW", + "line": 26, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" + }, { "queryName": "Invalid Format (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json index 8e6db880f46..292a49a7150 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 67, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 40, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" }, { "queryName": "JSON Object Schema Without Properties (v2)", "severity": "MEDIUM", "line": 16, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" }, { "queryName": "JSON Object Schema Without Properties (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json index e3a9d38a52e..5c83f559945 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 75, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" }, { "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 16, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" }, { "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json index acf698353a8..849b03b5bc2 100644 --- a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 17, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties" }, { "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties" }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties" }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 35194535154..34e89c1b5d4 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json @@ -23,6 +23,18 @@ "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, + { + "queryName": "Maximum Length Undefined (v3)", + "severity": "LOW", + "line": 77, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" + }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", @@ -71,6 +83,18 @@ "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, + { + "queryName": "Maximum Length Undefined (v3)", + "severity": "LOW", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" + }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 0a107619e42..4e69ac13d70 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json @@ -47,6 +47,18 @@ "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" }, + { + "queryName": "Non-Array Schema With Items (v2)", + "severity": "INFO", + "line": 22, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" + }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", @@ -59,6 +71,18 @@ "expectedValue": "Schema items property should be undefined", "actualValue": "Schema items property is defined" }, + { + "queryName": "Non-Array Schema With Items (v2)", + "severity": "INFO", + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined" + }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index 7f8bdf0c99e..3659b32104f 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Numeric schema should have 'format' defined", "actualValue": "Numeric schema does not have 'format' defined" }, + { + "queryName": "Numeric Schema Without Format (v3)", + "severity": "LOW", + "line": 75, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" + }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", @@ -35,6 +47,18 @@ "expectedValue": "Numeric schema should have 'format' defined", "actualValue": "Numeric schema does not have 'format' defined" }, + { + "queryName": "Numeric Schema Without Format (v3)", + "severity": "LOW", + "line": 46, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined" + }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index 3291290d541..c96788fb5eb 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" }, + { + "queryName": "Numeric Schema Without Maximum (v3)", + "severity": "LOW", + "line": 75, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" + }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", @@ -35,6 +47,18 @@ "expectedValue": "Numeric schema should have 'maximum' defined", "actualValue": "Numeric schema does not have 'maximum' defined" }, + { + "queryName": "Numeric Schema Without Maximum (v3)", + "severity": "LOW", + "line": 46, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined" + }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index 48614f5de8b..3c3e8cd434d 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" }, + { + "queryName": "Numeric Schema Without Minimum (v3)", + "severity": "LOW", + "line": 74, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" + }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", @@ -35,6 +47,18 @@ "expectedValue": "Numeric schema should have 'minimum' defined", "actualValue": "Numeric schema does not have 'minimum' defined" }, + { + "queryName": "Numeric Schema Without Minimum (v3)", + "severity": "LOW", + "line": 45, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined" + }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json index 5d3177bdad6..67d3826c2a2 100644 --- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json @@ -2,7 +2,7 @@ { "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 52, + "line": 42, "filename": "positive1.json", "resourceType": "", "resourceName": "", @@ -14,7 +14,7 @@ { "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", - "line": 41, + "line": 32, "filename": "positive2.yaml", "resourceType": "", "resourceName": "", @@ -26,7 +26,7 @@ { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 49, + "line": 39, "filename": "positive3.json", "resourceType": "", "resourceName": "", @@ -38,7 +38,7 @@ { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", - "line": 38, + "line": 29, "filename": "positive4.yaml", "resourceType": "", "resourceName": "", diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index 6964f33b226..9e4adf1e870 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json @@ -23,6 +23,18 @@ "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, + { + "queryName": "Pattern Undefined (v3)", + "severity": "MEDIUM", + "line": 79, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" + }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", @@ -71,6 +83,18 @@ "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, + { + "queryName": "Pattern Undefined (v3)", + "severity": "MEDIUM", + "line": 49, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" + }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json index 671425184c3..c1872d4782d 100644 --- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, + { + "queryName": "Property Defining Minimum Greater Than Maximum (v3)", + "severity": "INFO", + "line": 71, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", @@ -35,6 +47,18 @@ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" }, + { + "queryName": "Property Defining Minimum Greater Than Maximum (v3)", + "severity": "INFO", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", @@ -59,6 +83,18 @@ "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", "actualValue": "String schema value has 'minLength' larger than 'maxLength'" }, + { + "queryName": "Property Defining Minimum Greater Than Maximum (v3)", + "severity": "INFO", + "line": 50, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", + "actualValue": "String schema value has 'minLength' larger than 'maxLength'" + }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json index b9bc80aa0b1..64fa03c5739 100644 --- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Required Property With Default Value (v3)", + "severity": "INFO", + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" + }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", @@ -23,6 +35,18 @@ "expectedValue": "Required properties should not have default defined", "actualValue": "Required properties with default defined" }, + { + "queryName": "Required Property With Default Value (v3)", + "severity": "INFO", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined" + }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index 22220dfdf2a..0ba9c48f934 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -19,9 +19,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -31,9 +31,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -43,9 +43,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -55,9 +55,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "404 response", - "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -67,9 +67,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "200 response", - "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -79,9 +79,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -91,9 +91,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -103,9 +103,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -139,9 +139,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -151,9 +151,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "404 response", - "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -163,9 +163,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -211,9 +211,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -235,9 +235,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -247,9 +247,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", @@ -259,9 +259,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", @@ -295,9 +295,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", @@ -307,8 +307,8 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" } ] \ No newline at end of file diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index e7e20e2b8d4..32b5425aa4e 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json @@ -50,7 +50,19 @@ { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 52, + "line": 14, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" + }, + { + "queryName": "Schema Enum Invalid (v2)", + "severity": "INFO", + "line": 50, "filename": "positive5.json", "resourceType": "", "resourceName": "", @@ -62,7 +74,19 @@ { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 37, + "line": 12, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type" + }, + { + "queryName": "Schema Enum Invalid (v2)", + "severity": "INFO", + "line": 35, "filename": "positive6.yaml", "resourceType": "", "resourceName": "", diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json index 483a7ba23c6..972c9736c1c 100644 --- a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema" }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": "INFO", "line": 46, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema" }, { "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema" }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": "INFO", "line": 32, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema" } -] +] \ No newline at end of file diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json index cfc9097bfbf..5bb02212817 100644 --- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" }, + { + "queryName": "String Schema with Broad Pattern (v3)", + "severity": "LOW", + "line": 81, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" + }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", @@ -35,6 +47,18 @@ "expectedValue": "String schema has 'pattern' restricted", "actualValue": "String schema does not have 'pattern' restricted" }, + { + "queryName": "String Schema with Broad Pattern (v3)", + "severity": "LOW", + "line": 51, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted" + }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index 09d4d54061b..6f565a68bc7 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 18, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", @@ -47,6 +59,18 @@ "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword maximum is not valid for type string" }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 18, + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", @@ -59,6 +83,18 @@ "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword minLength is not valid for type integer" }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 18, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword required is not valid for type string" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", @@ -71,6 +107,18 @@ "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword required is not valid for type string" }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 16, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", @@ -83,6 +131,18 @@ "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword pattern is not valid for type number" }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 16, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", @@ -95,6 +155,18 @@ "expectedValue": "There shouldn't be any invalid keywords", "actualValue": "Keyword minLength is not valid for type integer" }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 16, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number" + }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index 3ea58369b43..c53aa666361 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json @@ -151,9 +151,9 @@ "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "event_rw", - "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": "oss_bucket_name is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -163,8 +163,8 @@ "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "oss_bucket_name", - "expectedValue": "oss_bucket_name should be set.", - "actualValue": "oss_bucket_name is not set." + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index e3f368f397d..b92ed9adaf4 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "alicloud_cs_kubernetes", "resourceName": "positive1", "searchKey": "alicloud_cs_kubernetes[positive1]", - "searchValue": "terway-eniip", - "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", - "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", @@ -19,9 +19,9 @@ "resourceType": "alicloud_cs_kubernetes", "resourceName": "positive1", "searchKey": "alicloud_cs_kubernetes[positive1]", - "searchValue": "pod_vswitch_ids", - "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", - "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 0155c8b9646..4b15c214909 100644 --- a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "aws_cloudfront_distribution", "resourceName": "positive2", "searchKey": "resource.aws_cloudfront_distribution[positive2]", - "searchValue": "enabled", - "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'", - "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined" + "searchValue": "origin", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined", + "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined" }, { "queryName": "CDN Configuration Is Missing", @@ -31,8 +31,8 @@ "resourceType": "aws_cloudfront_distribution", "resourceName": "positive2", "searchKey": "resource.aws_cloudfront_distribution[positive2]", - "searchValue": "origin", - "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined", - "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined" + "searchValue": "enabled", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'", + "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index ef1c25819ef..5409436d20a 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_cloudtrail", "resourceName": "tf-trail-foobar", "searchKey": "aws_cloudtrail[positive1]", - "searchValue": "cloud_watch_logs_role_arn", - "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" + "searchValue": "cloud_watch_logs_group_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -19,8 +19,8 @@ "resourceType": "aws_cloudtrail", "resourceName": "tf-trail-foobar", "searchKey": "aws_cloudtrail[positive1]", - "searchValue": "cloud_watch_logs_group_arn", - "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" + "searchValue": "cloud_watch_logs_role_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 188b3bfc6c8..fec61841ec6 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -92,8 +92,8 @@ "resourceName": "positive5_${var.environment}", "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", - "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" + "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -104,8 +104,8 @@ "resourceName": "positive5_${var.environment}", "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", - "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" + "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index 3f64e7b9f78..044d2aa4b1d 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/positiveinlinepolicy1/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -19,9 +19,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/positiveinlinepolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -31,9 +31,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -43,9 +43,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 406f4aae00c..05191e4f36d 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 66a47d63628..e773e7695c6 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -19,9 +19,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -127,9 +127,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv4_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -139,9 +139,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv4_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -187,9 +187,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -199,9 +199,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -367,9 +367,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -427,9 +427,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -439,9 +439,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 1f98f673882..e4b48407206 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -127,9 +127,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv4_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -139,9 +139,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv4_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -427,9 +427,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -439,9 +439,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 58a6372afc6..59aafcf228b 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "2", - "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -67,9 +67,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "0", - "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", diff --git a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json index a7df71f21cb..6605b759bae 100644 --- a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json @@ -3,24 +3,48 @@ "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[basic-dynamodb-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example2-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example3-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example3-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json index d8e95f01d7b..552f37e9995 100644 --- a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_ebs_volume[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_ebs_volume[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json index b6420a9e65f..c2e053c16b7 100644 --- a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_efs_file_system[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json index ef7120ad605..4b2a74e2fb8 100644 --- a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json @@ -3,36 +3,72 @@ "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 33, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 33, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 13, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 13, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive6]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json index 8e5a045180d..e2f051249cc 100644 --- a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_kinesis_stream[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 20, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_kinesis_stream[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json index 01fc6d11c02..48bb4fd43ee 100644 --- a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_mq_broker[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json index 7b47467ba0f..1e040b55f45 100644 --- a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 84, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_msk_cluster[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 84, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_msk_cluster[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json index be834e67aa4..b24c7c3f38b 100644 --- a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_rds_cluster_instance[cluster_instances]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_db_instance[default]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_db_instance[sample3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json index f72b42f7543..9af2f6af42a 100644 --- a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json @@ -3,60 +3,120 @@ "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive2.tf" + "filename": "positive10.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive10]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive3.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive4.tf" + "filename": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive5.tf" + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive6.tf" + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive7.tf" + "filename": "positive6.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive6]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive8.tf" + "filename": "positive7.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive7]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive9.tf" + "filename": "positive8.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive8]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive10.tf" + "filename": "positive9.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive9]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json index 269154f3820..6151eb90bc8 100644 --- a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json index 442bcc91315..6e2c087837f 100644 --- a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json @@ -3,30 +3,60 @@ "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json index 206cee271c3..50692c2ef1c 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json index ddf3d1cb713..851febf76ee 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json index 834f8a946ff..7f7e82f8ac5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 587344375d0..b463a778e02 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 647418cc170..62b0aeca3e5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index d2b55122b20..efdfab3f9c0 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json index 62976f6c962..999ee7ee725 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json index 5fc27a61d32..e5c78bee858 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json index c2d325766f1..bd00b85a2e9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { + { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 62edf8ed52e..e6ffd1020e0 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index 52d093a64fd..b18135378cd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index 7879a0cfd5d..b0318501b46 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 8d4334d067d..d7ca36ff6c6 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 3903474e1c3..3cb0e2bd17d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json index a5d81846400..1f62940e0bd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json index 9aa5be053c2..ad567f72fbc 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security group' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json index 2d4adf5066b..ae5e2b787b3 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json index d9f4a65bc5e..0e25b1f7492 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index b72188b5295..9fc76c2b789 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" - } + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses" + }, ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 1ff51775942..c28a76eb0d0 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json index 1d75d906347..a77648cf2fc 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index db0d5cb17e5..2309f69e71b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 8f5b85d8d7b..8f4b7fa96e9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index 9e174c03f4d..bda79ec9a2d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json index 48cd89dddfe..1be6fe43ee8 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json index 0d4f101c7a3..f15c3a124bd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json @@ -1,2 +1,39 @@ [ -] + + { + "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", + "severity": "MEDIUM", + "line": 9, + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", + "severity": "MEDIUM", + "line": 9, + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", + "severity": "MEDIUM", + "line": 9, + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 07f54508d55..1cd00bba9e6 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): statuses" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index c9a4b7e74c6..f68bec89d13 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index 315a11bcbfa..308fe0fb40f 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json index 3a520528db2..7d3f9005860 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated" }, { "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 43fc1ccad4a..68f807805b9 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP137) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP80) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP137) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP110) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP20) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP110) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP20) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP80) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP139) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP135) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP135) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP139) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP53) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index b99095cf17e..ebaa15aa71a 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -79,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -115,9 +115,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -127,9 +127,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -187,9 +187,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -223,9 +223,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index e4dfb04e1f3..05cebc65f4a 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -79,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -115,9 +115,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -127,9 +127,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json index bc92565213d..637fea7daa2 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json @@ -3,42 +3,84 @@ "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_1", + "searchKey": "google_project_service[positive1_1].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_2", + "searchKey": "google_project_service[positive1_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "google_project_service", + "resourceName": "positive_2", + "searchKey": "google_project_service[positive_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "google_project_service", + "resourceName": "positive_3", + "searchKey": "google_project_service[positive_3].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "google_project_service", + "resourceName": "positive_4", + "searchKey": "google_project_service[positive_4].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "google_project_service", + "resourceName": "positive_5", + "searchKey": "google_project_service[positive_5].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "google_project_service", + "resourceName": "positive_6", + "searchKey": "google_project_service[positive_6].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json index 2af3f798c94..b16f9b8d03e 100644 --- a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "BOM - GCP Dataflow", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP Dataflow", - "severity": "TRACE", - "line": 17, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP Dataflow", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_dataflow_job[pubsub_stream]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP Dataflow", + "severity": "TRACE", + "line": 17, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_dataflow_job[pubsub_stream2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json index a404cecf273..6abdb96caca 100644 --- a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 32, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 59, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 32, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 59, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json index 6a5425f770b..7fd44dd7362 100644 --- a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json @@ -1,38 +1,74 @@ [ - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 12, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 28, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 60, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 76, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 12, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 28, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 44, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 60, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[negative1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 76, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[negative2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json index 10570b71914..ba6ac0cf696 100644 --- a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json @@ -1,26 +1,50 @@ [ - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 34, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 39, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 54, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 34, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 39, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 44, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 54, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json index d71c4801f0e..692aa7c1766 100644 --- a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json @@ -1,14 +1,26 @@ [ - { - "queryName": "BOM - GCP Redis", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP Redis", - "severity": "TRACE", - "line": 20, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP Redis", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_redis_instance[cache]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP Redis", + "severity": "TRACE", + "line": 20, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_redis_instance[cache2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file diff --git a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json index 828876bd93d..124b877598e 100644 --- a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json @@ -1,20 +1,38 @@ [ - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 7, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 21, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 35, - "fileName": "positive.tf" - } -] + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 7, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 21, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 35, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "" + } +] \ No newline at end of file From a502502f2d11ae172ef87e465d8e305168d1a57f Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:15:19 +0000 Subject: [PATCH 05/22] removed pycache files --- .../__pycache__/generate.cpython-312.pyc | Bin 3294 -> 0 bytes .../__pycache__/models.cpython-312.pyc | Bin 1521 -> 0 bytes .../__pycache__/runner.cpython-312.pyc | Bin 5114 -> 0 bytes .../write_expected_results.cpython-312.pyc | Bin 5797 -> 0 bytes 4 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc delete mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/models.cpython-312.pyc delete mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc delete mode 100644 .github/scripts/generate-positive-expective-results/__pycache__/write_expected_results.cpython-312.pyc diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/generate.cpython-312.pyc deleted file mode 100644 index 68d7e12ee700b71c9c8fc79ec5a0e19d413aeb24..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3294 zcma)8O>7&-6`m!RZKR1$%67i1yaP9+?c3n0HKGz8FHzg z7O98e{Ji<*&CHu`zS+M90xbyAU)*0P|MDR8HEr0*-KgySn?q;=-9$2yITg*((xGxW z$DD(!+njSw2f_}_Zv&F1tgl`k&bJ$ltpBjJUYDKiP?7lpjFVk7pYwo6!5%Z`#R6`j z80?eXV-)Mb4q3qd3@>{>MPaOw- z81e)lFT5186_A%+3K;?9<(EO)vEb0d6pvQ86)xWP4ITJSoU{0MCFAxtPH0(fN!PKV zTb{d1m?&7c0+YXdHm&i{v7=JW_hJu)i&kjEs7y9)2$5M_nnw4sp|QPD+7q?>_iMpO(j zt>q0#$?IYc89zlwNo2OwFuz|NsxHG7twx6lV%++7%+!ICV(!HWHg+%IMn ztjc1BXgOwM(ds`&hJ?kDf@{gh435I_2{@nDWF^1wj^$9~xYOdbMVz;IN*jw;H3@7a z49l^&j3wCI(CO|(Q6vG{6UNI1kw-#fwfl`ryW;=y={Z~xwPq`9wCVto|5uiG+%MG1rjcvh9ZbVxX+owjGpm^O)@80(JZYg5zD~e(1f>xrc3l zpusto4(78xt~pj6SxVz$Np?^Y7&P=O-9vK(fmK?WMd7SKu6>3?WoIEZ)GnVR;&wV+o7W3MIZCcUfNA#iYPG(dcJt z$4sP+j`la;b(G&mDKL9HWVv&ij8)wdX2H?h3e4lyHDX}dYQ2$6PR=G%(>Et)rY4j0 z1+rXZLDl9hHz*xwoaG}}m8c%349#*aO2p6!eDWYBd+d@~-sV;JjDn~#Nc6^bK#vhDt_L#oT-vvz2aev#3P){*l3B5+Ek+a3Ary;ZV zdO7lwbpfWTM*GZY-)^jZGhWP?9j}#RgS%aT-%`voSIS+ZJE4=i?VX#qwmQty!{zqN zJME|b>2t?g)>~>}Xf)+yJp#7_}= zQ!Ni2r7H7;Y8>fptb)F_sTAX@rryI8MQ|Rd(N6(R_`<1^WRNyPsg#t@!+H%x%j+mtv`7!l&Or8i#NxxA zf_-5O_zqta<75K5=nJX$LSA!n9Jh;ne@Cx;jRN1gQLJNg;FI^O(eq~Xd^tK;jgFYn zk*AUw9sP3DjK1+_#f<*Egj%0>oPOMQKd`Pp8h)@`M%^_x&&_h1vo%D^qP)k-T9D^D ziWAh>u?6oq6t!R{7u}5gw);2TdkCtvam4%A3(uVG&%@n}pa0;!C4bM8vqh!)>X`ZJ zSozG4OFiRX&X-zlRQR9n1W#6jy=JiYJLGbO*B#G=Kq)L1TR)3Fi55Mj;6O!)H*K9y zI*Y+laHt|&ux-_z5wmBcB)(n>Ua1J9w)wN}C*39SVkvm3A`FA^*Pd^E;J@ZYdbs-Nv`MDk@bP>19pCZZ_m00dn=Zj| z>E$oc4;CRWb#OLHD{`73c|t-G(wL0sfR3zzMF~)g+$N#*6AA4Td{>W?{6PlxN_9{z zy`wrSwTx=z9krBIz1m+olV_<~=u1C{eIZn77(pBct1ZmKUInKd$rA!(KtnRHz9(RV z6VmHAYnW9qyI@YiN(CzytWvOQ!DtDN zl9_ViD8YCb#bA^s2a!&A08D0MP;Ww`x&nM2?6U`usm6*Q`0)hPIrwo5frOCdal;Sf z#EiC&v-ZZ!*;wRg^j2r)bQTvjXU^uL)tNgT zzIm4G{T*^AHv$84h>w9 zcS6OhtJ=5PebWdv2|}{5FZb2@swhnRpHEp)s2XEGi&H-|Gf$~n3t{ME@z@YuO*wjh z_FjaY)mL>6a>5f9U}pY0NjYY>K<3+4dQnM?`rTgn4_9%y;XxNTGgOe z2)*JF`LpXi@6Nk7%xSa7y}5HEKa^hA_sXhX{HZ{2-S5VOyzpixll8wly{=x*FX|Wk z6MRFrpty&yv?-;3kSi~!`^s|Z#*!eM+Qh0aO}K^Zl~th^mjq!Y=&)r3N_Xj!Xf)E_ JmZs)w{{ckRaGn4F diff --git a/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc b/.github/scripts/generate-positive-expective-results/__pycache__/runner.cpython-312.pyc deleted file mode 100644 index ed31b83500c1964c69f499888c72996807f75d6b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5114 zcmbtYU2Gf25#A&3$Rl|qMN-tirIT#gVk}DaUy?eC16#KI6I)IsJAu_Y1jRc^C-X0R zM>}H4R1XP2BL+;P1w_>`q&$^@4aAS`TYv^ZfWDBS0x=gAwOjWgZ>p6xfQtg1J@Q0a zm63<8%>9|2+u7Njoo~i}vfHf)%D*muCY`k-^fxll3sdcE7$}4mkbnd#j3z2AH9=`( z!-N4^L)aLhCuoYy8N*D(G-1;Ebl4nWC)kK(!V%b)~<0=-HRi~^lPvj%-!YXt`AbZxBn1e0JE zSeP^Elv*oTfX>#&dha$8tal88P2dE(;FxxgBcC(5?-)4(UYQa3=@^d_QCXlevbl_so7gFg#rNVOmLg(Q35NYdoFvLg#_ykuMUq~a zjs_>gqCXagPF(V1aZ2_vs^jGOz=_cdW0wMNoIgE!LA7Z28HX!YUDXW)rlhb4B7tO( z1eL1_*C;*;gY6-i+!p`zjlr2%L>$CYD2RpF;1ww(4-QOA%1mN%P!3@!uE>MaVpPOI zMfAsGvZP2?MQz_9tydK|2&V8KHehx1j0JjtpjqHCs27m3X`S0!p8gmGiagCUm7->KheDRF7X69IhG{g8 z6thlGfqe_cd-Po*5y~NyHYk=#9~_6~wDeJ>O&N5FX`{f9zq{48_B`e~9#e|J+RF*l_R3&GiiuJwQ`(#|A4gg0GDu0YDRx_l7QwnH(efM~ zTOE(}IXql#SI5!iFF>NL?oMpm%C^_m)lX}-Vat(_y>lsgmfZK2qIh*e%964w&6}g` zr8)jrT8c|;&+Dx5K8K^>Cpla{$>IJ<4uAvwcAm43#u~>x@7<~;>ZeJe8(-330XK{^ zO3~wJC)x*|;Tj<5B}Bm=%$$7BcnMvjd`-zyV`5O?xB5Ar_)YOW1qVY4UxN@HoEmXw znoHFk2T%NxJb+zr6Doz1OhTFRzYNI4iqTL^0Jl4;x+W!Xm$9ip1Y8c5f?-)TS6$-; z)vEdA0P(mgQdwEN3M|T;%4iF#7R~QzvvgRBimDy_Q!If)VnCUT*AF!wt1Jd_XeMw) zoKv}K|7tLt5LE~9%ppY-0+lfb$|Zu~%E)KMU7!H&Ce<#Y3QOdYC2=pI?IzV8QUNw2 z>?73+Q297a`~z-;N;ONe=B8De_;-~in4!`HBUIzGsHi5G2OLmoZL6kW9JmBb@J}_$ z3ijDGH?DH^E?=dlR9XlsLDgI(t2S68P`wM)UO7H}Xd`#252$x*TB%m;Aj#Am-U}jS z;*0qDg2`)A?eQR%MIHC>5uoiL>>q%)okx#7%{gYZWw6*XSn~X=aNtDIb7KB%+19*j z>nhs1R&3p6rz>N542TfU4d?f)SoW_Yis`r?TyuJE&Rw6&xjsr|=pT(h1K{Z1Ie+q@ zyJ?~CR$rlg;J%^cJ~01!xv^#8)U8vwOL;@7aqs-OM`m}qxjn<&;2w4N-`acM4=nbU z4diB=8LI4UTDW-YVs0q!E_wSi*0QH@;n1x^xwhr8lBX}jK5T1W>Rs$zHp6^d{}be} zI5TI~n%i?{mPQvx^RGNGlsaB1H4m*eA1yW?&76A3d2WtgAN}}nxxKgC+P&s&$+azY zE_UWku)Ed+CGSC?mOJ~FqKnad;K5|6^XQgQd+*Yb#UuHCSh@X`@{T=A?<~HPAANAF zwBxmMmv8C)#rF#XM?N={x`v;f{K0GMaQqY5?9L}<*yXwf^jq&koM(RY$DUqI|}<2cmy2&to78YyI6E8E9qx*thXfLVqb9twb; z5Puo&7 z*4{>UO!~L5mrXPjSiv&utnul+6r*!%ab&$7#CvIFmPEN*N{XqWj?$!0>TBJz>E1eR zN||O!aI~eQ=)flKZ_gocS6%`qax7(-C2ws@*Fkh#Mw|)jJ5%!ig*UdMj%+K!Wh8xfm;z3_?^2}H@rKkWOI9M%>AV5fP zvXUwBdUnNMgGd{QB=3>~5@ca~JQh!c0r`Z1qzl%H0wz{c6q1@GIeoQ(fdT9HB%}rK zWMn0Xm8aA%o>GHJ*JXYj(iH7G&D--y8_y3{@|(l_QwsiB;Ui<{nt;h`OOVIH^MC!_ zGXEw?=lG->;9Pz;V{uwTUiuDp`TBh`KchltdMN5j%XeIEDk4Wp7--U7p6fK)d*0mazuAHbuG_T znK+iBifR#~3BYI)SCE&7Nq7jr8+A5>OAjMNn6%ABM(!d*&41uK2W)={)|EK^?t?sM*&=dPd2 z^)B@-_N{O`*Em=9?6UXwEuXY3TMI7?J$P&N)zRXsqlKaKU*Up#>>Fe)0CNip?(+ zn)c@R-XHqH`1!~mZ4c64oh(={tk4%9neCus!O^|K_LM!XPY`9{Gs9$e$8(+> zlkNY8>smJg5yBD9Tc8^;`L7w34M4OiMFRm}6CMBpK1--Zc@AP%l7)w*NiFhISv{Ao zn5roP78I5-$uzal4ij7=%W3gfKnvqy;j1E9217U|<8y?S7$+v+0|6tLSH+r%4QfV0 zz9&IrAn+;D_NN)rQ+5cXCBotnOrikdJLFHG0(B_rJ7oI~xxPczKckkvqg{VN`-^D* zBd#Ia^3muj*Hh$rO5CnhuD{6j=ie-HgY%YeU5(jG%if}QcfPgg-GBd5(R-xidTrjZ zZn9IRT8}Sqk$zN)(7#BIvPHCsOf5_xSdG#UE!f_pFWLo0qy?)$LER2@hftH^Koi~SW}eZbm1i8rV&d~GgRZ| zLXR8gX%sh|LtZxa`s?CY_^QYY(MV7V_!W`QpG6x#DvA*)bcGLxg5$h0Eb>DVmK8o6 z2t+X!LjjQw5AmWuFw93o(z{V(WQS^p3LYQukBKTHi&sS~DdQ>~ltNG+l7eE0v~aLa zIEn+};CN(HO&evGML!M()#7j;qaK)iQ!DJ z5bhk60&-`^6-gP6zSAiOuoO|`&MRU_#BgNok+3W&(p9ltw~v(ar`UN7HZS@NyM1|e zM`T>B*kq5P$Ms+U1Alo2vPtxib^dVQi6zU14> zWRjW;*9?ozS|4z`a?M~sj)#sZx_S*vM5kXxa@7FCT_T|$fPj?J))((ZGtgxv5OJqk!Y!C0qJE=Xh4gf(s*DJ$rWlE4Ve zyxp)L=C%rs7z=aTAeJy&+Yj;OQ|MujGb0toJOvrIk5m?FMhUcTqg;@nttr%u(g<<$?t5_Cn1lfp(`+E=bS<{uC$B zK3A**{9IVchI2Y`-TWrHMtSRF zXHSN)4g^}@Z{xL~#~V?xIQn&r$l(w#g)~gjqDKU+J`^^fYtU;_Z4p0U6hJy7UWeG^3y;Pc z|Eob>2PWr$Ng%**6A>oBkI6m9?Vo>FCyr@ z>4^Xj(==pzS~8w0wnA^MZ3s|VFq7O%59k(XwvZvPD~BXYAvh2KU)3yy2#KMvOiqf& zb&#(!`-A?mcLe{zSeK4G&)T!xu|F6N_=EC6DCk3uzyxv!WRob%l_W-{URkManLRQ) z^ilu3yjd#rs?T$&b`eJXsgd1Q87-Aj;xTdbHTcXNPd(T~GcH=R6V>ZX}a7gUsW2L}7 z0G>6+Qp8XjA7gl#ID#m6>s2#Q3Y8=NAc?XDMXFs4MaML7HV|I+Nui;zYKdStH`OEw zm|V*|d=Up!En}nLgSd*Q9h!If2vaF|gldyyK>`whcR?TR>8K?Jjqxdj#}uj>$#LlH z#Yc{Y%a^ZeRK~eM3G_Ora~Ypj(`W$DmM~USIt)}srOBO9X(2im@v@kNV%4IA6+duS z@|@vJR9pT)R7z4Un)xcD-7eUa%7&v#B&ztxF{-5-Yv<{RYQmCA4avmSH2R}wnoFt8 z|HF~+>oBSr{_@|!5rMOCuB1Ivx-(t6bBWtEc_Qm{O`g)Shn0=fQl@Edx@qs?k>$#R zYiNh1YKloviG5jDWya;X@A9m0WyvE+fAZWkHN9iHI>mP_?D$pdr>zThi-%I>rMGFj=Pbedm;OTA33P&Sj>1)!mfx98S9rC)m~c z#uQVNEw9d$Z%>zR{|0e(SK?@vYshddgbFn_&s@57DcjIAbNbflZ0mEM*zVdsaou$- zx4wAWJbiTL)U8vuxkdb&Yrno`bmF&V_&sTUPj;h_pQPC{^Zi@j&w5%ip6An^=d*hK zQ5Czx`7L5gTsbo={hQrs;6&hZ-1)$S{#0Z8 z+?BaE7lu=gLl5Y~PfEz#`r_*{iHU!t>rQR6{Aruz)NcERW04ya*a&RUiv&}R0DcTw z2#3_m^Eyp^0yNMgYR%e2TD8-ytkN)d|aY z^j&!(qx+%J&qJY)nLwXXOCQJo|zIvDl~8lD#H$8V74QzYvl8DYU* zn}%rk9F$d8(MjPmM9adF8b?$>bb@C1HE5T~r>{J6>8RD9qgK&mFa>$0_%d`qOU516 zAZyiDp0d@gxa)5Bd=SdG+tTi~C3i>0y)W(Fm+Cp6cAuYOAG+(NUs`hS0xWUYOrBjW ztIL$_N|){W29;XageA+CX4uC2Y$Kr3s=F@1u2k1gpU5{>4Ch4@;sd(pqrv~5PZCCyPE29qpA^^)B=2pl7zl$`MY;bg#IvNxY;!$V<2SoDckmbx2Mg0x2U!j_Rqx!ES-(35T(&`WFll_m#!%rMdTulro+L!5?FKK(qv45F9@Fm?c+rLbA ZY}ui6ncnjy&Ck|8pm*nL5nZQk^FM3;c>(|c From 79b9175022b22e0bcf8d5ef8bdf2a4b1e33e6f40 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:20:23 +0000 Subject: [PATCH 06/22] fixed positive expected_result --- .../test/positive2/positive_expected_result.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 9fc76c2b789..11d6104e899 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -82,5 +82,5 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses" - }, + } ] From 9236c561db35b82ffbb204c1caaa9d23f91c4dff Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:28:48 +0000 Subject: [PATCH 07/22] removed unnecesary f prefix from strings that contained no placeholders --- .../generate-positive-expective-results/run_skipped.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/scripts/generate-positive-expective-results/run_skipped.py b/.github/scripts/generate-positive-expective-results/run_skipped.py index 00167f92f49..90f68ef0633 100644 --- a/.github/scripts/generate-positive-expective-results/run_skipped.py +++ b/.github/scripts/generate-positive-expective-results/run_skipped.py @@ -120,12 +120,12 @@ def process_skipped_query(query: dict) -> list[dict]: print(f" Test path : {test_path}") if not test_path.is_dir(): - print(f" ⚠ Test directory not found") + print(" ⚠ Test directory not found") return [] positive_files = get_positive_test_files(test_path) if not positive_files: - print(f" ⚠ No positive test files found") + print(" ⚠ No positive test files found") return [] print(f" Positive files: {[f.name for f in positive_files]}") @@ -145,7 +145,7 @@ def process_skipped_query(query: dict) -> list[dict]: if return_code != 0: print(f" ⚠ Scan failed with return code {return_code}") else: - print(f" ✓ Scan completed") + print(" ✓ Scan completed") file_results = parse_results_from_file(output_file) print(f" → {len(file_results)} result(s) found") @@ -190,7 +190,7 @@ def main() -> None: results = process_skipped_query(query) if not results: - print(f" ⚠ No results produced — skipping positive_expected_result.json") + print(" ⚠ No results produced — skipping positive_expected_result.json") still_skipped.append(query["id"]) continue From ab57946b4415eacabd01b31f950dd4381a5d0be2 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:34:34 +0000 Subject: [PATCH 08/22] removed unused library from the script --- .github/scripts/generate-positive-expective-results/runner.py | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/scripts/generate-positive-expective-results/runner.py b/.github/scripts/generate-positive-expective-results/runner.py index a1730e98216..cef0fa1bc30 100644 --- a/.github/scripts/generate-positive-expective-results/runner.py +++ b/.github/scripts/generate-positive-expective-results/runner.py @@ -1,6 +1,5 @@ import json import subprocess -import sys from pathlib import Path from generate import build_test_list From 471e0932d3c4bc31ab7a387b38e5ec6f3c4f57a7 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:22:58 +0000 Subject: [PATCH 09/22] changed positive_expected_result.json --- .../main.py | 6 + .../run_skipped.py | 37 +- .../skipped_queries_report.json | 62 +- .../write_expected_results.py | 84 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 208 ++-- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 104 +- .../test/positive_expected_result.json | 902 +++++++++--------- .../test/positive_expected_result.json | 890 ++++++++--------- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 36 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 90 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 60 +- .../test/positive_expected_result.json | 72 +- .../test/positive_expected_result.json | 12 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 16 +- .../positive4/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 39 +- .../test/positive_expected_result.json | 212 ++-- .../test/positive_expected_result.json | 198 ++-- .../test/positive_expected_result.json | 214 ++--- 36 files changed, 1802 insertions(+), 1750 deletions(-) diff --git a/.github/scripts/generate-positive-expective-results/main.py b/.github/scripts/generate-positive-expective-results/main.py index 30838ee51f5..844ce734f74 100644 --- a/.github/scripts/generate-positive-expective-results/main.py +++ b/.github/scripts/generate-positive-expective-results/main.py @@ -1,5 +1,6 @@ from runner import run_all from write_expected_results import write_positive_expected_results, write_skipped_queries_report +from run_skipped import main as run_skipped_main def main(): @@ -16,6 +17,11 @@ def main(): print("Writing skipped queries report...\n") write_skipped_queries_report(test_list) + # 4. Re-run skipped queries individually per test file + print(f"\n{'='*60}") + print("Re-running skipped queries with per-file scans...\n") + run_skipped_main() + if __name__ == "__main__": main() diff --git a/.github/scripts/generate-positive-expective-results/run_skipped.py b/.github/scripts/generate-positive-expective-results/run_skipped.py index 90f68ef0633..5a0cf323c84 100644 --- a/.github/scripts/generate-positive-expective-results/run_skipped.py +++ b/.github/scripts/generate-positive-expective-results/run_skipped.py @@ -110,8 +110,14 @@ def parse_results_from_file(results_file: Path) -> list[dict]: return results -def process_skipped_query(query: dict) -> list[dict]: - """Run per-file scans for a skipped query and return aggregated results.""" +def process_skipped_query(query: dict) -> dict[str, list[dict]]: + """Run per-file scans for a skipped query and return results grouped by destination. + + Returns a dict mapping destination paths (as strings) to their result lists. + For positive test files, results are grouped under the top-level test_path. + For positive test directories (which have their own positive_expected_result.json), + results are grouped under the subdirectory path. + """ query_id = query["id"] test_path = Path(query["test_path"]) results_dir = Path(query["results_file_path"]) @@ -121,16 +127,18 @@ def process_skipped_query(query: dict) -> list[dict]: if not test_path.is_dir(): print(" ⚠ Test directory not found") - return [] + return {} positive_files = get_positive_test_files(test_path) if not positive_files: print(" ⚠ No positive test files found") - return [] + return {} print(f" Positive files: {[f.name for f in positive_files]}") - all_results = [] + # Group results by destination: top-level test_path for files, subdirectory for directories + results_by_dest: dict[str, list[dict]] = {} + for test_file in positive_files: payload_file = get_payload_for_test(test_file, payload_dir) print(f"\n [{test_file.name}] payload → {payload_file.name}") @@ -149,9 +157,16 @@ def process_skipped_query(query: dict) -> list[dict]: file_results = parse_results_from_file(output_file) print(f" → {len(file_results)} result(s) found") - all_results.extend(file_results) - return all_results + # Determine destination: subdirectory gets its own positive_expected_result.json + if test_file.is_dir(): + dest = str(test_file) + else: + dest = str(test_path) + + results_by_dest.setdefault(dest, []).extend(file_results) + + return results_by_dest def write_positive_expected_result(test_path: Path, results: list[dict]) -> None: @@ -187,14 +202,16 @@ def main() -> None: for i, query in enumerate(skipped_queries, start=1): print(f"\n[{i}/{total}] Query: {query['id']}") - results = process_skipped_query(query) + results_by_dest = process_skipped_query(query) - if not results: + if not results_by_dest: print(" ⚠ No results produced — skipping positive_expected_result.json") still_skipped.append(query["id"]) continue - write_positive_expected_result(Path(query["test_path"]), results) + for dest_path, results in results_by_dest.items(): + if results: + write_positive_expected_result(Path(dest_path), results) print(f"\n{'=' * 60}") succeeded = total - len(still_skipped) diff --git a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json index c4f767ef48a..0300c79f74e 100644 --- a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json +++ b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json @@ -26,8 +26,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T09:50:40.373333785Z", - "end": "2026-03-10T09:50:41.42904951Z", + "start": "2026-03-10T14:53:46.607674039Z", + "end": "2026-03-10T14:53:47.006405134Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test" ], @@ -61,8 +61,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T09:56:40.654558993Z", - "end": "2026-03-10T09:56:41.08021575Z", + "start": "2026-03-10T15:02:25.593818306Z", + "end": "2026-03-10T15:02:26.116217563Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test" ], @@ -96,8 +96,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:08:22.975031393Z", - "end": "2026-03-10T10:08:23.502338168Z", + "start": "2026-03-10T15:13:57.507354521Z", + "end": "2026-03-10T15:13:57.893460826Z", "paths": [ "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" ], @@ -131,8 +131,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:39.96934281Z", - "end": "2026-03-10T10:35:40.363185192Z", + "start": "2026-03-10T15:41:34.169229294Z", + "end": "2026-03-10T15:41:34.64605518Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test" ], @@ -166,8 +166,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:41.487879903Z", - "end": "2026-03-10T10:35:41.883123189Z", + "start": "2026-03-10T15:41:36.3876682Z", + "end": "2026-03-10T15:41:36.898643621Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test" ], @@ -201,8 +201,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:42.999894705Z", - "end": "2026-03-10T10:35:43.386747991Z", + "start": "2026-03-10T15:41:39.084678364Z", + "end": "2026-03-10T15:41:39.555173138Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test" ], @@ -236,8 +236,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:44.557565359Z", - "end": "2026-03-10T10:35:44.933280039Z", + "start": "2026-03-10T15:41:41.399525019Z", + "end": "2026-03-10T15:41:41.912024454Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test" ], @@ -271,8 +271,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:46.117743929Z", - "end": "2026-03-10T10:35:46.480237804Z", + "start": "2026-03-10T15:41:44.053372126Z", + "end": "2026-03-10T15:41:44.884172725Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test" ], @@ -306,8 +306,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:47.547157418Z", - "end": "2026-03-10T10:35:47.91013176Z", + "start": "2026-03-10T15:41:47.183986741Z", + "end": "2026-03-10T15:41:47.923680008Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test" ], @@ -341,8 +341,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:49.26455017Z", - "end": "2026-03-10T10:35:49.709881076Z", + "start": "2026-03-10T15:41:50.459484987Z", + "end": "2026-03-10T15:41:50.949910239Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test" ], @@ -376,8 +376,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:51.071943301Z", - "end": "2026-03-10T10:35:51.511123113Z", + "start": "2026-03-10T15:41:52.762161089Z", + "end": "2026-03-10T15:41:53.280330049Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test" ], @@ -411,8 +411,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:52.765083354Z", - "end": "2026-03-10T10:35:53.213700999Z", + "start": "2026-03-10T15:41:54.989824773Z", + "end": "2026-03-10T15:41:55.834692885Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test" ], @@ -446,8 +446,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:35:54.549384235Z", - "end": "2026-03-10T10:35:54.944776943Z", + "start": "2026-03-10T15:41:57.517448938Z", + "end": "2026-03-10T15:41:58.070237141Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test" ], @@ -481,8 +481,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:37:42.315642653Z", - "end": "2026-03-10T10:37:42.739224631Z", + "start": "2026-03-10T15:44:36.795482746Z", + "end": "2026-03-10T15:44:37.389720721Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test" ], @@ -490,7 +490,7 @@ } }, { - "id": "", + "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", "return_code": 0, @@ -516,8 +516,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T10:40:19.203678117Z", - "end": "2026-03-10T10:40:19.576151492Z", + "start": "2026-03-10T15:48:11.696935812Z", + "end": "2026-03-10T15:48:12.272461036Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test" ], diff --git a/.github/scripts/generate-positive-expective-results/write_expected_results.py b/.github/scripts/generate-positive-expective-results/write_expected_results.py index 8ab404055c3..926bac45405 100644 --- a/.github/scripts/generate-positive-expective-results/write_expected_results.py +++ b/.github/scripts/generate-positive-expective-results/write_expected_results.py @@ -28,8 +28,41 @@ def deduplicate_results(results: list[dict]) -> list[dict]: return deduplicated +def _get_subdir_filenames(test_dir: Path) -> dict[str, Path]: + """Build a mapping of filename -> subdirectory path for files inside positive subdirectories. + + Some test directories contain positive test subdirectories (e.g. positive2/) that have their + own files and their own positive_expected_result.json. This function maps filenames found + inside those subdirectories so results can be routed to the correct location. + """ + filename_to_subdir: dict[str, Path] = {} + for item in test_dir.iterdir(): + if item.is_dir() and item.name.startswith("positive"): + for child in item.iterdir(): + if child.is_file() and child.name != "positive_expected_result.json": + filename_to_subdir[child.name] = item + return filename_to_subdir + + +def _write_results_file(output_file: Path, results: list[dict]) -> None: + """Deduplicate, sort, and write results to a positive_expected_result.json file.""" + results = deduplicate_results(results) + results.sort(key=lambda r: ( + r["filename"], + r["line"] if isinstance(r["line"], int) else 0, + )) + output_file.parent.mkdir(parents=True, exist_ok=True) + with open(output_file, "w", encoding="utf-8") as f: + json.dump(results, f, indent=2, ensure_ascii=False) + + def write_positive_expected_results(test_list: TestList) -> None: - """For each query, write positive_expected_result.json in the test_path directory.""" + """For each query, write positive_expected_result.json in the test_path directory. + + When a test directory contains positive subdirectories (e.g. positive2/), results + for files inside those subdirectories are written to the subdirectory's own + positive_expected_result.json instead of the top-level one. + """ total = len(test_list.queries_list) written = 0 skipped = 0 @@ -43,11 +76,15 @@ def write_positive_expected_results(test_list: TestList) -> None: test_dir = Path(query.test_path) test_dir.mkdir(parents=True, exist_ok=True) - output_file = test_dir / "positive_expected_result.json" + # Map filenames inside positive subdirectories to their subdirectory + subdir_filenames = _get_subdir_filenames(test_dir) + + # Route results: top-level vs subdirectory + top_level_results: list[dict] = [] + subdir_results: dict[str, list[dict]] = {} - expected_results = [] for ri in query.results_info: - expected_results.append({ + result = { "queryName": ri.query_name, "severity": ri.severity, "line": int(ri.line) if ri.line.isdigit() else ri.line, @@ -58,20 +95,31 @@ def write_positive_expected_results(test_list: TestList) -> None: "searchValue": ri.search_value, "expectedValue": ri.expected_value, "actualValue": ri.actual_value, - }) - - expected_results = deduplicate_results(expected_results) - - expected_results.sort(key=lambda r: ( - r["filename"], - r["line"] if isinstance(r["line"], int) else 0, - )) - - with open(output_file, "w", encoding="utf-8") as f: - json.dump(expected_results, f, indent=2, ensure_ascii=False) - - print(f"[{i}/{total}] Wrote {output_file} ({len(expected_results)} results)") - written += 1 + } + + if ri.filename in subdir_filenames: + subdir_path = str(subdir_filenames[ri.filename]) + subdir_results.setdefault(subdir_path, []).append(result) + else: + top_level_results.append(result) + + # Write top-level positive_expected_result.json + if top_level_results: + output_file = test_dir / "positive_expected_result.json" + _write_results_file(output_file, top_level_results) + print(f"[{i}/{total}] Wrote {output_file} ({len(top_level_results)} results)") + written += 1 + + # Write subdirectory positive_expected_result.json files + for subdir_path, results in subdir_results.items(): + output_file = Path(subdir_path) / "positive_expected_result.json" + _write_results_file(output_file, results) + print(f"[{i}/{total}] Wrote {output_file} ({len(results)} results)") + written += 1 + + if not top_level_results and not subdir_results: + print(f"[{i}/{total}] Skipping query {query.id} — no results after routing") + skipped += 1 print(f"\nDone: {written} files written, {skipped} skipped") diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 3e690b42cdb..3e771070912 100644 --- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "community.aws.cloudtrail", "resourceName": "positive1", "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", - "searchValue": "cloudwatch_logs_log_group_arn", - "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" + "searchValue": "cloudwatch_logs_role_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -19,9 +19,9 @@ "resourceType": "community.aws.cloudtrail", "resourceName": "positive1", "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", - "searchValue": "cloudwatch_logs_role_arn", - "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" + "searchValue": "cloudwatch_logs_log_group_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index e65c30ae283..12f1ce3ddaa 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo2", "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -31,9 +31,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo2", "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo4", "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo4", "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo7", "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -215,18 +215,6 @@ "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 130, - "filename": "positive.yaml", - "resourceType": "azure_rm_securitygroup", - "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -242,14 +230,14 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142, + "line": 130, "filename": "positive.yaml", "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", - "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +247,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +259,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -283,9 +271,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +283,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +295,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +307,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +319,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +331,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +343,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +367,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +379,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +403,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +415,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -439,9 +427,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +439,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +451,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +475,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +499,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +511,20 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index 559f373aa5b..a13935f8428 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json @@ -127,9 +127,9 @@ "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", - "searchValue": "enableSoftDelete", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" }, { "queryName": "Key Vault Not Recoverable", @@ -139,8 +139,8 @@ "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", - "searchValue": "enablePurgeProtection", - "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index 61aa61c8f7f..2366467aa6e 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -78,10 +78,10 @@ "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -102,10 +102,10 @@ "filename": "positive2.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -174,10 +174,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -186,10 +186,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -198,10 +198,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -306,10 +306,10 @@ "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -318,10 +318,10 @@ "filename": "positive5.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -335,6 +335,18 @@ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", @@ -362,11 +374,11 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive6.bicep", + "line": 69, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" @@ -383,18 +395,6 @@ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 69, - "filename": "positive6.json", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" - }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", @@ -414,10 +414,10 @@ "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -426,10 +426,10 @@ "filename": "positive7.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 6b490d7063b..5c414a385cd 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -439,9 +439,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -715,9 +715,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -919,9 +919,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -931,9 +931,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -943,9 +943,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -955,9 +955,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1147,9 +1147,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1159,9 +1159,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1171,9 +1171,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1183,9 +1183,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1195,9 +1195,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1207,9 +1207,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1219,9 +1219,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1231,9 +1231,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1243,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1255,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1267,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1279,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1291,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1303,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1315,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1327,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1339,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1351,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1363,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1375,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1387,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1399,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1411,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1423,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1435,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1447,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1459,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1471,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1483,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1495,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1507,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1518,10 +1518,10 @@ "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1531,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1543,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1555,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1567,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1579,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1591,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1603,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1615,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1627,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1639,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1651,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1663,9 +1663,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1699,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1711,9 +1711,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1771,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1783,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1795,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1807,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1819,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1831,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1843,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1855,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1867,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1879,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1891,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1903,9 +1903,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1915,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1927,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1939,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1951,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1963,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1975,9 +1975,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1987,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1999,9 +1999,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2011,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2023,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2035,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2047,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index a31c51e95a7..f3d55d3b2e5 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -19,9 +19,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -31,9 +31,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1243,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1255,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1267,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1279,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1291,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1303,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1315,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1327,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1339,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1351,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1363,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1387,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1399,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1411,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1423,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1435,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1447,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1459,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1471,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1483,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1495,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1507,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1519,9 +1519,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1531,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1543,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1555,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1567,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1579,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1591,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1603,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1615,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1626,10 +1626,10 @@ "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1639,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1651,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1663,9 +1663,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1675,9 +1675,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1687,9 +1687,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1699,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1771,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1783,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1795,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1807,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1819,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1831,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1843,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1855,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1867,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1879,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1891,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1903,9 +1903,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1915,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1927,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1939,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1951,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1963,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1975,9 +1975,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1987,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1999,9 +1999,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2011,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2023,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2035,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2047,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2059,9 +2059,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2071,9 +2071,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2083,9 +2083,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2095,9 +2095,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2107,9 +2107,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2119,9 +2119,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2131,9 +2131,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2143,9 +2143,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 576b1448a3a..a2e577a971e 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "MinimumProtocolVersion", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -19,9 +19,9 @@ "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "SslSupportMethod", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index a019f29a555..e51edb86b26 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -144,7 +144,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 17, "filename": "positive14.tf", @@ -168,7 +168,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 14, "filename": "positive15.tf", @@ -468,7 +468,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - CloudFormation Secret Template", + "queryName": "Passwords And Secrets - Twilio API Key", "severity": "HIGH", "line": 4, "filename": "positive31.yaml", @@ -552,7 +552,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - CloudFormation Secret Template", + "queryName": "Passwords And Secrets - Twilio API Key", "severity": "HIGH", "line": 16, "filename": "positive38.yaml", @@ -588,7 +588,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 14, "filename": "positive40.tf", @@ -600,7 +600,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 15, "filename": "positive40.tf", diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index d5422bb6e05..9fb8ec0807a 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -79,9 +79,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pyqt5", - "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -139,9 +139,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -151,9 +151,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pip", - "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -175,9 +175,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -187,8 +187,8 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-qt4", - "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" } ] \ No newline at end of file diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json index 5894b440cc0..e0fad579f92 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "networkPolicy", - "expectedValue": "'networkPolicy' should be defined and not null", - "actualValue": "'networkPolicy' is undefined or null" + "searchValue": "addonsConfig", + "expectedValue": "'addonsConfig' should be defined and not null", + "actualValue": "'addonsConfig' is undefined or null" }, { "queryName": "Network Policy Disabled", @@ -19,9 +19,9 @@ "resourceType": "container.v1.cluster", "resourceName": "cluster", "searchKey": "resources.name={{cluster}}.properties", - "searchValue": "addonsConfig", - "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" + "searchValue": "networkPolicy", + "expectedValue": "'networkPolicy' should be defined and not null", + "actualValue": "'networkPolicy' is undefined or null" }, { "queryName": "Network Policy Disabled", diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 96743021848..54546a0f94c 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -43,9 +43,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -55,9 +55,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "deployments", - "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -67,9 +67,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods", - "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -79,9 +79,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -91,9 +91,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -103,9 +103,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -115,9 +115,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -127,9 +127,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -139,9 +139,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -151,9 +151,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -163,9 +163,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -175,9 +175,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -187,9 +187,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "tokenreviews", - "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index ba3d79510b0..a52a863b449 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "--tls-cert-file", - "expectedValue": "TLS --tls-cert-file connection setting should be set", - "actualValue": "TLS --tls-cert-file connection not set" + "searchValue": "--tls-private-key-file", + "expectedValue": "TLS --tls-private-key-file connection setting should be set", + "actualValue": "TLS --tls-private-key-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -19,9 +19,9 @@ "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "--tls-private-key-file", - "expectedValue": "TLS --tls-private-key-file connection setting should be set", - "actualValue": "TLS --tls-private-key-file connection not set" + "searchValue": "--tls-cert-file", + "expectedValue": "TLS --tls-cert-file connection setting should be set", + "actualValue": "TLS --tls-cert-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -31,9 +31,9 @@ "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "tlsPrivateKeyFile", - "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", - "actualValue": "TLS tlsPrivateKeyFile connection not set" + "searchValue": "tlsCertFile", + "expectedValue": "TLS tlsCertFile connection setting should be set", + "actualValue": "TLS tlsCertFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -43,9 +43,9 @@ "resourceType": "KubeletConfiguration", "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", - "searchValue": "tlsCertFile", - "expectedValue": "TLS tlsCertFile connection setting should be set", - "actualValue": "TLS tlsCertFile connection not set" + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 0ab1b2ad766..760970d4f0c 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -31,9 +31,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index c50b32466b7..7df036ca432 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json @@ -56,8 +56,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", - "expectedValue": "Type string should not have enum and constraining keywords", - "actualValue": "Type string has enum and maxLength" + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum" }, { "queryName": "Constraining Enum Property", @@ -68,8 +68,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", - "expectedValue": "Type numeric should not have enum and constraining keywords", - "actualValue": "Type numeric has enum and minimum" + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength" }, { "queryName": "Constraining Enum Property", diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index e8cebcabeed..fc0088c51c5 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -32,8 +32,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", @@ -44,8 +44,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", @@ -92,8 +92,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", @@ -104,8 +104,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index 0ba9c48f934..32099f4f301 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -19,9 +19,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -43,9 +43,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "404 response", - "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -55,9 +55,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -67,9 +67,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -79,9 +79,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -103,9 +103,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -139,9 +139,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -151,9 +151,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -187,9 +187,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -199,9 +199,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -211,9 +211,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -235,9 +235,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -247,9 +247,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", @@ -259,9 +259,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index b92ed9adaf4..e3f368f397d 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "alicloud_cs_kubernetes", "resourceName": "positive1", "searchKey": "alicloud_cs_kubernetes[positive1]", - "searchValue": "pod_vswitch_ids", - "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", - "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", @@ -19,9 +19,9 @@ "resourceType": "alicloud_cs_kubernetes", "resourceName": "positive1", "searchKey": "alicloud_cs_kubernetes[positive1]", - "searchValue": "terway-eniip", - "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", - "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index fec61841ec6..188b3bfc6c8 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -92,8 +92,8 @@ "resourceName": "positive5_${var.environment}", "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", - "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" + "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -104,8 +104,8 @@ "resourceName": "positive5_${var.environment}", "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", - "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" + "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" }, { "queryName": "IAM policy allows for data exfiltration", diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 611c2843e92..643c39dd0de 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_redshift_cluster", "resourceName": "positive1", "searchKey": "aws_redshift_cluster[positive1]", - "searchValue": "cluster_subnet_group_name", - "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", - "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" + "searchValue": "vpc_security_group_ids", + "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" }, { "queryName": "Redshift Cluster Without VPC", @@ -19,8 +19,8 @@ "resourceType": "aws_redshift_cluster", "resourceName": "positive1", "searchKey": "aws_redshift_cluster[positive1]", - "searchValue": "vpc_security_group_ids", - "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", - "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" + "searchValue": "cluster_subnet_group_name", + "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 05191e4f36d..79c6b1e35c4 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -19,9 +19,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index e773e7695c6..f24183e28fe 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -19,9 +19,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -187,9 +187,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -199,9 +199,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -247,9 +247,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -259,9 +259,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index e4b48407206..b2c70bdde8e 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -19,9 +19,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv4_1", "searchKey": "aws_security_group[positive1_ipv4_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -187,9 +187,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -199,9 +199,9 @@ "resourceType": "aws_vpc_security_group_ingress_rule", "resourceName": "positive2_ipv6_1", "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -307,9 +307,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,9 +319,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv6_1", "searchKey": "aws_security_group_rule[positive3_ipv6_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -367,9 +367,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -379,9 +379,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -427,9 +427,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -439,9 +439,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 59aafcf228b..58a6372afc6 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "0", - "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -67,9 +67,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "2", - "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 62b0aeca3e5..5df8899e9d1 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index efdfab3f9c0..d3d0bff0da8 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json index bd00b85a2e9..7b7a83ec863 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -1,5 +1,5 @@ [ - { + { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", "severity": "MEDIUM", "line": 9, diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json index df7ec6ee0e6..892b458dbf7 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json index 0ec2da06fea..8b59acc998b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json index f15c3a124bd..0d4f101c7a3 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json @@ -1,39 +1,2 @@ [ - - { - "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3_1.tf", - "resourceType": "azurerm_monitor_activity_log_alert", - "resourceName": "example-activitylogalert", - "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", - "searchValue": "", - "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3_2.tf", - "resourceType": "azurerm_monitor_activity_log_alert", - "resourceName": "example-activitylogalert", - "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", - "searchValue": "", - "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", - "severity": "MEDIUM", - "line": 9, - "filename": "positive4_1.tf", - "resourceType": "azurerm_monitor_activity_log_alert", - "resourceName": "example-activitylogalert", - "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", - "searchValue": "", - "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" - } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 68f807805b9..4a94d677b72 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -11,6 +11,18 @@ "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", "actualValue": "Cassandra OpsCenter (UDP61621) is allowed" }, + { + "queryName": "Sensitive Port Is Exposed To Entire Network", + "severity": "HIGH", + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" + }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -26,14 +38,14 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22, + "line": 36, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -55,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -91,21 +103,21 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -119,18 +131,6 @@ "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP23) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Entire Network", - "severity": "HIGH", - "line": 50, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP80) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP110) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP139) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP53) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP137) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP20) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP139) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP135) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP110) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP135) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP137) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP20) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index ebaa15aa71a..22c52114db8 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -31,9 +31,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -187,9 +187,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -223,9 +223,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 05cebc65f4a..e6c94551e2e 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -35,6 +35,18 @@ "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" + }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", @@ -67,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -98,14 +110,14 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36, + "line": 50, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -119,18 +131,6 @@ "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 50, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", @@ -155,18 +155,6 @@ "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 92, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", @@ -206,23 +194,23 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 106, + "line": 92, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120, + "line": 106, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", "actualValue": "Telnet (TCP:23) is allowed" @@ -242,14 +230,14 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134, + "line": 120, "filename": "positive.tf", "resourceType": "azurerm_network_security_rule", "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -263,18 +251,6 @@ "expectedValue": "HTTP (UDP:80) should not be allowed", "actualValue": "HTTP (UDP:80) is allowed" }, - { - "queryName": "Sensitive Port Is Exposed To Wide Private Network", - "severity": "LOW", - "line": 134, - "filename": "positive.tf", - "resourceType": "azurerm_network_security_rule", - "resourceName": "example", - "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" - }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", @@ -295,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -331,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -343,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -355,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -367,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -391,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -403,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -415,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -427,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -439,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -451,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -463,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -475,9 +451,33 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + }, + { + "queryName": "Sensitive Port Is Exposed To Wide Private Network", + "severity": "LOW", + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" } ] \ No newline at end of file From e9fc0f2379964fc22f0993355b030b4fdf3c4244 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 10 Mar 2026 21:49:13 +0000 Subject: [PATCH 10/22] changed positive_expected_results --- .../run_skipped.py | 8 +- .../runner.py | 9 +- .../skipped_queries_report.json | 60 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 180 ++-- .../test/positive_expected_result.json | 80 +- .../test/positive_expected_result.json | 896 ++++++++--------- .../test/positive_expected_result.json | 938 +++++++++--------- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 - .../test/positive_expected_result.json | 54 +- .../test/positive_expected_result.json | 84 +- .../test/positive_expected_result.json | 12 - .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 16 +- .../test/positive_expected_result.json | 108 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../positive2/positive_expected_result.json | 22 +- .../test/positive_expected_result.json | 24 - .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 24 - .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 12 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 2 +- .../positive3/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 2 +- .../positive6/positive_expected_result.json | 10 +- .../test/positive_expected_result.json | 210 ++-- .../test/positive_expected_result.json | 228 ++--- .../test/positive_expected_result.json | 198 ++-- 62 files changed, 1696 insertions(+), 1737 deletions(-) diff --git a/.github/scripts/generate-positive-expective-results/run_skipped.py b/.github/scripts/generate-positive-expective-results/run_skipped.py index 5a0cf323c84..7ff822a54f5 100644 --- a/.github/scripts/generate-positive-expective-results/run_skipped.py +++ b/.github/scripts/generate-positive-expective-results/run_skipped.py @@ -93,7 +93,13 @@ def parse_results_from_file(results_file: Path) -> list[dict]: query_name = q.get("query_name", "") severity = q.get("severity", "") for file_entry in q.get("files", []): - filename = Path(file_entry.get("file_name", "")).name + file_path = Path(file_entry.get("file_name", "")) + filename = file_path.name + + # Skip results from negative test files + if not filename.startswith("positive") and not file_path.parent.name.startswith("positive"): + continue + results.append({ "queryName": query_name, "severity": severity, diff --git a/.github/scripts/generate-positive-expective-results/runner.py b/.github/scripts/generate-positive-expective-results/runner.py index cef0fa1bc30..81e1f66d96d 100644 --- a/.github/scripts/generate-positive-expective-results/runner.py +++ b/.github/scripts/generate-positive-expective-results/runner.py @@ -48,7 +48,14 @@ def parse_results(query: QueryInfo) -> list[ResultInfo]: severity = q.get("severity", "") for file_entry in q.get("files", []): - filename = Path(file_entry.get("file_name", "")).name + file_path = Path(file_entry.get("file_name", "")) + filename = file_path.name + + # Skip results from negative test files — only positive files belong + # in positive_expected_result.json. Also check the parent directory name + # for cases where positive tests live inside subdirectories (e.g. positive2/). + if not filename.startswith("positive") and not file_path.parent.name.startswith("positive"): + continue results.append(ResultInfo( query_name=query_name, diff --git a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json index 0300c79f74e..8fd9fd8c43c 100644 --- a/.github/scripts/generate-positive-expective-results/skipped_queries_report.json +++ b/.github/scripts/generate-positive-expective-results/skipped_queries_report.json @@ -26,8 +26,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T14:53:46.607674039Z", - "end": "2026-03-10T14:53:47.006405134Z", + "start": "2026-03-10T21:09:36.862538133Z", + "end": "2026-03-10T21:09:37.125576984Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test" ], @@ -61,8 +61,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:02:25.593818306Z", - "end": "2026-03-10T15:02:26.116217563Z", + "start": "2026-03-10T21:14:10.140367518Z", + "end": "2026-03-10T21:14:10.430882489Z", "paths": [ "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test" ], @@ -96,8 +96,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:13:57.507354521Z", - "end": "2026-03-10T15:13:57.893460826Z", + "start": "2026-03-10T21:21:17.55744331Z", + "end": "2026-03-10T21:21:17.854914524Z", "paths": [ "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" ], @@ -131,8 +131,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:34.169229294Z", - "end": "2026-03-10T15:41:34.64605518Z", + "start": "2026-03-10T21:36:41.360706913Z", + "end": "2026-03-10T21:36:41.728017239Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test" ], @@ -166,8 +166,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:36.3876682Z", - "end": "2026-03-10T15:41:36.898643621Z", + "start": "2026-03-10T21:36:42.947693087Z", + "end": "2026-03-10T21:36:43.329669351Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test" ], @@ -201,8 +201,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:39.084678364Z", - "end": "2026-03-10T15:41:39.555173138Z", + "start": "2026-03-10T21:36:44.496885909Z", + "end": "2026-03-10T21:36:44.883018849Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test" ], @@ -236,8 +236,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:41.399525019Z", - "end": "2026-03-10T15:41:41.912024454Z", + "start": "2026-03-10T21:36:46.245238204Z", + "end": "2026-03-10T21:36:46.758666376Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test" ], @@ -271,8 +271,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:44.053372126Z", - "end": "2026-03-10T15:41:44.884172725Z", + "start": "2026-03-10T21:36:48.132274021Z", + "end": "2026-03-10T21:36:48.519158635Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test" ], @@ -306,8 +306,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:47.183986741Z", - "end": "2026-03-10T15:41:47.923680008Z", + "start": "2026-03-10T21:36:50.245121761Z", + "end": "2026-03-10T21:36:50.627450482Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test" ], @@ -341,8 +341,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:50.459484987Z", - "end": "2026-03-10T15:41:50.949910239Z", + "start": "2026-03-10T21:36:51.897827526Z", + "end": "2026-03-10T21:36:52.284502912Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test" ], @@ -376,8 +376,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:52.762161089Z", - "end": "2026-03-10T15:41:53.280330049Z", + "start": "2026-03-10T21:36:53.462302745Z", + "end": "2026-03-10T21:36:53.832331011Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test" ], @@ -411,8 +411,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:54.989824773Z", - "end": "2026-03-10T15:41:55.834692885Z", + "start": "2026-03-10T21:36:55.0886508Z", + "end": "2026-03-10T21:36:55.488912552Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test" ], @@ -446,8 +446,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:41:57.517448938Z", - "end": "2026-03-10T15:41:58.070237141Z", + "start": "2026-03-10T21:36:56.718499014Z", + "end": "2026-03-10T21:36:57.096622134Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test" ], @@ -481,8 +481,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:44:36.795482746Z", - "end": "2026-03-10T15:44:37.389720721Z", + "start": "2026-03-10T21:38:33.396715951Z", + "end": "2026-03-10T21:38:33.702529094Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test" ], @@ -516,8 +516,8 @@ }, "total_counter": 0, "total_bom_resources": 0, - "start": "2026-03-10T15:48:11.696935812Z", - "end": "2026-03-10T15:48:12.272461036Z", + "start": "2026-03-10T21:40:41.995856833Z", + "end": "2026-03-10T21:40:42.339995358Z", "paths": [ "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test" ], diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 3e771070912..3e690b42cdb 100644 --- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "community.aws.cloudtrail", "resourceName": "positive1", "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", - "searchValue": "cloudwatch_logs_role_arn", - "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" + "searchValue": "cloudwatch_logs_log_group_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -19,9 +19,9 @@ "resourceType": "community.aws.cloudtrail", "resourceName": "positive1", "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", - "searchValue": "cloudwatch_logs_log_group_arn", - "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" + "searchValue": "cloudwatch_logs_role_arn", + "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 12f1ce3ddaa..a03a8d6d87e 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo3", "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azure_rm_securitygroup", "resourceName": "foo9", "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index 2366467aa6e..68c473a472b 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -186,10 +186,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -198,10 +198,10 @@ "filename": "positive3.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -210,10 +210,10 @@ "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -222,10 +222,10 @@ "filename": "positive4.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", - "searchValue": "StorageRead", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -342,10 +342,10 @@ "filename": "positive6.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -354,10 +354,10 @@ "filename": "positive6.bicep", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", - "searchValue": "StorageDelete", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -371,18 +371,6 @@ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" }, - { - "queryName": "Storage Logging For Read Write And Delete Requests Disabled", - "severity": "MEDIUM", - "line": 69, - "filename": "positive6.json", - "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", - "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", - "searchValue": "StorageWrite", - "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" - }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", @@ -410,11 +398,11 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 3, - "filename": "positive7.bicep", + "line": 69, + "filename": "positive6.json", "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", - "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", - "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" @@ -442,5 +430,17 @@ "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + }, + { + "queryName": "Storage Logging For Read Write And Delete Requests Disabled", + "severity": "MEDIUM", + "line": 3, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" } ] \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 5c414a385cd..1b05477797f 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -439,9 +439,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -715,9 +715,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -919,9 +919,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -931,9 +931,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -943,9 +943,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -955,9 +955,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1159,9 +1159,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1171,9 +1171,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1183,9 +1183,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1195,9 +1195,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1207,9 +1207,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1219,9 +1219,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1231,9 +1231,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:161", - "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1243,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1255,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1267,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1279,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1291,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1303,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1315,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1327,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1339,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1351,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1363,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1375,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1387,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1399,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1411,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1423,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:161", - "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1435,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1447,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1459,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1471,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1483,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1495,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1507,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1518,10 +1518,10 @@ "filename": "positive3.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", - "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1531,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1543,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:389", - "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1555,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1567,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1579,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1591,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1603,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1615,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1627,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1651,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1663,9 +1663,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1675,9 +1675,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1687,9 +1687,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1699,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1711,9 +1711,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1771,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1783,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1795,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1807,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1819,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:389", - "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1831,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1843,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1855,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1867,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1879,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1891,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1903,9 +1903,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1915,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1927,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1939,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1951,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1963,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1987,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1999,9 +1999,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2011,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2023,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2035,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/UDP:2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2047,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv6_1", "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", - "searchValue": "EC2Instance01/TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index f3d55d3b2e5..b31fa1b7d2b 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -19,9 +19,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -31,9 +31,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5500", - "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -79,9 +79,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -91,9 +91,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -139,9 +139,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -151,9 +151,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -211,9 +211,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -223,9 +223,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -235,9 +235,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -439,9 +439,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -523,9 +523,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -535,9 +535,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -547,9 +547,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -559,9 +559,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -571,9 +571,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -583,9 +583,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -595,9 +595,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -607,9 +607,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -619,9 +619,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -631,9 +631,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -643,9 +643,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -655,9 +655,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -667,9 +667,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -679,9 +679,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -691,9 +691,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -703,9 +703,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -715,9 +715,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -727,9 +727,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -739,9 +739,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -751,9 +751,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -763,9 +763,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -775,9 +775,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -787,9 +787,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -799,9 +799,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -811,9 +811,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -823,9 +823,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -835,9 +835,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -847,9 +847,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -859,9 +859,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -871,9 +871,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -883,9 +883,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -895,9 +895,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -907,9 +907,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1111,9 +1111,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1135,9 +1135,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1243,9 +1243,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1434", - "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1255,9 +1255,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1267,9 +1267,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9000", - "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1279,9 +1279,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1291,9 +1291,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1303,9 +1303,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1315,9 +1315,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9160", - "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1327,9 +1327,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9200", - "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1339,9 +1339,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8020", - "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1351,9 +1351,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8140", - "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1363,9 +1363,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50470", - "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1375,9 +1375,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4506", - "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1387,9 +1387,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1399,9 +1399,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1411,9 +1411,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1423,9 +1423,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2383", - "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1435,9 +1435,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11215", - "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1447,9 +1447,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11214", - "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1459,9 +1459,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,161", - "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1471,9 +1471,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2382", - "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1483,9 +1483,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,445", - "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1495,9 +1495,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2375", - "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1507,9 +1507,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9300", - "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1519,9 +1519,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1531,9 +1531,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,389", - "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1543,9 +1543,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11211", - "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1555,9 +1555,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3389", - "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1567,9 +1567,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5985", - "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1579,9 +1579,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,636", - "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1591,9 +1591,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,161", - "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1603,9 +1603,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8888", - "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1615,9 +1615,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,389", - "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1627,9 +1627,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9090", - "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1639,9 +1639,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1651,9 +1651,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7000", - "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1662,10 +1662,10 @@ "filename": "positive5.json", "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", - "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61621", - "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1675,9 +1675,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1687,9 +1687,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,443", - "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1699,9 +1699,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5432", - "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1711,9 +1711,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1433", - "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1723,9 +1723,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1735,9 +1735,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,5432", - "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1747,9 +1747,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3000", - "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1759,9 +1759,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1771,9 +1771,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1783,9 +1783,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1795,9 +1795,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3306", - "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1807,9 +1807,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1819,9 +1819,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11215", - "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1831,9 +1831,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1521", - "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1843,9 +1843,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1855,9 +1855,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5601", - "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1867,9 +1867,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,1522", - "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1879,9 +1879,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,50070", - "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1891,9 +1891,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8000", - "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1903,9 +1903,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2483", - "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1915,9 +1915,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7199", - "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1927,9 +1927,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2376", - "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1939,9 +1939,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,3020", - "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1951,9 +1951,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27017", - "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1963,9 +1963,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,27018", - "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1975,9 +1975,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4505", - "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1987,9 +1987,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,11214", - "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2011,9 +2011,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,5900", - "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2023,9 +2023,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,2484", - "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2035,9 +2035,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2047,9 +2047,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,8080", - "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2059,9 +2059,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2071,9 +2071,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,9042", - "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2083,9 +2083,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "UDP,11211", - "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2095,9 +2095,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,6379", - "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2107,9 +2107,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2119,9 +2119,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,7001", - "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2131,9 +2131,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,61620", - "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2143,9 +2143,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "Positive1IPv4_1", "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", - "searchValue": "TCP,4333", - "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2347,9 +2347,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2483", - "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2359,9 +2359,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,2484", - "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2371,9 +2371,9 @@ "resourceType": "AWS::EC2::SecurityGroup", "resourceName": "InstancesSecGroup", "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", - "searchValue": "UDP,1434", - "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index a2e577a971e..576b1448a3a 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "SslSupportMethod", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -19,9 +19,9 @@ "resourceType": "AWS::CloudFront::Distribution", "resourceName": "myDistribution", "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", - "searchValue": "MinimumProtocolVersion", - "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" }, { "queryName": "Vulnerable Default SSL Certificate", diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index e51edb86b26..a019f29a555 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -144,7 +144,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Context-specific credential", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 17, "filename": "positive14.tf", @@ -168,7 +168,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Context-specific credential", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, "filename": "positive15.tf", @@ -468,7 +468,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - Twilio API Key", + "queryName": "Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 4, "filename": "positive31.yaml", @@ -552,7 +552,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - Twilio API Key", + "queryName": "Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 16, "filename": "positive38.yaml", @@ -588,7 +588,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Context-specific credential", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, "filename": "positive40.tf", @@ -600,7 +600,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Context-specific credential", + "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 15, "filename": "positive40.tf", diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 8c7c586c222..0642c0580f0 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "RDS DB Instance Publicly Accessible", - "severity": "CRITICAL", - "line": 11, - "filename": "negative2.yaml", - "resourceType": "RDSInstance", - "resourceName": "my-rds-instance", - "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", - "searchValue": "", - "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", - "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it" - }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index 9fb8ec0807a..b51583a87bc 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-qt4", - "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -55,9 +55,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pyqt5", - "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -67,9 +67,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -79,9 +79,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -91,9 +91,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pip", - "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -139,9 +139,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pyside", - "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -151,9 +151,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-qt4", - "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -163,9 +163,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python3-pyqt5", - "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -175,9 +175,9 @@ "resourceType": "", "resourceName": "", "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", - "searchValue": "python-pip", - "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined" }, { "queryName": "Apt Get Install Pin Version Not Defined", diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 54546a0f94c..06f9cd8edbf 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "deployments", - "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -19,9 +19,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -31,9 +31,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "tokenreviews", - "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -43,9 +43,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -55,9 +55,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods", - "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -67,9 +67,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -79,9 +79,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -91,9 +91,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -103,9 +103,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "services/proxy", - "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -115,9 +115,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "configmaps", - "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -127,9 +127,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/proxy", - "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -139,9 +139,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/exec", - "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -151,9 +151,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "pods/portforward", - "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -175,9 +175,9 @@ "resourceType": "Policy", "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", - "searchValue": "secrets", - "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 610abd86e64..0e171f32309 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json @@ -1,16 +1,4 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 6, - "filename": "negative.yaml", - "resourceType": "Pod", - "resourceName": "pod1", - "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", - "searchValue": "", - "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", - "actualValue": "'spec.serviceAccountName' is shared with other workloads" - }, { "queryName": "Shared Service Account", "severity": "MEDIUM", diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index a52a863b449..e8cb16c7bd9 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "--tls-private-key-file", - "expectedValue": "TLS --tls-private-key-file connection setting should be set", - "actualValue": "TLS --tls-private-key-file connection not set" + "searchValue": "--tls-cert-file", + "expectedValue": "TLS --tls-cert-file connection setting should be set", + "actualValue": "TLS --tls-cert-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -19,9 +19,9 @@ "resourceType": "Pod", "resourceName": "command-demo", "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", - "searchValue": "--tls-cert-file", - "expectedValue": "TLS --tls-cert-file connection setting should be set", - "actualValue": "TLS --tls-cert-file connection not set" + "searchValue": "--tls-private-key-file", + "expectedValue": "TLS --tls-private-key-file connection setting should be set", + "actualValue": "TLS --tls-private-key-file connection not set" }, { "queryName": "TSL Connection Certificate Not Setup", diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 760970d4f0c..0ab1b2ad766 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodrecursiveReadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -31,9 +31,9 @@ "resourceType": "Pod", "resourceName": "pod-0", "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", - "searchValue": "PodreadOnly", - "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" }, { "queryName": "Volume Mount With OS Directory Write Permissions", diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index fc0088c51c5..c470df1ccab 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -32,8 +32,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", @@ -44,8 +44,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", @@ -116,8 +116,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format" }, { "queryName": "Invalid Format (v3)", @@ -128,8 +128,8 @@ "resourceName": "", "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", - "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format" }, { "queryName": "Invalid Format (v3)", diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index 32099f4f301..abc645c831d 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -19,9 +19,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -31,9 +31,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -43,9 +43,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -67,9 +67,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -91,9 +91,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "200 response", - "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -103,9 +103,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -151,9 +151,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -175,9 +175,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -187,9 +187,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "415 response", - "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -199,9 +199,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "429 response", - "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -211,9 +211,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "400 response", - "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -223,9 +223,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "200 response", - "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -235,9 +235,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{options}}.responses", - "searchValue": "500 response", - "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined" }, { "queryName": "Response Code Missing (v3)", @@ -247,9 +247,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v3)", @@ -259,9 +259,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", @@ -271,9 +271,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "403 response", - "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", @@ -283,9 +283,9 @@ "resourceType": "", "resourceName": "", "searchKey": "paths.{{/item}}.{{put}}.responses", - "searchValue": "401 response", - "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined" }, { "queryName": "Response Code Missing (v2)", diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index c53aa666361..3ea58369b43 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json @@ -151,9 +151,9 @@ "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "oss_bucket_name", - "expectedValue": "oss_bucket_name should be set.", - "actualValue": "oss_bucket_name is not set." + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set." }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -163,8 +163,8 @@ "resourceType": "alicloud_actiontrail_trail", "resourceName": "action-trail", "searchKey": "alicloud_actiontrail_trail[actiontrail10]", - "searchValue": "event_rw", - "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": "oss_bucket_name is not set." } ] \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 97533308e12..90504004d6e 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "alicloud_db_instance", "resourceName": "default", "searchKey": "alicloud_db_instance[default]", - "searchValue": "sql_collector_config_value", + "searchValue": "sql_collector_status", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is not defined" + "actualValue": "'sql_collector_status' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -19,9 +19,9 @@ "resourceType": "alicloud_db_instance", "resourceName": "default", "searchKey": "alicloud_db_instance[default]", - "searchValue": "sql_collector_status", + "searchValue": "sql_collector_config_value", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_status' is not defined" + "actualValue": "'sql_collector_config_value' is not defined" }, { "queryName": "RDS Instance Retention Period Not Recommended", diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json index 9694db417c6..45c5f0a56c4 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive2_1.tf", - "line": 1 + "line": 1, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive2_1.tf", - "line": 5 + "line": 5, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index bc2eac019ef..57b1272290f 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -22,29 +22,5 @@ "searchValue": "", "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" - }, - { - "queryName": "IAM Group Without Users", - "severity": "MEDIUM", - "line": 1, - "filename": "positive2_1.tf", - "resourceType": "aws_iam_group", - "resourceName": "test-group", - "searchKey": "aws_iam_group[group2]", - "searchValue": "", - "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" - }, - { - "queryName": "IAM Group Without Users", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2_1.tf", - "resourceType": "aws_iam_group", - "resourceName": "test-group", - "searchKey": "aws_iam_group[group3]", - "searchValue": "", - "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 188b3bfc6c8..223188e63ec 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_iam_policy", "resourceName": "positive1_${var.environment}", "searchKey": "aws_iam_policy[positive1].policy", - "searchValue": "secretsmanager:GetSecretValue", - "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" + "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -19,9 +19,9 @@ "resourceType": "aws_iam_policy", "resourceName": "positive1_${var.environment}", "searchKey": "aws_iam_policy[positive1].policy", - "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", - "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -68,8 +68,8 @@ "resourceName": "positive4_${var.environment}", "searchKey": "aws_iam_user_policy[positive4].policy", "searchValue": "s3:GetObject", - "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]" + "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", @@ -80,8 +80,8 @@ "resourceName": "positive4_${var.environment}", "searchKey": "aws_iam_user_policy[positive4].policy", "searchValue": "s3:GetObject", - "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]" + "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]" }, { "queryName": "IAM policy allows for data exfiltration", diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index 044d2aa4b1d..c83001fc2fe 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -19,9 +19,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/positiveinlinepolicy1/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -31,9 +31,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", + "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", @@ -43,9 +43,9 @@ "resourceType": "aws_lambda_function", "resourceName": "lambda", "searchKey": "aws_lambda_function[positivefunction1].role", - "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", - "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "searchValue": "positiverole1/positiveinlinepolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" }, { "queryName": "Lambda Function With Privileged Role", diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 643c39dd0de..611c2843e92 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -7,9 +7,9 @@ "resourceType": "aws_redshift_cluster", "resourceName": "positive1", "searchKey": "aws_redshift_cluster[positive1]", - "searchValue": "vpc_security_group_ids", - "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", - "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" + "searchValue": "cluster_subnet_group_name", + "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" }, { "queryName": "Redshift Cluster Without VPC", @@ -19,8 +19,8 @@ "resourceType": "aws_redshift_cluster", "resourceName": "positive1", "searchKey": "aws_redshift_cluster[positive1]", - "searchValue": "cluster_subnet_group_name", - "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", - "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" + "searchValue": "vpc_security_group_ids", + "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index 1011c3cacbf..b47ae7c6712 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -1,28 +1,4 @@ [ - { - "queryName": "S3 Bucket Without Restriction Of Public Bucket", - "severity": "MEDIUM", - "line": 14, - "filename": "negative1.tf", - "resourceType": "aws_s3_bucket_public_access_block", - "resourceName": "restrict_public", - "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", - "searchValue": "", - "expectedValue": "'restrict_public_buckets' should equal 'true'", - "actualValue": "'restrict_public_buckets' is equal to 'false'" - }, - { - "queryName": "S3 Bucket Without Restriction Of Public Bucket", - "severity": "MEDIUM", - "line": 8, - "filename": "negative2.tf", - "resourceType": "aws_s3_bucket_public_access_block", - "resourceName": "restrict_public", - "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", - "searchValue": "", - "expectedValue": "'restrict_public_buckets' should equal 'true'", - "actualValue": "'restrict_public_buckets' is equal to 'false'" - }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 79c6b1e35c4..bfcf5db1e19 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -247,9 +247,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -367,9 +367,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index f24183e28fe..82a46ee832c 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -67,9 +67,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -79,9 +79,9 @@ "resourceType": "aws_security_group", "resourceName": "positive1_ipv6_1", "searchKey": "aws_security_group[positive1_ipv6_1].ingress", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -367,9 +367,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "n/a", "resourceName": "n/a", "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index b2c70bdde8e..1c24cda9e6a 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -247,9 +247,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -259,9 +259,9 @@ "resourceType": "aws_security_group_rule", "resourceName": "positive3_ipv4_1", "searchKey": "aws_security_group_rule[positive3_ipv4_1]", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 58a6372afc6..59aafcf228b 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -55,9 +55,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "2", - "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -67,9 +67,9 @@ "resourceType": "aws_sns_topic", "resourceName": "positive1", "searchKey": "aws_sns_topic[positive1].policy", - "searchValue": "0", - "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'" }, { "queryName": "SNS Topic is Publicly Accessible", diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json index 50692c2ef1c..60fc3ab71aa 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json index 851febf76ee..ab1a40bcdbd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json index 7f7e82f8ac5..bd10e919864 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index b463a778e02..91105343032 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json index 999ee7ee725..54bc3360ee5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json index e5c78bee858..a22f2a4cd3f 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json index 7b7a83ec863..706eaab97dd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index e6ffd1020e0..94ecfe7f81e 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index b18135378cd..e7493c47e74 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index b0318501b46..df5122e2306 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json index d7ca36ff6c6..784cbd5f074 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 3cb0e2bd17d..08b63f2af71 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json index 1f62940e0bd..ac5b35db21c 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json index ad567f72fbc..45185f5ebaf 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json index ae5e2b787b3..26f9a0b97bb 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json index 0e25b1f7492..261f0cf667b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 11d6104e899..7ddeaaff973 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json index c28a76eb0d0..8ecfd89e35d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json index a77648cf2fc..c21d49cc9fa 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 2309f69e71b..a3ba0417b4d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 8f4b7fa96e9..a35ea356314 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index bda79ec9a2d..7e15fb7e801 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json index 1be6fe43ee8..c7271b650f5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json index 892b458dbf7..4502b71fe72 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json index 8b59acc998b..d94e0cbab76 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 1cd00bba9e6..60e226c54cd 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -83,4 +83,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index f68bec89d13..c963ea02261 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -23,4 +23,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index 308fe0fb40f..e4d24cc8a78 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -11,4 +11,4 @@ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json index 88278bcc16b..3d390cdb6ff 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 3, - "fileName": "positive6_1.tf" + "filename": "positive6_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "", + "searchKey": "azurerm_subscription[positive6]", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 4a94d677b72..d3624caf085 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -31,9 +31,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -115,9 +115,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -127,9 +127,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -187,9 +187,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP53) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP20) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP80) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP135) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP80) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP137) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP139) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP137) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP139) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP20) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP135) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP110) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP110) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 22c52114db8..310efd0159c 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -19,9 +19,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -31,9 +31,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -55,9 +55,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -115,9 +115,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -127,9 +127,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -163,9 +163,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -187,9 +187,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -199,9 +199,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -223,9 +223,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -235,9 +235,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP,110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP,138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" } ] \ No newline at end of file diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index e6c94551e2e..50de9fc5c1d 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -43,9 +43,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -67,9 +67,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -79,9 +79,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -91,9 +91,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -103,9 +103,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -115,9 +115,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -127,9 +127,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -175,9 +175,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -187,9 +187,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -247,9 +247,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:80", - "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -259,9 +259,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:25", - "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -271,9 +271,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:21", - "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -283,9 +283,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:20", - "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -295,9 +295,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:110", - "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -307,9 +307,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:23", - "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -319,9 +319,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:135", - "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -331,9 +331,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:25", - "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -343,9 +343,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:137", - "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -355,9 +355,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:22", - "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -367,9 +367,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:23", - "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -379,9 +379,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:53", - "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -391,9 +391,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:139", - "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -403,9 +403,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:53", - "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -415,9 +415,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:20", - "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -427,9 +427,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:21", - "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -439,9 +439,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:135", - "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -451,9 +451,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:138", - "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -463,9 +463,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:138", - "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -475,9 +475,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:137", - "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -487,9 +487,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:139", - "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -499,9 +499,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:22", - "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -511,9 +511,9 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "UDP:110", - "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -523,8 +523,8 @@ "resourceType": "azurerm_network_security_rule", "resourceName": "example", "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", - "searchValue": "TCP:80", - "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed" } ] \ No newline at end of file From 7831795a8818cd107d3568f90ab8f43eccb85d01 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 11 Mar 2026 11:25:11 +0000 Subject: [PATCH 11/22] added positive vs expected in queryName validation --- test/queries_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/queries_test.go b/test/queries_test.go index 958ebda1580..2f80da8160f 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -375,7 +375,7 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera require.Equal(tb, expectedItem.Line, actualItem.Line, "Incorrect detected line for query %s \n%v\n---\n%v", dir, filterFileNameAndLine(expected), filterFileNameAndLine(actual)) require.Equal(tb, expectedItem.Severity, actualItem.Severity, "Invalid severity for query %s", dir) - require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: %s", dir, actualItem.FileName) + require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: Actual: %s | Expected: %s", dir, actualItem.FileName) if expectedItem.Value != nil { require.NotNil(tb, actualItem.Value) require.Equal(tb, *expectedItem.Value, *actualItem.Value) From 120324de2b8ad281554e8fc42e918079af0820a8 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 11 Mar 2026 16:58:24 +0000 Subject: [PATCH 12/22] sorted actual and expected structures using more fields --- test/queries_test.go | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/test/queries_test.go b/test/queries_test.go index 2f80da8160f..5974aa985cf 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -281,16 +281,37 @@ func testQuery(tb testing.TB, entry queryEntry, filesPath []string, expectedVuln } func vulnerabilityCompare(vulnerabilitySlice []model.Vulnerability, i, j int) bool { - if vulnerabilitySlice[i].FileName != "" { - compareFile := strings.Compare(filepath.Base(vulnerabilitySlice[i].FileName), filepath.Base(vulnerabilitySlice[j].FileName)) - if compareFile == 0 { - return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line - } else if compareFile < 0 { - return true + a := vulnerabilitySlice[i] + b := vulnerabilitySlice[j] + + if a.FileName != "" { + compareFile := strings.Compare(filepath.Base(a.FileName), filepath.Base(b.FileName)) + if compareFile != 0 { + return compareFile < 0 } - return false } - return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line + if a.Line != b.Line { + return a.Line < b.Line + } + if cmp := strings.Compare(a.SearchKey, b.SearchKey); cmp != 0 { + return cmp < 0 + } + if cmp := strings.Compare(a.SearchValue, b.SearchValue); cmp != 0 { + return cmp < 0 + } + if cmp := strings.Compare(a.ResourceType, b.ResourceType); cmp != 0 { + return cmp < 0 + } + if cmp := strings.Compare(a.ResourceName, b.ResourceName); cmp != 0 { + return cmp < 0 + } + if cmp := strings.Compare(a.QueryName, b.QueryName); cmp != 0 { + return cmp < 0 + } + if cmp := strings.Compare(a.KeyExpectedValue, b.KeyExpectedValue); cmp != 0 { + return cmp < 0 + } + return strings.Compare(a.KeyActualValue, b.KeyActualValue) < 0 } func validateQueryResultFields(tb testing.TB, vulnerabilities []model.Vulnerability) { From 6f384245cb64b7b6d7828a1ad4ad1e180ce3dcbd Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Sun, 15 Mar 2026 18:11:51 +0000 Subject: [PATCH 13/22] changed positive_expected_results --- .../test/positive_expected_result.json | 12 ++++++++++++ .../test/positive_expected_result.json | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index 48db0c8310a..5e04309310c 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -58,5 +58,17 @@ "searchValue": "", "expectedValue": "FROM test_fail_1:'version'", "actualValue": "FROM test_fail_1'" + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 10, + "filename": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{test3 AS test_fail_2}}", + "searchValue": "", + "expectedValue": "FROM test3:'version'", + "actualValue": "FROM test3'" } ] \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 0a1b53974ab..7f6863e8a68 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -10,5 +10,17 @@ "searchValue": "", "expectedValue": "'aws_alb[foo]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated" + }, + { + "queryName": "ALB Is Not Integrated With WAF", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[alb]", + "searchValue": "", + "expectedValue": "'aws_lb[alb]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_lb[alb]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated" } ] \ No newline at end of file From 325f25b229e40afa032f0f37a10791738003c360 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Sun, 15 Mar 2026 18:42:42 +0000 Subject: [PATCH 14/22] changed positive_expected_results.json --- .../test/positive_expected_result.json | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json index d3505f79294..e2146e3a44c 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json @@ -22,5 +22,125 @@ "searchValue": "", "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 5, + "filename": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 6, + "filename": "positive6.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 8, + "filename": "positive7.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 9, + "filename": "positive8.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 8, + "filename": "positive9.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyALB", + "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 9, + "filename": "positive10.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyALB", + "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 5, + "filename": "positive11.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Outbound Rules", + "severity": "MEDIUM", + "line": 6, + "filename": "positive12.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" } ] \ No newline at end of file From e06b23590df69d838898a39a8978c305621dd5b7 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Sun, 15 Mar 2026 23:13:06 +0000 Subject: [PATCH 15/22] changed positive_expected_result.json --- .../test/positive_expected_result.json | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json index 757cbe6cb21..da39fe93c8a 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json @@ -22,5 +22,29 @@ "searchValue": "", "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Inbound Rules", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined" + }, + { + "queryName": "ELB With Security Group Without Inbound Rules", + "severity": "MEDIUM", + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined" } ] \ No newline at end of file From 25ec4879a147ab5bc2adcb7290c37e3e5cff96f3 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Mon, 16 Mar 2026 23:55:02 +0000 Subject: [PATCH 16/22] solved all the errors in the queries besides passwords_and_secrets --- .../test/negative.json | 35 +++++++------------ .../test/positive.json | 2 ++ .../test/positive_expected_result.json | 12 +++++++ .../queries/k8s/tiller_is_deployed/query.rego | 2 +- .../query.rego | 6 ++-- .../test/positive_expected_result.json | 12 +++---- .../test/positive_expected_result.json | 4 +-- .../test/positive_expected_result.json | 4 +-- .../test/positive_expected_result.json | 4 +-- .../test/positive_expected_result.json | 24 +++++++++++++ .../test/positive_expected_result.json | 24 +++++++++++++ .../positive2/positive_expected_result.json | 24 +++++++++++-- .../positive3/positive_expected_result.json | 16 +++++++-- .../positive4/positive_expected_result.json | 18 ++++++++-- .../positive5/positive_expected_result.json | 8 ++++- .../test/positive_expected_result.json | 22 +++++++++--- 16 files changed, 164 insertions(+), 53 deletions(-) diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json index 74e9d872042..4055201320e 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json @@ -1,26 +1,15 @@ { - "name": "k8s-pod-network", - "cniVersion": "0.3.0", - "plugins": [ - { - "type": "calico", - "log_level": "info", - "datastore_type": "kubernetes", - "nodename": "127.0.0.1", - "ipam": { - "type": "host-local", - "subnet": "usePodCidr" - }, - "policy": { - "type": "k8s" - }, - "kubernetes": { - "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" - } - }, - { - "type": "portmap", - "capabilities": {"portMappings": true} + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "name": "kube-calico-cfg", + "namespace": "kube-system", + "labels": { + "tier": "node", + "app": "calico" } - ] + }, + "data": { + "cni-conf.json": "{\"name\":\"k8s-pod-network\",\"plugins\":[{\"type\":\"calico\",\"log_level\":\"info\",\"datastore_type\":\"kubernetes\",\"nodename\":\"127.0.0.1\",\"ipam\":{\"type\":\"host-local\",\"subnet\":\"usePodCidr\"},\"policy\":{\"type\":\"k8s\"},\"kubernetes\":{\"kubeconfig\":\"/etc/cni/net.d/calico-kubeconfig\"}},{\"type\":\"portmap\",\"capabilities\":{\"portMappings\":true}}]}" + } } diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json index f5af842cc4e..9d3e29b608b 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json @@ -1,4 +1,6 @@ { + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", "name": "k8s-pod-network", "cniVersion": "0.3.0", "plugins": [ diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json index 09ae1fd0b4f..06ce3211228 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json @@ -1,4 +1,16 @@ [ + { + "queryName": "CNI Plugin Does Not Support Network Policies", + "severity": "MEDIUM", + "line": 8, + "filename": "", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "plugins", + "searchValue": "", + "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", + "actualValue": "Plugins contains a plugin that does not support Network Policies" + }, { "queryName": "CNI Plugin Does Not Support Network Policies", "severity": "MEDIUM", diff --git a/assets/queries/k8s/tiller_is_deployed/query.rego b/assets/queries/k8s/tiller_is_deployed/query.rego index 679d520784f..8409c66b3b5 100644 --- a/assets/queries/k8s/tiller_is_deployed/query.rego +++ b/assets/queries/k8s/tiller_is_deployed/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { "searchValue": document.kind, # multiple kind can match the same rule "keyExpectedValue": sprintf("'metadata' of %s should not refer to any Tiller resource", [document.kind]), "keyActualValue": sprintf("'metadata' of %s refers to a Tiller resource", [document.kind]), - "searchLine": commonLib.build_search_line(["metadata"],[]), + "searchLine": commonLib.build_search_line(["metadata", "name"],[]), } } diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego index 64cdd606528..6814e7cc074 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego @@ -29,7 +29,7 @@ CxPolicy[result] { "searchValue": sprintf("%s%s", [document.kind, type]), "keyExpectedValue": sprintf("The properties readOnly and recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} are set to true and Enabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), "keyActualValue": sprintf("The properties readOnly or recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} are set to false or Disabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v]), + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v, "name"]), } } @@ -55,8 +55,8 @@ CxPolicy[result] { "issueType": "MissingAttribute", "searchValue": sprintf("%s%s", [document.kind, type]), "keyExpectedValue": sprintf("The properties readOnly and recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} should be defined and set to true and Enabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), - "keyActualValue": sprintf("Either readOnly or recursiveReadOnly is missing in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name, metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v]), + "keyActualValue": sprintf("Either readOnly or recursiveReadOnly is missing in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v, "name"]), } } diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 0ab1b2ad766..8c399248f90 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -9,7 +9,7 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -21,7 +21,7 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -45,7 +45,7 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -69,7 +69,7 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-1)" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -105,7 +105,7 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -119,4 +119,4 @@ "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 6d9fbf303be..f3c8a64a205 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -2,7 +2,7 @@ { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 10, + "line": 13, "filename": "positive1.yaml", "resourceType": "", "resourceName": "", @@ -14,7 +14,7 @@ { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", - "line": 12, + "line": 16, "filename": "positive2.json", "resourceType": "", "resourceName": "", diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index cfb93e77d56..ce0b36f1e71 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -14,7 +14,7 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 23, + "line": 26, "filename": "positive2.json", "resourceType": "", "resourceName": "", @@ -38,7 +38,7 @@ { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", - "line": 15, + "line": 17, "filename": "positive4.yaml", "resourceType": "", "resourceName": "", diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 61c4407da49..0063c3fce08 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -14,7 +14,7 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 12, + "line": 15, "filename": "positive2.json", "resourceType": "", "resourceName": "", @@ -38,7 +38,7 @@ { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", - "line": 10, + "line": 12, "filename": "positive4.yaml", "resourceType": "", "resourceName": "", diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 34e89c1b5d4..f92e806d5da 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json @@ -35,6 +35,18 @@ "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, + { + "queryName": "Maximum Length Undefined (v3)", + "severity": "LOW", + "line": 77, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" + }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", @@ -95,6 +107,18 @@ "expectedValue": "'maxLength' should be defined", "actualValue": "'maxLength' is undefined" }, + { + "queryName": "Maximum Length Undefined (v3)", + "severity": "LOW", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined" + }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index 9e4adf1e870..f5c4b8ed5c2 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json @@ -35,6 +35,18 @@ "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, + { + "queryName": "Pattern Undefined (v3)", + "severity": "MEDIUM", + "line": 79, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" + }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", @@ -95,6 +107,18 @@ "expectedValue": "'pattern' should be defined", "actualValue": "'pattern' is undefined" }, + { + "queryName": "Pattern Undefined (v3)", + "severity": "MEDIUM", + "line": 49, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined" + }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json index 8e854727ca9..b3c31f2da35 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json @@ -3,18 +3,36 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json index 7f2aecf8f06..5f632daab2f 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json index 0063cec5071..91bb4c9350b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json @@ -3,12 +3,24 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 29, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" } -] +] \ No newline at end of file diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json index 55b26065a68..853ffb9e106 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive5_1.tf" + "filename": "positive5_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive5_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive5_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json index 3d390cdb6ff..85145bad6b6 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json @@ -2,13 +2,25 @@ { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", - "line": 3, - "filename": "positive6_1.tf", + "line": 8, + "filename": "positive1.tf", "resourceType": "azurerm_monitor_activity_log_alert", - "resourceName": "", - "searchKey": "azurerm_subscription[positive6]", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive1_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription" + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events" + }, + { + "queryName": "Beta - Activity Log Alert For Service Health Not Configured", + "severity": "MEDIUM", + "line": 28, + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive1_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events" } ] \ No newline at end of file From d8173ee619be7828727983e3d1e54615c492b834 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 17 Mar 2026 10:10:50 +0000 Subject: [PATCH 17/22] changed positive_expected_results.json --- .../test/positive_expected_result.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index a019f29a555..31ca12db562 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -468,7 +468,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - CloudFormation Secret Template", + "queryName": "Passwords And Secrets - Twilio API Key", "severity": "HIGH", "line": 4, "filename": "positive31.yaml", @@ -588,7 +588,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 14, "filename": "positive40.tf", @@ -600,7 +600,7 @@ "actualValue": "Hardcoded secret key appears in source" }, { - "queryName": "Passwords And Secrets - AWS Access Key", + "queryName": "Passwords And Secrets - AWS Certificate", "severity": "HIGH", "line": 15, "filename": "positive40.tf", @@ -923,4 +923,4 @@ "expectedValue": "Hardcoded secret key should not appear in source", "actualValue": "Hardcoded secret key appears in source" } -] \ No newline at end of file +] From 88a7a8f838c6cb2ff41b9b21c8fcf11096d93b7a Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 17 Mar 2026 12:00:12 +0000 Subject: [PATCH 18/22] added issueType on every positive_expected_results --- .../add_issue_type.py | 286 ++++++++ .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 134 ++-- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 80 ++- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 74 ++- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 113 ++-- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 74 ++- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 59 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 548 ++++++++++------ .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 98 ++- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 620 ++++++++++++------ .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 110 ++-- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 68 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../dynamo/test/positive_expected_result.json | 17 +- .../ebs/test/positive_expected_result.json | 20 +- .../efs/test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../mq/test/positive_expected_result.json | 11 +- .../msk/test/positive_expected_result.json | 8 +- .../rds/test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../sns/test/positive_expected_result.json | 8 +- .../sqs/test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 231 ++++--- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 47 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../pd/test/positive_expected_result.json | 17 +- .../pst/test/positive_expected_result.json | 8 +- .../sb/test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 30 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 65 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 50 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 80 ++- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 77 ++- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 62 +- .../positive2/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 41 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 77 ++- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 122 ++-- .../test/positive_expected_result.json | 122 ++-- .../test/positive_expected_result.json | 122 ++-- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 53 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../dynamo/test/positive_expected_result.json | 14 +- .../ebs/test/positive_expected_result.json | 8 +- .../efs/test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../mq/test/positive_expected_result.json | 8 +- .../msk/test/positive_expected_result.json | 8 +- .../rds/test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 32 +- .../sns/test/positive_expected_result.json | 17 +- .../sqs/test/positive_expected_result.json | 17 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 23 +- .../positive3/positive_expected_result.json | 8 +- .../positive4/positive_expected_result.json | 5 +- .../positive2/positive_expected_result.json | 9 +- .../positive3/positive_expected_result.json | 6 +- .../positive4/positive_expected_result.json | 8 +- .../positive5/positive_expected_result.json | 3 +- .../positive6/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 32 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 80 ++- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 134 ++-- .../test/positive_expected_result.json | 134 ++-- .../test/positive_expected_result.json | 134 ++-- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 62 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 56 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 35 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 23 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../fi/test/positive_expected_result.json | 11 +- .../pd/test/positive_expected_result.json | 20 +- .../pst/test/positive_expected_result.json | 14 +- .../redis/test/positive_expected_result.json | 8 +- .../sb/test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 20 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 26 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 29 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 17 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 44 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 11 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 14 +- .../test/positive_expected_result.json | 5 +- .../test/positive_expected_result.json | 38 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 5 +- failed_queries_report.csv | 41 ++ test/queries_test.go | 3 +- 1840 files changed, 17225 insertions(+), 9365 deletions(-) create mode 100644 .github/scripts/generate-positive-expective-results/add_issue_type.py create mode 100644 failed_queries_report.csv diff --git a/.github/scripts/generate-positive-expective-results/add_issue_type.py b/.github/scripts/generate-positive-expective-results/add_issue_type.py new file mode 100644 index 00000000000..75c909983e9 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/add_issue_type.py @@ -0,0 +1,286 @@ +""" +Add the missing 'issueType' field to every positive_expected_result.json file. + +This script does NOT re-run any scans. It reads each query's query.rego to +determine the issueType(s) and matches them to existing expected-result entries +based on expectedValue / actualValue patterns. + +No existing field is modified — only 'issueType' is inserted. + +Usage: + python add_issue_type.py # normal run + python add_issue_type.py --dry # dry run (report only, no writes) +""" + +import json +import re +import sys +from pathlib import Path + +ASSETS_QUERIES_DIR = Path(__file__).resolve().parents[3] / "assets" / "queries" + +# ── Rego parsing ──────────────────────────────────────────────────────────── + +VALID_ISSUE_TYPES = {"MissingAttribute", "IncorrectValue", "RedundantAttribute", "BillOfMaterials"} + +# Keys used for issueType in different rego coding styles +_IT_KEYS = ("issueType", "it", "issueT", "type", "issue") +# Keys used for expected-value pattern +_EV_KEYS = ("keyExpectedValue", "kev", "solution") +# Keys used for actual-value pattern +_AV_KEYS = ("keyActualValue", "kav", "message") + + +def extract_string_or_sprintf(block: str, keys: tuple[str, ...] | str) -> str | None: + """Extract a literal string or the format-string from a sprintf call. + + ``keys`` can be a single key or a tuple of alternatives (first match wins). + """ + if isinstance(keys, str): + keys = (keys,) + for key in keys: + # "key": "literal" + m = re.search(rf'"{key}"\s*:\s*"([^"]*)"', block) + if m: + return m.group(1) + # "key": sprintf("format ...", [...]) + m = re.search(rf'"{key}"\s*:\s*sprintf\s*\(\s*"([^"]*)"', block) + if m: + return m.group(1) + return None + + +def _split_into_result_blocks(content: str) -> list[str]: + """Split rego content into logical blocks that each contain one result dict. + + We look for: + - CxPolicy[result] { ... } + - } else = res { ... } (helper function branches) + - functionName(...) = res { ... } + - functionName(...) = "IssueType" { (issueType helper functions) + Each "block" is the text from the opening brace to the next block boundary. + """ + openers = list(re.finditer( + r'(?:CxPolicy\s*\[\s*result\s*\]\s*\{|' # CxPolicy blocks + r'}\s*else\s*=\s*\w+\s*\{|' # else = res { + r'}\s*else\s*=\s*"[^"]*"\s*(?:#[^\n]*)?\n|' # else = "IncorrectValue" # comment\n + r'\w+\([^)]*\)\s*=\s*(?:res|result|issue)\s*\{|' # func(...) = res/issue { + r'\w+\([^)]*\)\s*=\s*"[^"]*"\s*\{)', # issueType(str) = "Value" { + content + )) + + blocks: list[str] = [] + for i, m in enumerate(openers): + start = m.end() + end = openers[i + 1].start() if i + 1 < len(openers) else len(content) + blocks.append(m.group() + content[start:end]) # include opener for context + + return blocks + + +def parse_rego_blocks(rego_path: Path) -> list[dict]: + """Return a list of dicts with issueType / expectedPattern / actualPattern. + + Handles direct issueType in CxPolicy blocks and indirect issueType via + helper functions with various key-name conventions. + """ + content = rego_path.read_text(encoding="utf-8") + blocks: list[dict] = [] + + result_blocks = _split_into_result_blocks(content) + + for block in result_blocks: + issue_type = None + + # 1. Check for known issueType keys with literal values + for key in _IT_KEYS: + m = re.search(rf'"{key}"\s*:\s*"([^"]+)"', block) + if m and m.group(1) in VALID_ISSUE_TYPES: + issue_type = m.group(1) + break + + # 2. Check for function-style: = "MissingAttribute" { or else = "Value" (comment) + if not issue_type: + m = re.search( + r'=\s*"(MissingAttribute|IncorrectValue|RedundantAttribute|BillOfMaterials)"', + block + ) + if m: + issue_type = m.group(1) + + if not issue_type: + continue + + blocks.append({ + "issueType": issue_type, + "expectedPattern": extract_string_or_sprintf(block, _EV_KEYS), + "actualPattern": extract_string_or_sprintf(block, _AV_KEYS), + }) + + return blocks + + +# ── Matching ──────────────────────────────────────────────────────────────── + +def _pattern_score(pattern: str | None, value: str) -> int: + """Score how well a sprintf/literal pattern matches a resolved value.""" + if not pattern: + return 0 + # Split the pattern on format specifiers (%s, %d, %v, …) and check + # whether the literal fragments appear in the value. + fragments = re.split(r'%[sdvfgtq]', pattern) + score = 0 + for frag in fragments: + frag = frag.strip() + if frag and frag in value: + score += len(frag) + return score + + +def match_issue_type(entry: dict, blocks: list[dict]) -> str | None: + """Determine the issueType for a single expected-result entry.""" + if not blocks: + return None + + unique = {b["issueType"] for b in blocks} + if len(unique) == 1: + return unique.pop() + + # Multiple issueTypes — score each block against the entry + actual = entry.get("actualValue", "") + expected = entry.get("expectedValue", "") + + best_type: str | None = None + best_score = -1 + + for block in blocks: + score = ( + _pattern_score(block["actualPattern"], actual) + + _pattern_score(block["expectedPattern"], expected) + ) + if score > best_score: + best_score = score + best_type = block["issueType"] + + return best_type + + +# ── File discovery ────────────────────────────────────────────────────────── + +def find_expected_result_files(query_dir: Path) -> list[Path]: + """Return all positive_expected_result.json files under the query's test dir.""" + test_dir = query_dir / "test" + if not test_dir.is_dir(): + return [] + return sorted(test_dir.rglob("positive_expected_result.json")) + + +def is_query_directory(p: Path) -> bool: + if not (p / "metadata.json").is_file(): + return False + return (p / "query.rego").is_file() or (p / "regex_rules.json").is_file() + + +# ── Main logic ────────────────────────────────────────────────────────────── + +def process_query(query_dir: Path, dry: bool) -> dict: + """Process one query directory. Returns a small stats dict.""" + stats = {"added": 0, "skipped": 0, "already": 0, "no_match": 0, "files": 0} + + rego_path = query_dir / "query.rego" + is_regex = (query_dir / "regex_rules.json").is_file() and not rego_path.is_file() + + if is_regex: + blocks: list[dict] = [] + default_issue_type = "RedundantAttribute" + else: + if not rego_path.is_file(): + return stats + blocks = parse_rego_blocks(rego_path) + default_issue_type = None + + result_files = find_expected_result_files(query_dir) + if not result_files: + return stats + + for rf in result_files: + with open(rf, "r", encoding="utf-8") as f: + entries = json.load(f) + + if not isinstance(entries, list): + continue + + modified = False + for entry in entries: + if "issueType" in entry: + stats["already"] += 1 + continue + + if default_issue_type: + it = default_issue_type + else: + it = match_issue_type(entry, blocks) + + if it is None: + stats["no_match"] += 1 + print(f" WARNING: could not determine issueType for entry in {rf}") + print(f" expectedValue: {entry.get('expectedValue', '')[:80]}") + print(f" actualValue: {entry.get('actualValue', '')[:80]}") + continue + + entry["issueType"] = it + stats["added"] += 1 + modified = True + + if modified and not dry: + with open(rf, "w", encoding="utf-8") as f: + json.dump(entries, f, indent=2, ensure_ascii=False) + f.write("\n") + + stats["files"] += 1 + + return stats + + +def main() -> None: + dry = "--dry" in sys.argv + + if dry: + print("=== DRY RUN — no files will be written ===\n") + + totals = {"added": 0, "skipped": 0, "already": 0, "no_match": 0, "files": 0, "queries": 0} + + for query_dir in sorted(ASSETS_QUERIES_DIR.rglob("*")): + if not query_dir.is_dir(): + continue + if not is_query_directory(query_dir): + continue + + stats = process_query(query_dir, dry) + if stats["files"] == 0: + continue + + totals["queries"] += 1 + for k in ("added", "skipped", "already", "no_match", "files"): + totals[k] += stats[k] + + label = query_dir.relative_to(ASSETS_QUERIES_DIR) + if stats["no_match"]: + print(f"[!] {label}: {stats}") + elif stats["added"]: + print(f"[+] {label}: added {stats['added']} issueType(s)") + + print(f"\n{'='*60}") + print(f"Queries processed : {totals['queries']}") + print(f"Files touched : {totals['files']}") + print(f"issueType added : {totals['added']}") + print(f"Already present : {totals['already']}") + print(f"No match (WARN) : {totals['no_match']}") + + if totals["no_match"]: + print("\n⚠ Some entries could not be matched. Review the warnings above.") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json index 85d8c08ef2c..eee3891c6b6 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{my_elb_application}}.{{community.aws.elb_application_lb}}.listeners.Protocol=HTTP", "searchValue": "", "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", - "actualValue": "'aws_elb_application_lb' Protocol it's not 'HTTP'" + "actualValue": "'aws_elb_application_lb' Protocol it's not 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -21,6 +22,7 @@ "searchKey": "name={{my_elb_application2}}.{{community.aws.elb_application_lb}}.listeners", "searchValue": "", "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", - "actualValue": "'aws_elb_application_lb' Protocol is missing" + "actualValue": "'aws_elb_application_lb' Protocol is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json index 7282b7ea4f6..69cf2064ce3 100644 --- a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Basic AMI Creation}}.{{amazon.aws.ec2_ami}}.device_mapping.encrypted", "searchValue": "", "expectedValue": "ec2_ami.device_mapping.encrypted should be set to true", - "actualValue": "ec2_ami.device_mapping.encrypted is set to false" + "actualValue": "ec2_ami.device_mapping.encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AMI Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "name={{Basic AMI Creation2}}.{{amazon.aws.ec2_ami}}", "searchValue": "", "expectedValue": "ec2_ami.device_mapping.device_name.encrypted should be set to true", - "actualValue": "ec2_ami.device_mapping.device_name.encrypted is undefined" + "actualValue": "ec2_ami.device_mapping.device_name.encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index aaed40b51c8..5ccfb462013 100644 --- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions", "searchValue": "", "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", - "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI", + "issueType": "IncorrectValue" }, { "queryName": "AMI Shared With Multiple Accounts", @@ -21,6 +22,7 @@ "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions", "searchValue": "", "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", - "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI" + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index fa19b98a94b..33d1cf1aa11 100644 --- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.endpoint_type", "searchValue": "", "expectedValue": "'aws_api_gateway.endpoint_type' should be set to 'PRIVATE'", - "actualValue": "'aws_api_gateway.endpoint_type' is not 'PRIVATE'" + "actualValue": "'aws_api_gateway.endpoint_type' is not 'PRIVATE'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index 63291d5835a..a8666a8002c 100644 --- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS cloudwatchlogs}}.{{community.aws.cloudwatchlogs_log_group}}", "searchValue": "", "expectedValue": "cloudwatchlogs_log_grouptracing_enabled should contain log_group_name", - "actualValue": "cloudwatchlogs_log_group does not contain log_group_name defined" + "actualValue": "cloudwatchlogs_log_group does not contain log_group_name defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 891e9b3d019..10c174d16da 100644 --- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.swagger_dict", "searchValue": "", "expectedValue": "'community.aws.aws_api_gateway.swagger_dict' should have an authorizer set", - "actualValue": "'community.aws.aws_api_gateway.swagger_dict' does not have a authorizer set" + "actualValue": "'community.aws.aws_api_gateway.swagger_dict' does not have a authorizer set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -21,7 +22,8 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}", "searchValue": "", "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set", - "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set" + "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -33,7 +35,8 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_file", "searchValue": "", "expectedValue": "'aws_api_gateway.swagger_file' should have an authorizer set", - "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set" + "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -45,6 +48,7 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text", "searchValue": "", "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set", - "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set" + "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index f8443639cec..931d0e61ad8 100644 --- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set to yes", - "actualValue": "aws_api_gateway.validate_certs is not set to yes" + "actualValue": "aws_api_gateway.validate_certs is not set to yes", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without SSL Certificate", @@ -21,7 +22,8 @@ "searchKey": "name={{update API v1}}.{{aws_api_gateway}}", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set", - "actualValue": "aws_api_gateway.validate_certs is undefined" + "actualValue": "aws_api_gateway.validate_certs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Without SSL Certificate", @@ -33,7 +35,8 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set to yes", - "actualValue": "aws_api_gateway.validate_certs is not set to yes" + "actualValue": "aws_api_gateway.validate_certs is not set to yes", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without SSL Certificate", @@ -45,6 +48,7 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}", "searchValue": "", "expectedValue": "aws_api_gateway.validate_certs should be set", - "actualValue": "aws_api_gateway.validate_certs is undefined" + "actualValue": "aws_api_gateway.validate_certs is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json index 700acc0743f..dbc6106eccc 100644 --- a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{community.aws.aws_api_gateway}}", "searchValue": "", "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", - "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json index b051d9d4974..6c3a1e117cf 100644 --- a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.tracing_enabled", "searchValue": "", "expectedValue": "aws_api_gateway.tracing_enabled should be true", - "actualValue": "aws_api_gateway.tracing_enabled is false" + "actualValue": "aws_api_gateway.tracing_enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Update API definition to deploy new version}}.{{community.aws.aws_api_gateway}}", "searchValue": "", "expectedValue": "aws_api_gateway.tracing_enabled should be defined", - "actualValue": "aws_api_gateway.tracing_enabled is undefined" + "actualValue": "aws_api_gateway.tracing_enabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json index c7ce7e7db88..2a9684ddf6d 100644 --- a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", "searchValue": "mfa_token", "expectedValue": "sts_assume_role.mfa_token should be set", - "actualValue": "sts_assume_role.mfa_token is undefined" + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Authentication Without MFA", @@ -21,7 +22,8 @@ "searchKey": "name={{Hello}}.{{sts_assume_role}}", "searchValue": "mfa_serial_number", "expectedValue": "sts_assume_role.mfa_serial_number should be set", - "actualValue": "sts_assume_role.mfa_serial_number is undefined" + "actualValue": "sts_assume_role.mfa_serial_number is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Authentication Without MFA", @@ -33,6 +35,7 @@ "searchKey": "name={{Hello}}.{{sts_assume_role}}", "searchValue": "mfa_token", "expectedValue": "sts_assume_role.mfa_token should be set", - "actualValue": "sts_assume_role.mfa_token is undefined" + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 5008d689631..b61f3437eea 100644 --- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{elb1}}.{{community.aws.ec2_asg}}.load_balancers", "searchValue": "", "expectedValue": "community.aws.ec2_asg.load_balancers should not be empty", - "actualValue": "community.aws.ec2_asg.load_balancers is empty" + "actualValue": "community.aws.ec2_asg.load_balancers is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -21,6 +22,7 @@ "searchKey": "name={{elb2}}.{{ec2_asg}}", "searchValue": "", "expectedValue": "ec2_asg.load_balancers should be set and not empty", - "actualValue": "ec2_asg.load_balancers is undefined" + "actualValue": "ec2_asg.load_balancers is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index d62e0e779b1..19e542b441f 100644 --- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", "searchValue": "", "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", - "actualValue": "rds_instance.auto_minor_version_upgrade is false" + "actualValue": "rds_instance.auto_minor_version_upgrade is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", "searchValue": "", "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", - "actualValue": "rds_instance.auto_minor_version_upgrade is undefined" + "actualValue": "rds_instance.auto_minor_version_upgrade is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index c5dff31403d..38162f7b664 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", - "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue" }, { "queryName": "AWS Password Policy With Unchangeable Passwords", @@ -21,6 +22,7 @@ "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", - "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false" + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index c132971238b..eebb5df47c1 100644 --- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged", "searchValue": "", "expectedValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged should be set to 'false' or not set", - "actualValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged is 'true'" + "actualValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged is 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 3c4bcd45f9a..5e478c6189e 100644 --- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.ca_certificate_identifier", "searchValue": "", "expectedValue": "rds_instance.ca_certificate_identifier should equal to 'rds-ca-2019'", - "actualValue": "rds_instance.ca_certificate_identifier is not equal to 'rds-ca-2019'" + "actualValue": "rds_instance.ca_certificate_identifier is not equal to 'rds-ca-2019'", + "issueType": "IncorrectValue" }, { "queryName": "CA Certificate Identifier Is Outdated", @@ -21,6 +22,7 @@ "searchKey": "name={{create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", "searchValue": "", "expectedValue": "rds_instance.ca_certificate_identifier should be defined", - "actualValue": "rds_instance.ca_certificate_identifier is undefined" + "actualValue": "rds_instance.ca_certificate_identifier is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json index f2666fec60c..17cca5753af 100644 --- a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", "searchValue": "origins", "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", - "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined" + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", @@ -21,6 +22,7 @@ "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", "searchValue": "", "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", - "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'" + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json index 956aeff2050..724fcb75976 100644 --- a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", "searchValue": "", "expectedValue": "'community.aws.aws_acm.certificate' should not have expired", - "actualValue": "'community.aws.aws_acm.certificate' has expired" + "actualValue": "'community.aws.aws_acm.certificate' has expired", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index 08dca83ff31..4713a5648bc 100644 --- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", "searchValue": "", "expectedValue": "'community.aws.aws_acm.certificate' should use a RSA key with a length equal to or higher than 256 bytes", - "actualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with a length equal to or higher than 256 bytes" + "actualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with a length equal to or higher than 256 bytes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json index a6912488d53..1fb9b9e1bbf 100644 --- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", "searchValue": "", "expectedValue": "cloudfront_distribution.logging should be defined", - "actualValue": "cloudfront_distribution.logging is undefined" + "actualValue": "cloudfront_distribution.logging is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", "searchValue": "", "expectedValue": "cloudfront_distribution.logging.enabled should be true", - "actualValue": "cloudfront_distribution.logging.enabled is false" + "actualValue": "cloudfront_distribution.logging.enabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 6398cca8e71..52b68d190ac 100644 --- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", "searchValue": "", "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", - "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1" + "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -21,7 +22,8 @@ "searchKey": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", "searchValue": "", "expectedValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", - "actualValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1.1_2016" + "actualValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -33,6 +35,7 @@ "searchKey": "name={{create a third distribution}}.{{community.aws.cloudfront_distribution}}", "searchValue": "", "expectedValue": "cloudfront_distribution.viewer_certificate should be defined", - "actualValue": "cloudfront_distribution.viewer_certificate is undefined" + "actualValue": "cloudfront_distribution.viewer_certificate is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json index 336c867d0bb..b4d32bc1d60 100644 --- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a basic distribution with defaults and tags}}.{{community.aws.cloudfront_distribution}}", "searchValue": "", "expectedValue": "cloudfront_distribution.web_acl_id should be defined", - "actualValue": "cloudfront_distribution.web_acl_id is undefined" + "actualValue": "cloudfront_distribution.web_acl_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index c8234d5152f..9e398a7ca80 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create multi-region trail with validation and tags}}.{{community.aws.cloudtrail}}", "searchValue": "", "expectedValue": "cloudtrail.enable_log_file_validation or cloudtrail.log_file_validation_enabled should be defined", - "actualValue": "cloudtrail.enable_log_file_validation and cloudtrail.log_file_validation_enabled are undefined" + "actualValue": "cloudtrail.enable_log_file_validation and cloudtrail.log_file_validation_enabled are undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create multi-region trail with validation and tags v7}}.{{community.aws.cloudtrail}}.enable_log_file_validation", "searchValue": "", "expectedValue": "cloudtrail.enable_log_file_validation should be set to true or yes", - "actualValue": "cloudtrail.enable_log_file_validation is not set to true nor yes" + "actualValue": "cloudtrail.enable_log_file_validation is not set to true nor yes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 06cec696874..aa69cdc13d7 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", "searchValue": "", "expectedValue": "cloudtrail.kms_key_id should be set", - "actualValue": "cloudtrail.kms_key_id is undefined" + "actualValue": "cloudtrail.kms_key_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 867a626de15..f9a5b330745 100644 --- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{example}}.{{community.aws.cloudtrail}}.enable_logging", "searchValue": "", "expectedValue": "cloudtrail.enable_logging should be true", - "actualValue": "cloudtrail.enable_logging is false" + "actualValue": "cloudtrail.enable_logging is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index 44c9bef2a9d..4e863eb7f09 100644 --- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail", "searchValue": "", "expectedValue": "cloudtrail.is_multi_region_trail should be true", - "actualValue": "cloudtrail.is_multi_region_trail is false" + "actualValue": "cloudtrail.is_multi_region_trail is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}", "searchValue": "", "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true", - "actualValue": "cloudtrail.is_multi_region_trail is undefined" + "actualValue": "cloudtrail.is_multi_region_trail is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 3e690b42cdb..3d723a3226b 100644 --- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", "searchValue": "cloudwatch_logs_log_group_arn", "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -21,7 +22,8 @@ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}", "searchValue": "cloudwatch_logs_role_arn", "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", - "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" + "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -33,7 +35,8 @@ "searchKey": "name={{positive2}}.{{community.aws.cloudtrail}}", "searchValue": "cloudwatch_logs_log_group_arn", "expectedValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined", - "actualValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined" + "actualValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -45,6 +48,7 @@ "searchKey": "name={{positive3}}.{{community.aws.cloudtrail}}", "searchValue": "cloudwatch_logs_role_arn", "expectedValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined", - "actualValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined" + "actualValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index 6866090c790..3c17f3729be 100644 --- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", "searchValue": "", "expectedValue": "cloudtrail.sns_topic_name should be set", - "actualValue": "cloudtrail.sns_topic_name is undefined" + "actualValue": "cloudtrail.sns_topic_name is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", @@ -21,6 +22,7 @@ "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name", "searchValue": "", "expectedValue": "cloudtrail.sns_topic_name should be set", - "actualValue": "cloudtrail.sns_topic_name is empty" + "actualValue": "cloudtrail.sns_topic_name is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 80e515cc001..37626107eba 100644 --- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}", "searchValue": "", "expectedValue": "cloudwatchlogs_log_group.retention should be set", - "actualValue": "cloudwatchlogs_log_group.retention is undefined" + "actualValue": "cloudwatchlogs_log_group.retention is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -21,6 +22,7 @@ "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention", "searchValue": "", "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid", - "actualValue": "cloudwatchlogs_log_group.retention is set and invalid" + "actualValue": "cloudwatchlogs_log_group.retention is set and invalid", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json index 994d0f0f5a0..8f31773b2d4 100644 --- a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled", "searchValue": "", "expectedValue": "community.aws.aws_kms.enabled should be set to true", - "actualValue": "community.aws.aws_kms.enabled is set to false" + "actualValue": "community.aws.aws_kms.enabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", @@ -21,6 +22,7 @@ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window", "searchValue": "", "expectedValue": "community.aws.aws_kms.pending_window should be undefined", - "actualValue": "community.aws.aws_kms.pending_windowis is set" + "actualValue": "community.aws.aws_kms.pending_windowis is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json index 21941ab7d90..3bbb7ca7453 100644 --- a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}", "searchValue": "", "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set", - "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined" + "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation", "searchValue": "", "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true", - "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false" + "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json index e14f25f985a..4694bacbd91 100644 --- a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{My project}}.{{community.aws.aws_codebuild}}", "searchValue": "", "expectedValue": "aws_codebuild.encryption_key should be set", - "actualValue": "aws_codebuild.encryption_key is undefined" + "actualValue": "aws_codebuild.encryption_key is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index cd38ebd3b2e..e33de52798b 100644 --- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create cross-account aggregator}}.{{community.aws.aws_config_aggregator}}.account_sources.all_aws_regions", "searchValue": "", "expectedValue": "'aws_config_aggregator.account_sources' should have all_aws_regions set to true", - "actualValue": "'aws_config_aggregator.account_sources' has all_aws_regions set to false" + "actualValue": "'aws_config_aggregator.account_sources' has all_aws_regions set to false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create cross-account aggregator2}}.{{community.aws.aws_config_aggregator}}.organization_source.all_aws_regions", "searchValue": "", "expectedValue": "'aws_config_aggregator.organization_source' should have all_aws_regions set to true", - "actualValue": "'aws_config_aggregator.organization_source' has all_aws_regions set to false" + "actualValue": "'aws_config_aggregator.organization_source' has all_aws_regions set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 55a63ea0b2f..000336cb7cf 100644 --- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{foo}}", "searchValue": "", "expectedValue": "There should be a aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'", - "actualValue": "There is no aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'" + "actualValue": "There is no aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index 8ff8f9e1898..df423ae55ff 100644 --- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document", "searchValue": "", "expectedValue": "assume_role_policy_document should not contain ':root", - "actualValue": "assume_role_policy_document contains ':root'" + "actualValue": "assume_role_policy_document contains ':root'", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -21,7 +22,8 @@ "searchKey": "name={{Create a role with description and tags2}}.{{community.aws.iam_role}}.assume_role_policy_document", "searchValue": "", "expectedValue": "assume_role_policy_document should not contain ':root", - "actualValue": "assume_role_policy_document contains ':root'" + "actualValue": "assume_role_policy_document contains ':root'", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -33,6 +35,7 @@ "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document", "searchValue": "", "expectedValue": "assume_role_policy_document should not contain ':root", - "actualValue": "assume_role_policy_document contains ':root'" + "actualValue": "assume_role_policy_document contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 3d206aabf97..8b3bccb76e0 100644 --- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{foo}}.{{community.aws.rds_instance}}.storage_encrypted", "searchValue": "", "expectedValue": "rds_instance.storage_encrypted should be set to true", - "actualValue": "rds_instance.storage_encrypted is set to false" + "actualValue": "rds_instance.storage_encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "name={{foo2}}.{{community.aws.rds_instance}}.storage_encrypted", "searchValue": "", "expectedValue": "rds_instance.storage_encrypted should be set to true", - "actualValue": "rds_instance.storage_encrypted is set to false" + "actualValue": "rds_instance.storage_encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "name={{foo3}}.{{community.aws.rds_instance}}", "searchValue": "", "expectedValue": "rds_instance.storage_encrypted should be set to true", - "actualValue": "rds_instance.storage_encrypted is undefined" + "actualValue": "rds_instance.storage_encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 623a0a3d338..db1cb448fbf 100644 --- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", "searchValue": "", "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", - "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0,10.0.0.0/8,192.168.1.0/24]" + "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0,10.0.0.0/8,192.168.1.0/24]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json index b6b78c334b8..87ba37aca1e 100644 --- a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", "searchValue": "", "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", - "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0]" + "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0]", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -21,6 +22,7 @@ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules_egress.cidr_ip", "searchValue": "", "expectedValue": "'ec2_group.rules_egress.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]", - "actualValue": "'ec2_group.rules_egress.cidr_ip' is [0.0.0.0/0]" + "actualValue": "'ec2_group.rules_egress.cidr_ip' is [0.0.0.0/0]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 00e0ee45c9c..9afb56300a3 100644 --- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", - "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -21,7 +22,8 @@ "searchKey": "name={{example2 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ip={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ec2_group.rules_egress.cidr_ip should not contain the value '0.0.0.0/0'", - "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'" + "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -33,7 +35,8 @@ "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -45,7 +48,8 @@ "searchKey": "name={{example4 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6={{::/0}}", "searchValue": "", "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'" + "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -57,6 +61,7 @@ "searchKey": "name={{example5 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6.{{::/0}}", "searchValue": "", "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'" + "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index ac66cc422cd..788da35806c 100644 --- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted", "searchValue": "", "expectedValue": "ec2_vol.encrypted should be enabled", - "actualValue": "ec2_vol.encrypted is disabled" + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{Creating EBS volume02}}.{{amazon.aws.ec2_vol}}.encrypted", "searchValue": "", "expectedValue": "ec2_vol.encrypted should be enabled", - "actualValue": "ec2_vol.encrypted is disabled" + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{Creating EBS volume03}}.{{amazon.aws.ec2_vol}}.encrypted", "searchValue": "", "expectedValue": "ec2_vol.encrypted should be enabled", - "actualValue": "ec2_vol.encrypted is disabled" + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "name={{Creating EBS volume04}}.{{amazon.aws.ec2_vol}}", "searchValue": "", "expectedValue": "ec2_vol.encrypted should be defined", - "actualValue": "ec2_vol.encrypted is undefined" + "actualValue": "ec2_vol.encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json index 60aa9c98562..8fab0f56bf5 100644 --- a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", "searchValue": "", "expectedValue": "'ec2_group.rules.cidr_ip' should not be 0.0.0.0/0", - "actualValue": "'ec2_group.rules.cidr_ip' is 0.0.0.0/0" + "actualValue": "'ec2_group.rules.cidr_ip' is 0.0.0.0/0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index 15309e9b8e2..761c9b06d66 100644 --- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example}}.{{amazon.aws.ec2}}.assign_public_ip", "searchValue": "", "expectedValue": "ec2.assign_public_ip should be set to false, 'no' or undefined", - "actualValue": "ec2.assign_public_ip is 'yes'" + "actualValue": "ec2.assign_public_ip is 'yes'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", @@ -21,7 +22,8 @@ "searchKey": "name={{Create an ec2 launch template}}.{{community.aws.ec2_launch_template}}.network_interfaces.associate_public_ip_address", "searchValue": "", "expectedValue": "ec2_launch_template.network_interfaces.associate_public_ip_address should be set to false, 'no' or undefined", - "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'" + "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", @@ -33,6 +35,7 @@ "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", "searchValue": "", "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", - "actualValue": "ec2_instance.network.assign_public_ip is 'true'" + "actualValue": "ec2_instance.network.assign_public_ip is 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index e22c594cb81..e2e7eab9801 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example}}.{{amazon.aws.ec2}}.group", "searchValue": "", "expectedValue": "'group' should not be using default security group", - "actualValue": "'group' is using default security group" + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", @@ -21,6 +22,7 @@ "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.group", "searchValue": "", "expectedValue": "'group' should not be using default security group", - "actualValue": "'group' is using default security group" + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 5d4c3c4af86..21823e51916 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{example}}.{{amazon.aws.ec2}}.vpc_subnet_id", "searchValue": "", "expectedValue": "'vpc_subnet_id' should not be associated with a default VPC", - "actualValue": "'vpc_subnet_id' is associated with a default VPC" + "actualValue": "'vpc_subnet_id' is associated with a default VPC", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 781b250899a..115f5072b7a 100644 --- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example}}.{{amazon.aws.ec2}}", "searchValue": "", "expectedValue": "ec2 to have ebs_optimized set to true.", - "actualValue": "ec2 doesn't have ebs_optimized set to true." + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -21,7 +22,8 @@ "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.ebs_optimized", "searchValue": "", "expectedValue": "ec2 to have ebs_optimized set to true.", - "actualValue": "ec2 ebs_optimized is set to false." + "actualValue": "ec2 ebs_optimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", @@ -33,6 +35,7 @@ "searchKey": "name={{example3}}.{{amazon.aws.ec2}}", "searchValue": "", "expectedValue": "ec2 to have ebs_optimized set to true.", - "actualValue": "ec2 doesn't have ebs_optimized set to true." + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index ae74631c528..fb8e2352f40 100644 --- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", "searchValue": "", "expectedValue": "ecs_ecr.image_tag_mutability should be set ", - "actualValue": "ecs_ecr.image_tag_mutability is undefined" + "actualValue": "ecs_ecr.image_tag_mutability is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ECR Image Tag Not Immutable", @@ -21,6 +22,7 @@ "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", "searchValue": "", "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", - "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'" + "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 38a52543f95..79b3284fe2d 100644 --- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{set-policy as object}}.{{community.aws.ecs_ecr}}.policy", "searchValue": "", "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", - "actualValue": "ecs_ecr.policy.Principal is equal to '*'" + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "name={{set-policy as string}}.{{community.aws.ecs_ecr}}.policy", "searchValue": "", "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", - "actualValue": "ecs_ecr.policy.Principal is equal to '*'" + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 7ddc6f1a72e..6be84b41416 100644 --- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}.role", "searchValue": "", "expectedValue": "ecs_service.role should not be an admin role", - "actualValue": "ecs_service.role is an admin role" + "actualValue": "ecs_service.role is an admin role", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index d44762256c9..97c2f7ad16b 100644 --- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}", "searchValue": "", "expectedValue": "community.aws.ecs_service.deployment_configuration should be defined", - "actualValue": "%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined" + "actualValue": "%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index b8fd004b8de..5c8e83eb565 100644 --- a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create ECS service with network configuration}}.{{community.aws.ecs_service}}.network_configuration.assign_public_ip", "searchValue": "", "expectedValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", - "actualValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' is set to true" + "actualValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "ECS Services assigned with public IP address", @@ -21,6 +22,7 @@ "searchKey": "name={{Create ECS service with network configuration}}.{{ecs_service}}.network_configuration.assign_public_ip", "searchValue": "", "expectedValue": "'ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", - "actualValue": "'ecs_service.network_configuration.assign_public_ip' is set to true" + "actualValue": "'ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 6ef0d9fae10..864a8623528 100644 --- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create task definition}}.{{community.aws.ecs_taskdefinition}}.network_mode", "searchValue": "", "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", - "actualValue": "'ecs_taskdefinition.network_mode' is 'default'" + "actualValue": "'ecs_taskdefinition.network_mode' is 'default'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Network Mode Not Recommended", @@ -21,6 +22,7 @@ "searchKey": "name={{Create task definition2}}.{{community.aws.ecs_taskdefinition}}.network_mode", "searchValue": "", "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", - "actualValue": "'ecs_taskdefinition.network_mode' is 'none'" + "actualValue": "'ecs_taskdefinition.network_mode' is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json index 5a472366b28..17a04dcff11 100644 --- a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", - "actualValue": "efs.encrypt is set to false" + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", - "actualValue": "efs.encrypt is set to false" + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "name={{foo3}}.{{community.aws.efs}}", "searchValue": "", "expectedValue": "efs.encrypt should be set to true", - "actualValue": "efs.encrypt is undefined" + "actualValue": "efs.encrypt is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json index b9017c4afe5..1fc27f50a33 100644 --- a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{foo}}.{{community.aws.efs}}", "searchValue": "", "expectedValue": "efs.kms_key_id should be set", - "actualValue": "efs.kms_key_id is undefined" + "actualValue": "efs.kms_key_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json index 61763b17149..2a86fc6b0bf 100644 --- a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{EFS provisioning without tags}}.{{community.aws.efs}}", "searchValue": "", "expectedValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags should be set", - "actualValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags is not defined" + "actualValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json index 4341c33c536..39d71d464ea 100644 --- a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", "searchValue": "", "expectedValue": "'cache_port' should not be set to 11211", - "actualValue": "'cache_port' is set to 11211" + "actualValue": "'cache_port' is set to 11211", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", @@ -21,6 +22,7 @@ "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", "searchValue": "", "expectedValue": "'cache_port' should not be set to 6379", - "actualValue": "'cache_port' is set to 6379" + "actualValue": "'cache_port' is set to 6379", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json index 9aa6b98b743..64c6c980a65 100644 --- a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}", "searchValue": "", "expectedValue": "'cache_subnet_group' should be defined and not null", - "actualValue": "'cache_subnet_group' is undefined or null" + "actualValue": "'cache_subnet_group' is undefined or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index eff91b8ef50..f60d7659881 100644 --- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", "searchValue": "", "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", - "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'" + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", "searchValue": "", "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", - "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}", "searchValue": "", "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", - "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set" + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 4165504e86e..d6b7b4374e9 100644 --- a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", @@ -21,7 +22,8 @@ "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", @@ -33,7 +35,8 @@ "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol" + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", @@ -45,7 +48,8 @@ "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", @@ -57,7 +61,8 @@ "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", @@ -69,6 +74,7 @@ "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy is a secure protocol", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is an insecure protocol" + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is an insecure protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 721f0d5fd93..12db88cd260 100644 --- a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined" + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Weak Ciphers", @@ -21,7 +22,8 @@ "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined" + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Weak Ciphers", @@ -33,7 +35,8 @@ "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", - "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher" + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -45,7 +48,8 @@ "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners should be defined", - "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined" + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Weak Ciphers", @@ -57,7 +61,8 @@ "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined" + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Weak Ciphers", @@ -69,6 +74,7 @@ "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", "searchValue": "", "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should not be a weak cipher", - "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher" + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json index e96eef9f4f3..db36ec3f3ca 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{start an instance with a cpu_options}}.{{community.aws.ec2_instance}}.user_data", "searchValue": "", "expectedValue": "'ec2_instance.user_data' shouldn't contain access key", - "actualValue": "'ec2_instance.user_data' contains access key" + "actualValue": "'ec2_instance.user_data' contains access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index 16f5c943a85..c133805645e 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{looped creation}}.{{community.aws.lambda}}.aws_access_key", "searchValue": "", "expectedValue": "lambda.aws_access_key should not be in plaintext", - "actualValue": "lambda.aws_access_key is in plaintext" + "actualValue": "lambda.aws_access_key is in plaintext", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -21,6 +22,7 @@ "searchKey": "name={{remove tags}}.{{community.aws.lambda}}.aws_access_key", "searchValue": "", "expectedValue": "lambda.aws_access_key should not be in plaintext", - "actualValue": "lambda.aws_access_key is in plaintext" + "actualValue": "lambda.aws_access_key is in plaintext", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json index 7584b54c08c..8f3300805ed 100644 --- a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -81,6 +87,7 @@ "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", - "actualValue": "ec2_group.rules[0] opens the http port (80)" + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json index ced48a52445..406158bf675 100644 --- a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state", "searchValue": "", "expectedValue": "iam.name should be 'root' for an active access key", - "actualValue": "iam.name is '{{ item }}' for an active access key" + "actualValue": "iam.name is '{{ item }}' for an active access key", + "issueType": "IncorrectValue" }, { "queryName": "IAM Access Key Is Exposed", @@ -21,7 +22,8 @@ "searchKey": "name={{Create Two Groups, Mario and Luigi}}.{{community.aws.iam}}.access_key_state", "searchValue": "", "expectedValue": "iam.name should be 'root' for an active access key", - "actualValue": "iam.name is '{{ item }}' for an active access key" + "actualValue": "iam.name is '{{ item }}' for an active access key", + "issueType": "IncorrectValue" }, { "queryName": "IAM Access Key Is Exposed", @@ -33,6 +35,7 @@ "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state", "searchValue": "", "expectedValue": "iam.name should be 'root' for an active access key", - "actualValue": "iam.name is 'jdavila' for an active access key" + "actualValue": "iam.name is 'jdavila' for an active access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 1ea7e50a82d..be94174c32d 100644 --- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", "searchValue": "", "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", - "actualValue": "rds_instance.enable_iam_database_authentication is disabled" + "actualValue": "rds_instance.enable_iam_database_authentication is disabled", + "issueType": "IncorrectValue" }, { "queryName": "IAM Database Auth Not Enabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", "searchValue": "", "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", - "actualValue": "rds_instance.enable_iam_database_authentication is disabled" + "actualValue": "rds_instance.enable_iam_database_authentication is disabled", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json index 62adad52a9d..da86482bafd 100644 --- a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Group1}}.{{iam_group}}", "searchValue": "", "expectedValue": "iam_group.users should be defined and not null", - "actualValue": "iam_group.users is undefined or null" + "actualValue": "iam_group.users is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IAM Group Without Users", @@ -21,6 +22,7 @@ "searchKey": "name={{Group2}}.{{iam_group}}", "searchValue": "", "expectedValue": "iam_group.users should be defined and not null", - "actualValue": "iam_group.users is undefined or null" + "actualValue": "iam_group.users is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 7e9314655bd..1ca73ac508b 100644 --- a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8", - "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined" + "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Password Without Minimum Length", @@ -21,7 +22,8 @@ "searchKey": "name={{aws_iam_account_password_policy}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", "searchValue": "", "expectedValue": "iam_password_policy.min_pw_length should be set and no less than 8", - "actualValue": "iam_password_policy.min_pw_length is less than 8" + "actualValue": "iam_password_policy.min_pw_length is less than 8", + "issueType": "IncorrectValue" }, { "queryName": "IAM Password Without Minimum Length", @@ -33,6 +35,7 @@ "searchKey": "name={{aws_iam_account_password_policy_2}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", "searchValue": "", "expectedValue": "iam_password_policy.minimum_password_length should be set and no less than 8", - "actualValue": "iam_password_policy.minimum_password_length is less than 8" + "actualValue": "iam_password_policy.minimum_password_length is less than 8", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 4107a2b9160..6609f4daa4a 100644 --- a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Assign a policy called Admin to user}}.{{community.aws.iam_policy}}.iam_type", "searchValue": "", "expectedValue": "iam_policy.iam_type should be configured with group or role", - "actualValue": "iam_policy.iam_type is configured with user" + "actualValue": "iam_policy.iam_type is configured with user", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 2158976522f..7cfc051bef6 100644 --- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", "searchValue": "", "expectedValue": "iam_managed_policy.policy.Statement.Action should not contain '*'", - "actualValue": "iam_managed_policy.policy.Statement.Action contains '*'" + "actualValue": "iam_managed_policy.policy.Statement.Action contains '*'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index 5624fdda872..f8128d20be1 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", "searchValue": "", "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain '*'", - "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains '*'" + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 19fe9cba72f..977cdd011d4 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", "searchValue": "", "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should no be equal to '*'", - "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 024ff76dafc..2d327157c98 100644 --- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", "searchValue": "", "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", - "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'" + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Role Allows All Principals To Assume", @@ -21,6 +22,7 @@ "searchKey": "name={{Create2 IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", "searchValue": "", "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", - "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'" + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 42512939e8f..54d2b94f9b4 100644 --- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -21,7 +22,8 @@ "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -33,7 +35,8 @@ "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -45,7 +48,8 @@ "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -57,7 +61,8 @@ "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined" + "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -69,7 +74,8 @@ "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined" + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -81,7 +87,8 @@ "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined" + "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -93,7 +100,8 @@ "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined" + "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -105,7 +113,8 @@ "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -117,7 +126,8 @@ "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -129,7 +139,8 @@ "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -141,7 +152,8 @@ "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -153,7 +165,8 @@ "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -165,7 +178,8 @@ "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -177,7 +191,8 @@ "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -189,7 +204,8 @@ "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -201,7 +217,8 @@ "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -213,7 +230,8 @@ "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -225,7 +243,8 @@ "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -237,6 +256,7 @@ "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined" + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json index 69951e1ee11..242ce78fb74 100644 --- a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Start an instance and have it begin a Tower callback on boot}}.{{community.aws.ec2_instance}}", "searchValue": "", "expectedValue": "community.aws.ec2_instance.vpc_subnet_id should be set", - "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined" + "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", @@ -21,6 +22,7 @@ "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", "searchValue": "", "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", - "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined" + "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 288076551df..7abc38c4f7b 100644 --- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", "searchValue": "", "expectedValue": "kinesis_stream.encryption_state should be set", - "actualValue": "kinesis_stream.encryption_state is undefined" + "actualValue": "kinesis_stream.encryption_state is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -21,7 +22,8 @@ "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", "searchValue": "", "expectedValue": "kinesis_stream.encryption_state should be set to enabled", - "actualValue": "kinesis_stream.encryption_state is not set to enabled" + "actualValue": "kinesis_stream.encryption_state is not set to enabled", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -33,7 +35,8 @@ "searchKey": "name={{Encrypt Kinesis Stream test-stream. v3}}.{{community.aws.kinesis_stream}}", "searchValue": "", "expectedValue": "kinesis_stream.encryption_type should be set", - "actualValue": "kinesis_stream.encryption_type is undefined" + "actualValue": "kinesis_stream.encryption_type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -45,7 +48,8 @@ "searchKey": "name={{Encrypt Kinesis Stream test-stream. v4}}.{{community.aws.kinesis_stream}}.encryption_type", "searchValue": "", "expectedValue": "kinesis_stream.encryption_type should be set and not NONE", - "actualValue": "kinesis_stream.encryption_type is set but NONE" + "actualValue": "kinesis_stream.encryption_type is set but NONE", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -57,6 +61,7 @@ "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", "searchValue": "", "expectedValue": "kinesis_stream.key_id should be set", - "actualValue": "kinesis_stream.key_id is undefined" + "actualValue": "kinesis_stream.key_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 81b3af821ae..f6c6b07a74b 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}.policy", "searchValue": "", "expectedValue": "aws_kms.policy should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -21,6 +22,7 @@ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", "searchValue": "", "expectedValue": "'policy' should be undefined or null", - "actualValue": "'policy' is defined and not null" + "actualValue": "'policy' is defined and not null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json index 1e91399545f..84e1797425c 100644 --- a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{add tags}}.{{community.aws.lambda}}", "searchValue": "", "expectedValue": "name={{add tags}}.{{community.aws.lambda}}.tags should be defined", - "actualValue": "name={{add tags}}.{{community.aws.lambda}}.tags is undefined" + "actualValue": "name={{add tags}}.{{community.aws.lambda}}.tags is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 9041a5ac127..e683756a1b2 100644 --- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{looped creation}}.{{community.aws.lambda}}", "searchValue": "", "expectedValue": "lambda.tracing_mode should be set", - "actualValue": "lambda.tracing_mode is undefined" + "actualValue": "lambda.tracing_mode is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -21,6 +22,7 @@ "searchKey": "name={{looped creation V2}}.{{community.aws.lambda}}.tracing_mode", "searchValue": "", "expectedValue": "lambda.tracing_mode should be set to 'Active'", - "actualValue": "lambda.tracing_mode is not set to 'Active'" + "actualValue": "lambda.tracing_mode is not set to 'Active'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json index ac770bdcc0a..4f60de6ba31 100644 --- a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action", "searchValue": "", "expectedValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action should be 'lambda:InvokeFunction'", - "actualValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action is lambda:CreateFunction" + "actualValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action is lambda:CreateFunction", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 1ee54fdf508..1ca9aacfcac 100644 --- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal", "searchValue": "", "expectedValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal shouldn't contain a wildcard", - "actualValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal contains a wildcard" + "actualValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal contains a wildcard", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json index b70c5692640..d8f75f37cd2 100644 --- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.volumes", "searchValue": "", "expectedValue": "ec2_lc.volumes[0].encrypted should be set to true or yes", - "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes" + "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes", + "issueType": "IncorrectValue" }, { "queryName": "Launch Configuration Is Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", "searchValue": "", "expectedValue": "ec2_lc.volumes[0].encrypted should be set", - "actualValue": "ec2_lc.volumes[0].encrypted is undefined" + "actualValue": "ec2_lc.volumes[0].encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Launch Configuration Is Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v3}}.{{ec2_lc}}", "searchValue": "", "expectedValue": "ec2_lc.volumes should be set", - "actualValue": "ec2_lc.volumes is undefined" + "actualValue": "ec2_lc.volumes is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 6e33d25f567..48e1a2a3425 100644 --- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", - "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "MissingAttribute" }, { "queryName": "Misconfigured Password Policy Expiration", @@ -21,7 +22,8 @@ "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", - "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue" }, { "queryName": "Misconfigured Password Policy Expiration", @@ -33,6 +35,7 @@ "searchKey": "name={{Alias extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.password_max_age", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", - "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90" + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json index 4394a7e84ea..12b2b0771f5 100644 --- a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", "searchValue": "", "expectedValue": "cloudformation.stack_policy should be set", - "actualValue": "cloudformation.stack_policy is undefined" + "actualValue": "cloudformation.stack_policy is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json index 85f56edad0e..567159b1ed0 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", - "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute" }, { "queryName": "Password Without Reuse Prevention", @@ -21,7 +22,8 @@ "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", - "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "IncorrectValue" }, { "queryName": "Password Without Reuse Prevention", @@ -33,6 +35,7 @@ "searchKey": "name={{Password policy for AWS account3}}.{{community.aws.iam_password_policy}}", "searchValue": "", "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", - "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0" + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index e997514223f..a5c8e0c2d69 100644 --- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Lambda S3 event notification}}.{{lambda_policy}}.source_arn", "searchValue": "", "expectedValue": "lambda_policy.source_arn should not equal to '/*/*'", - "actualValue": "lambda_policy.source_arn is equal to '/*/*'" + "actualValue": "lambda_policy.source_arn is equal to '/*/*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json index fa702f76624..0816e230543 100644 --- a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't have public port wide", - "actualValue": "ec2_group.rules[0] has public port wide" + "actualValue": "ec2_group.rules[0] has public port wide", + "issueType": "IncorrectValue" }, { "queryName": "Public Port Wide", @@ -21,6 +22,7 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[1] shouldn't have public port wide", - "actualValue": "ec2_group.rules[1] has public port wide" + "actualValue": "ec2_group.rules[1] has public port wide", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 6dfb39e510b..af90b8c732f 100644 --- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.db_subnet_group_name", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", - "actualValue": "RDS is running in a public subnet" + "actualValue": "RDS is running in a public subnet", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 055fbb0bc3e..57c65b4256c 100644 --- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.publicly_accessible", "searchValue": "", "expectedValue": "community.aws.rds_instance.publicly_accessible should be false", - "actualValue": "community.aws.rds_instance.publicly_accessible is true" + "actualValue": "community.aws.rds_instance.publicly_accessible is true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "name={{community - Basic mysql provisioning example}}.{{community.aws.rds}}.publicly_accessible", "searchValue": "", "expectedValue": "community.aws.rds.publicly_accessible should be false", - "actualValue": "community.aws.rds.publicly_accessible is true" + "actualValue": "community.aws.rds.publicly_accessible is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json index fb62e6fb994..11c751157e3 100644 --- a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.port", "searchValue": "", "expectedValue": "'port' should not be set to 3306", - "actualValue": "'port' is set to 3306" + "actualValue": "'port' is set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", "expectedValue": "'port' should not be set to 5432", - "actualValue": "'port' is set to 5432" + "actualValue": "'port' is set to 5432", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", "expectedValue": "'port' should not be set to 1521", - "actualValue": "'port' is set to 1521" + "actualValue": "'port' is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", "searchValue": "", "expectedValue": "'port' should not be set to 1433", - "actualValue": "'port' is set to 1433" + "actualValue": "'port' is set to 1433", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json index 0a89a3cffe1..ec92dbad951 100644 --- a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.backup_retention_period", "searchValue": "", "expectedValue": "rds_instance should have the property 'backup_retention_period' greater than 0", - "actualValue": "rds_instance has the property 'backup_retention_period' assigned to 0" + "actualValue": "rds_instance has the property 'backup_retention_period' assigned to 0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json index 6d38b972dc1..5752a72488d 100644 --- a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_engine_version", "searchValue": "", "expectedValue": "elasticache.cache_engine_version should be compliant with the AWS PCI DSS requirements", - "actualValue": "elasticache.cache_engine_version isn't compliant with the AWS PCI DSS requirements" + "actualValue": "elasticache.cache_engine_version isn't compliant with the AWS PCI DSS requirements", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json index 34257c3a30d..d09fb3ea107 100644 --- a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", - "actualValue": "redshift.encrypted is undefined" + "actualValue": "redshift.encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", - "actualValue": "redshift.encrypted is set to false" + "actualValue": "redshift.encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted", "searchValue": "", "expectedValue": "redshift.encrypted should be set to true", - "actualValue": "redshift.encrypted is set to false" + "actualValue": "redshift.encrypted is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json index f924660f341..52cb2f2dffa 100644 --- a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", - "actualValue": "redshift.publicly_accessible is true" + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", - "actualValue": "redshift.publicly_accessible is true" + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible", "searchValue": "", "expectedValue": "redshift.publicly_accessible should be set to false", - "actualValue": "redshift.publicly_accessible is true" + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json index b53dc532c2b..ccc3b258c5d 100644 --- a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Redshift}}.{{community.aws.redshift}}.port", "searchValue": "", "expectedValue": "redshift.port should not be set to 5439", - "actualValue": "redshift.port is set to 5439" + "actualValue": "redshift.port is set to 5439", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json index 3a5794b4881..0f8d4b43182 100644 --- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -81,6 +87,7 @@ "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", - "actualValue": "ec2_group.rules opens the remote desktop port (3389)" + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 86e3549fa2d..ddc810aa78f 100644 --- a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}", "searchValue": "", "expectedValue": "iam should not be active for a root account", - "actualValue": "iam is active for a root account" + "actualValue": "iam is active for a root account", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json index c5c9e783f4f..6d262543ee7 100644 --- a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Use a routing policy to distribute traffic02}}.{{community.aws.route53}}", "searchValue": "", "expectedValue": "route53.value should be defined or not null", - "actualValue": "route53.value is undefined or null" + "actualValue": "route53.value is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Route53 Record Undefined", @@ -21,6 +22,7 @@ "searchKey": "name={{Use a routing policy to distribute traffic03}}.{{community.aws.route53}}", "searchValue": "", "expectedValue": "route53.value should be defined or not null", - "actualValue": "route53.value is undefined or null" + "actualValue": "route53.value is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index fc52ffd8ccf..8d18d451225 100644 --- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create a simple s3 bucket with a policy}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "s3_bucket.policy.Statement shouldn't make the bucket accessible to all AWS Accounts", - "actualValue": "s3_bucket.policy.Statement does make the bucket accessible to all AWS Accounts" + "actualValue": "s3_bucket.policy.Statement does make the bucket accessible to all AWS Accounts", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index db4fb911d36..8a958995930 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", "searchValue": "", "expectedValue": "aws_s3 should not have read access for all user groups", - "actualValue": "aws_s3 has read access for all user groups" + "actualValue": "aws_s3 has read access for all user groups", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -21,6 +22,7 @@ "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", "searchValue": "", "expectedValue": "aws_s3 should not have read access for all user groups", - "actualValue": "aws_s3 has read access for all user groups" + "actualValue": "aws_s3 has read access for all user groups", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 7e54f45e61a..59196d0d38d 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", "searchValue": "", "expectedValue": "aws_s3 should not have read access for all authenticated users", - "actualValue": "aws_s3 has read access for all authenticated users" + "actualValue": "aws_s3 has read access for all authenticated users", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index 9445db35847..27e8bf1e73b 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "s3_bucket[mys3bucket] should not allow Delete Action From All Principals", - "actualValue": "s3_bucket[mys3bucket] allows Delete Action From All Principals" + "actualValue": "s3_bucket[mys3bucket] allows Delete Action From All Principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index efb3d37c071..2368457dd01 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "s3_bucket[mys3bucket] should not allow Get Action From All Principals", - "actualValue": "s3_bucket[mys3bucket] allows Get Action From All Principals" + "actualValue": "s3_bucket[mys3bucket] allows Get Action From All Principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 4c890f3aff0..2a12619e07c 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "s3_bucket[mys3bucket] should not allow List Action From All Principals", - "actualValue": "s3_bucket[mys3bucket] allows List Action From All Principals" + "actualValue": "s3_bucket[mys3bucket] allows List Action From All Principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 588e4253135..26d4db06d34 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "s3_bucket[mys3bucket] should not allow Put Action From All Principals", - "actualValue": "s3_bucket[mys3bucket] allows Put Action From All Principals" + "actualValue": "s3_bucket[mys3bucket] allows Put Action From All Principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 341c78ce547..79718d74bcc 100644 --- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create S3 bucket}}.{{amazon.aws.s3_bucket}}.debug_botocore_endpoint_logs", "searchValue": "", "expectedValue": "s3_bucket.debug_botocore_endpoint_logs should be true", - "actualValue": "s3_bucket.debug_botocore_endpoint_logs is false" + "actualValue": "s3_bucket.debug_botocore_endpoint_logs is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 32af7c6ff95..79a9924b077 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create s3 bucket}}.{{amazon.aws.s3_bucket}}.policy", "searchValue": "", "expectedValue": "'policy.Statement' should not allow all actions to all principal", - "actualValue": "'policy.Statement' allows all actions to all principal" + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json index acca18c30c1..21814de4045 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", "searchValue": "", "expectedValue": "aws_s3.permission shouldn't allow public access", - "actualValue": "aws_s3.permission allows public access" + "actualValue": "aws_s3.permission allows public access", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket With Public Access", @@ -21,6 +22,7 @@ "searchKey": "name={{Create an empty bucket 01}}.{{amazon.aws.aws_s3}}.permission", "searchValue": "", "expectedValue": "aws_s3.permission shouldn't allow public access", - "actualValue": "aws_s3.permission allows public access" + "actualValue": "aws_s3.permission allows public access", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index da06d618da5..8311c1745b0 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create s3 bucket2}}.{{community.aws.aws_s3_cors}}.rules", "searchValue": "", "expectedValue": "community.aws.aws_s3_cors[0] should not allow all methods, all headers or several origins", - "actualValue": "community.aws.aws_s3_cors[0] allows all methods, all headers or several origins" + "actualValue": "community.aws.aws_s3_cors[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", @@ -21,6 +22,7 @@ "searchKey": "name={{Create s3 bucket4}}.{{aws_s3_cors}}.rules", "searchValue": "", "expectedValue": "aws_s3_cors[0] should not allow all methods, all headers or several origins", - "actualValue": "aws_s3_cors[0] allows all methods, all headers or several origins" + "actualValue": "aws_s3_cors[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json index 645f63faaff..08b1a9e210a 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create a simple s3 bucket}}.{{amazon.aws.s3_bucket}}.encryption", "searchValue": "", "expectedValue": "s3_bucket.encryption should not be 'none'", - "actualValue": "s3_bucket.encryption is 'none'" + "actualValue": "s3_bucket.encryption is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 5454b62e65e..c315c35fe24 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}", "searchValue": "", "expectedValue": "s3_bucket should have versioning set to true", - "actualValue": "s3_bucket does not have versioning (defaults to false)" + "actualValue": "s3_bucket does not have versioning (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -21,6 +22,7 @@ "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning", "searchValue": "", "expectedValue": "s3_bucket should have versioning set to true", - "actualValue": "s3_bucket does has versioning set to false" + "actualValue": "s3_bucket does has versioning set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json index 2b344ecbd8b..7233a540356 100644 --- a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{example}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", "searchValue": "", "expectedValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version should be TLSv1.1 or TLSv1.2", - "actualValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version isn't TLSv1.1 or TLSv1.2" + "actualValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json index 2faf14ab8e7..f410ead625c 100644 --- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] should be restricted", - "actualValue": "ec2_group.rules[0] is not restricted" + "actualValue": "ec2_group.rules[0] is not restricted", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[1] should be restricted", - "actualValue": "ec2_group.rules[1] is not restricted" + "actualValue": "ec2_group.rules[1] is not restricted", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Not Restricted", @@ -33,7 +35,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[2] should be restricted", - "actualValue": "ec2_group.rules[2] is not restricted" + "actualValue": "ec2_group.rules[2] is not restricted", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Not Restricted", @@ -45,7 +48,8 @@ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] should be restricted", - "actualValue": "ec2_group.rules[0] is not restricted" + "actualValue": "ec2_group.rules[0] is not restricted", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Not Restricted", @@ -57,7 +61,8 @@ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[1] should be restricted", - "actualValue": "ec2_group.rules[1] is not restricted" + "actualValue": "ec2_group.rules[1] is not restricted", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Not Restricted", @@ -69,6 +74,7 @@ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[2] should be restricted", - "actualValue": "ec2_group.rules[2] is not restricted" + "actualValue": "ec2_group.rules[2] is not restricted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 2819965670b..554b4aae4d9 100644 --- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] SSH' (Port:22) should not be public", - "actualValue": "ec2_group.rules[0] SSH' (Port:22) is public" + "actualValue": "ec2_group.rules[0] SSH' (Port:22) is public", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -21,7 +22,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[1] SSH' (Port:22) should not be public", - "actualValue": "ec2_group.rules[1] SSH' (Port:22) is public" + "actualValue": "ec2_group.rules[1] SSH' (Port:22) is public", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -33,6 +35,7 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[2] SSH' (Port:22) should not be public", - "actualValue": "ec2_group.rules[2] SSH' (Port:22) is public" + "actualValue": "ec2_group.rules[2] SSH' (Port:22) is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json index b80e58527d5..545eb4c538e 100644 --- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{add sending authorization policy to email identityyy}}.{{community.aws.aws_ses_identity_policy}}.policy", "searchValue": "", "expectedValue": "'policy' should not allow IAM actions to all principals", - "actualValue": "'policy' allows IAM actions to all principals" + "actualValue": "'policy' allows IAM actions to all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 58439061fb4..685ba248dee 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", "searchValue": "", "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", "searchValue": "", "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", "searchValue": "", "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -45,6 +48,7 @@ "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", "searchValue": "", "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal" + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 7ad15eb99a6..d772e5b0948 100644 --- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example using security group rule descriptions}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "name={{example using security group rule descriptions 2}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "name={{example using security group rule descriptions 3}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -45,7 +48,8 @@ "searchKey": "name={{example using security group rule descriptions 4}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -57,6 +61,7 @@ "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", - "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)" + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index 46b53984359..c19cb955427 100644 --- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", "searchValue": "", "expectedValue": "sqs_queue.policy.Statement should not contain Action equal to '*'", - "actualValue": "sqs_queue.policy.Statement contains Action equal to '*'" + "actualValue": "sqs_queue.policy.Statement contains Action equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 18f4abc6ccb..4954f5f67c7 100644 --- a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{First SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", "searchValue": "", "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", - "actualValue": "sqs_queue.policy.Principal is equal to '*'" + "actualValue": "sqs_queue.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -21,6 +22,7 @@ "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", "searchValue": "", "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", - "actualValue": "sqs_queue.policy.Principal is equal to '*'" + "actualValue": "sqs_queue.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json index 69d78e4336b..8c785d4cb0a 100644 --- a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example}}.{{community.aws.sqs_queue}}.policy", "searchValue": "", "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", - "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible" + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue" }, { "queryName": "SQS Queue Exposed", @@ -21,6 +22,7 @@ "searchKey": "name={{example with list}}.{{community.aws.sqs_queue}}.policy", "searchValue": "", "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", - "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible" + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 511a119521e..ac8f4e7ff5a 100644 --- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", - "actualValue": "'kms_master_key_id' is undefined" + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", - "actualValue": "'kms_master_key_id' is undefined" + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", - "actualValue": "'kms_master_key_id' is undefined" + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -45,6 +48,7 @@ "searchKey": "name={{Tag queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", "searchValue": "", "expectedValue": "'kms_master_key_id' should be set", - "actualValue": "'kms_master_key_id' is undefined" + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json index 7d742abc82c..b245e36e0b8 100644 --- a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", "searchValue": "", "expectedValue": "cloudformation.notification_arns should be set", - "actualValue": "cloudformation.notification_arns is undefined" + "actualValue": "cloudformation.notification_arns is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json index dda5d34d59b..8c2d3e55650 100644 --- a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", "expectedValue": "cloudformation_stack_set.purge_stacks should be set", - "actualValue": "cloudformation_stack_set.purge_stacks is undefined" + "actualValue": "cloudformation_stack_set.purge_stacks is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks", "searchValue": "", "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false", - "actualValue": "cloudformation_stack_set.purge_stacks is true" + "actualValue": "cloudformation_stack_set.purge_stacks is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json index 0bdeb7135f0..ea9b2347b26 100644 --- a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", "searchValue": "", "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set", - "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set" + "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set", + "issueType": "MissingAttribute" }, { "queryName": "Stack Without Template", @@ -21,7 +22,8 @@ "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}", "searchValue": "", "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set", - "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set" + "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set", + "issueType": "IncorrectValue" }, { "queryName": "Stack Without Template", @@ -33,7 +35,8 @@ "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes template, template_body and template_url set", - "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set" + "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set", + "issueType": "IncorrectValue" }, { "queryName": "Stack Without Template", @@ -45,6 +48,7 @@ "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}", "searchValue": "", "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set", - "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set" + "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 3299419b53e..1028235e3aa 100644 --- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet", - "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet" + "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -21,6 +22,7 @@ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", "searchValue": "", "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet", - "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet" + "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index db7ea03e6d3..b0cd51a29b5 100644 --- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example1}}.{{amazon.aws.ec2_group}}.rules.cidr_ip={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", - "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -21,7 +22,8 @@ "searchKey": "name={{example2}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", - "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'" + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -33,7 +35,8 @@ "searchKey": "name={{example3}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -45,6 +48,7 @@ "searchKey": "name={{example4}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6.{{::/0}}", "searchValue": "", "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", - "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'" + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index f92ace115e3..712754b1752 100644 --- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.user_data", "searchValue": "", "expectedValue": "ec2_lc.user_data should not contain RSA Private Key", - "actualValue": "ec2_lc.user_data contains RSA Private Key" + "actualValue": "ec2_lc.user_data contains RSA Private Key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json index 2b82ac8e8cf..b3d4f82a63a 100644 --- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy", "searchValue": "", "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -21,6 +22,7 @@ "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy", "searchValue": "", "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 2235c4681ba..a025b85998b 100644 --- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a basic distribution with defaults, tags and default SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.cloudfront_default_certificate", "searchValue": "", "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", - "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'" + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -21,7 +22,8 @@ "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", "searchValue": "minimum_protocol_version", "expectedValue": "Attribute minimum_protocol_version should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", - "actualValue": "Attribute 'minimum_protocol_version' is not defined" + "actualValue": "Attribute 'minimum_protocol_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -33,6 +35,7 @@ "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", "searchValue": "ssl_support_method", "expectedValue": "Attribute ssl_support_method should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", - "actualValue": "Attribute 'ssl_support_method' is not defined" + "actualValue": "Attribute 'ssl_support_method' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index cf3e6e12d43..8c1b6a39f2b 100644 --- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create (or update) SQL Server}}.{{azure_rm_sqlserver}}", "searchValue": "", "expectedValue": "azure_rm_sqlserver.ad_user should be defined", - "actualValue": "azure_rm_sqlserver.ad_user is undefined" + "actualValue": "azure_rm_sqlserver.ad_user is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index a93bab71a7b..b1cae01e219 100644 --- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an azure container registry}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", "searchValue": "", "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", - "actualValue": "azure_rm_containerregistry.admin_user_enabled is true" + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue" }, { "queryName": "Admin User Enabled For Container Registry", @@ -21,6 +22,7 @@ "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", "searchValue": "", "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", - "actualValue": "azure_rm_containerregistry.admin_user_enabled is true" + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json index 4c5c0b34577..f6858cba4c8 100644 --- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", "searchValue": "", "expectedValue": "azure_rm_aks.addon should be set", - "actualValue": "azure_rm_aks.addon is undefined" + "actualValue": "azure_rm_aks.addon is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.addon", "searchValue": "", "expectedValue": "azure_rm_aks.addon.monitoring should be set", - "actualValue": "azure_rm_aks.addon.monitoring is undefined" + "actualValue": "azure_rm_aks.addon.monitoring is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{Create an AKS instance v3}}.{{azure_rm_aks}}.addon.monitoring", "searchValue": "", "expectedValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} should be set", - "actualValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} is undefined" + "actualValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", @@ -45,6 +48,7 @@ "searchKey": "name={{Create an AKS instance v9}}.{{azure_rm_aks}}.addon.monitoring.enabled", "searchValue": "", "expectedValue": "azure_rm_aks.addon.monitoring.enabled should be set to 'yes' or 'false'", - "actualValue": "azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'" + "actualValue": "azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index cbd51b1b590..3c49a8c373b 100644 --- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a managed Azure Container Services (AKS) instance03}}.{{azure_rm_aks}}.network_profile.network_policy", "searchValue": "", "expectedValue": "Azure AKS cluster network policy should be either 'calico' or 'azure'", - "actualValue": "Azure AKS cluster network policy is istio" + "actualValue": "Azure AKS cluster network policy is istio", + "issueType": "IncorrectValue" }, { "queryName": "AKS Network Policy Misconfigured", @@ -21,6 +22,7 @@ "searchKey": "name={{Create a managed Azure Container Services (AKS) instance04}}.{{azure_rm_aks}}", "searchValue": "", "expectedValue": "Azure AKS cluster network profile should be defined", - "actualValue": "Azure AKS cluster network profile is undefined" + "actualValue": "Azure AKS cluster network profile is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json index ff854e68d5e..91400f7f3d8 100644 --- a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.enable_rbac", "searchValue": "", "expectedValue": "azure_rm_aks.enable_rbac should be set to 'yes' or 'true'", - "actualValue": "azure_rm_aks.enable_rbac is not set to 'yes' or 'true'" + "actualValue": "azure_rm_aks.enable_rbac is not set to 'yes' or 'true'", + "issueType": "IncorrectValue" }, { "queryName": "AKS RBAC Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create an AKS instance v2}}.{{azure_rm_aks}}", "searchValue": "", "expectedValue": "azure_rm_aks.enable_rbac should be defined", - "actualValue": "azure_rm_aks.enable_rbac is undefined" + "actualValue": "azure_rm_aks.enable_rbac is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index 23b77b67327..8cb73e4f88a 100644 --- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}", "searchValue": "", "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock", - "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock" + "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" }, { "queryName": "Azure Container Registry With No Locks", @@ -21,7 +22,8 @@ "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}", "searchValue": "", "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", - "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" }, { "queryName": "Azure Container Registry With No Locks", @@ -33,6 +35,7 @@ "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}", "searchValue": "", "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", - "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock" + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 8a07c973fad..4da00e98480 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azure_rm_virtualmachine[testvm001].ssh_public_keys", "searchValue": "", "expectedValue": "'azure_rm_virtualmachine[testvm001]' should be using SSH keys for authentication", - "actualValue": "'azure_rm_virtualmachine[testvm001]' is using username and password for authentication" + "actualValue": "'azure_rm_virtualmachine[testvm001]' is using username and password for authentication", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json index 5f90390655d..6a30b93f871 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create Cosmos DB Account - max}}.{{azure_rm_cosmosdbaccount}}", "searchValue": "", "expectedValue": "'azurerm_cosmosdb_account.ip_range_filter' should be defined", - "actualValue": "'azurerm_cosmosdb_account.ip_range_filter' is undefined" + "actualValue": "'azurerm_cosmosdb_account.ip_range_filter' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json index bf2928b144b..9485ed12c88 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create Cosmos DB Account - min}}.{{azure_rm_cosmosdbaccount}}.tags", "searchValue": "", "expectedValue": "azure_rm_cosmosdbaccount.tags should be defined", - "actualValue": "azure_rm_cosmosdbaccount.tags is undefined" + "actualValue": "azure_rm_cosmosdbaccount.tags is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 40d9a90726f..7bd26df2499 100644 --- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", - "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'" + "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -21,7 +22,8 @@ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", - "actualValue": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')" + "actualValue": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')", + "issueType": "MissingAttribute" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -33,6 +35,7 @@ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", - "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'" + "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json index ed61f4d6f8a..a1dd69e166c 100644 --- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{too_many_hosts}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", "searchValue": "", "expectedValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address should allow up to 255 hosts", - "actualValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address allow 65539 hosts" + "actualValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address allow 65539 hosts", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json index c87e0fdb7d3..c75f4aa2600 100644 --- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete", "searchValue": "", "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true", - "actualValue": "azure_rm_keyvault.enable_soft_delete is false" + "actualValue": "azure_rm_keyvault.enable_soft_delete is false", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Soft Delete Is Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}", "searchValue": "", "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined", - "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined" + "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json index 0f7ae6f85ab..d0691b4c176 100644 --- a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should equal to 'on'", - "actualValue": "azure_rm_postgresqlconfiguration.value is not equal to 'on'" + "actualValue": "azure_rm_postgresqlconfiguration.value is not equal to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json index 6c50f8f1b65..ba0cb73fe4e 100644 --- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.categories", "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.categories should have all categories, Write, Action and Delete", - "actualValue": "azure_rm_monitorlogprofile.categories does not have all categories, Write, Action and Delete" + "actualValue": "azure_rm_monitorlogprofile.categories does not have all categories, Write, Action and Delete", + "issueType": "IncorrectValue" }, { "queryName": "Monitoring Log Profile Without All Activities", @@ -21,6 +22,7 @@ "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.categories should be defined", - "actualValue": "azure_rm_monitorlogprofile.categories is undefined" + "actualValue": "azure_rm_monitorlogprofile.categories is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index ff553f401da..10d7cea04db 100644 --- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}", "searchValue": "", "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)" + "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "MySQL SSL Connection Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl", "searchValue": "", "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false" + "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index 00724d2a907..0af0e3ffcae 100644 --- a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -57,7 +61,8 @@ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -69,6 +74,7 @@ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json index c19015d10da..7cd010b9106 100644 --- a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -21,7 +22,8 @@ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -33,7 +35,8 @@ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -45,7 +48,8 @@ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -57,7 +61,8 @@ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -69,6 +74,7 @@ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json index 67da74c4872..4a70105cdde 100644 --- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -21,7 +22,8 @@ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -33,7 +35,8 @@ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -45,7 +48,8 @@ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -57,7 +61,8 @@ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -69,6 +74,7 @@ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json index 5a3381bdc92..fb246bf0c50 100644 --- a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{example1}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -21,7 +22,8 @@ "searchKey": "name={{example2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -33,7 +35,8 @@ "searchKey": "name={{example3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -45,7 +48,8 @@ "searchKey": "name={{example4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -57,7 +61,8 @@ "searchKey": "name={{example5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -69,6 +74,7 @@ "searchKey": "name={{example6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", - "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'" + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index be8afed87ce..b9135ff3ba5 100644 --- a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -21,7 +22,8 @@ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -33,7 +35,8 @@ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -45,7 +48,8 @@ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -57,7 +61,8 @@ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -69,6 +74,7 @@ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", "searchValue": "", "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", - "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'" + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json index 061697d9acd..272fd79464d 100644 --- a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules", "searchValue": "", "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ", - "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'" + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Public Storage Account", @@ -21,6 +22,7 @@ "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action", "searchValue": "", "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set", - "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'" + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 7b3ce78c2e4..5a03ddf7cd4 100644 --- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Non SSl Allowed}}.{{azure_rm_rediscache}}.enable_non_ssl_port", "searchValue": "", "expectedValue": "azure_rm_rediscache.enable_non_ssl_port should be set to false or undefined", - "actualValue": "azure_rm_rediscache.enable_non_ssl_port is true" + "actualValue": "azure_rm_rediscache.enable_non_ssl_port is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json index 98e1e2e8647..fe42c283027 100644 --- a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", "searchValue": "", "expectedValue": "azure_rm_rediscachefirewallrule start_ip and end_ip should not equal to '0.0.0.0'", - "actualValue": "azure_rm_rediscachefirewallrule start_ip and end_ip are equal to '0.0.0.0'" + "actualValue": "azure_rm_rediscachefirewallrule start_ip and end_ip are equal to '0.0.0.0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json index bf543b96a40..f95b9929390 100644 --- a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", "searchValue": "", "expectedValue": "azure_rm_rediscachefirewallrule ip range should be private", - "actualValue": "azure_rm_rediscachefirewallrule ip range is public" + "actualValue": "azure_rm_rediscachefirewallrule ip range is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 8d402bbd624..88d016f1c58 100644 --- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions", "searchValue": "", "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", - "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation", + "issueType": "IncorrectValue" }, { "queryName": "Role Definition Allows Custom Role Creation", @@ -21,6 +22,7 @@ "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions", "searchValue": "", "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", - "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation" + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json index a0aa26f342e..86a65ef6fe7 100644 --- a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group should be defined and not null", - "actualValue": "azure_rm_subnet.security_group is undefined or null" + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", @@ -21,7 +22,8 @@ "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group should be defined and not null", - "actualValue": "azure_rm_subnet.security_group is undefined or null" + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", @@ -33,7 +35,8 @@ "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group should be defined and not null", - "actualValue": "azure_rm_subnet.security_group is undefined or null" + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", @@ -45,7 +48,8 @@ "searchKey": "name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group should not be empty", - "actualValue": "azure_rm_subnet.security_group is empty" + "actualValue": "azure_rm_subnet.security_group is empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Group is Not Configured", @@ -57,6 +61,7 @@ "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", "searchValue": "", "expectedValue": "azure_rm_subnet.security_group_name should not be empty", - "actualValue": "azure_rm_subnet.security_group_name is empty" + "actualValue": "azure_rm_subnet.security_group_name is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index a03a8d6d87e..c0c74d8520a 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", "searchValue": "UDP,61621", "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -21,7 +22,8 @@ "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -33,7 +35,8 @@ "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -45,7 +48,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -57,7 +61,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -69,7 +74,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -81,7 +87,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -93,7 +100,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -105,7 +113,8 @@ "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -117,7 +126,8 @@ "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -129,7 +139,8 @@ "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -141,7 +152,8 @@ "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -153,7 +165,8 @@ "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -165,7 +178,8 @@ "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -177,7 +191,8 @@ "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -189,7 +204,8 @@ "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -201,7 +217,8 @@ "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -213,7 +230,8 @@ "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -225,7 +243,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -237,7 +256,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -249,7 +269,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -261,7 +282,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -273,7 +295,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,80", "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -285,7 +308,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -297,7 +321,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -309,7 +334,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -321,7 +347,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,53", "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -333,7 +360,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -345,7 +373,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -357,7 +386,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -369,7 +399,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -381,7 +412,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -393,7 +425,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -405,7 +438,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,110", "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -417,7 +451,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -429,7 +464,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -441,7 +477,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,20", "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -453,7 +490,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,20", "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -465,7 +503,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,80", "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -477,7 +516,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,135", "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -489,7 +529,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -501,7 +542,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -513,7 +555,8 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "TCP,135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -525,6 +568,7 @@ "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", "searchValue": "UDP,139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json index 070979105b7..81044c16b19 100644 --- a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.retention_policy.enabled", "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.retention_policy.enabled should be true or yes", - "actualValue": "azure_rm_monitorlogprofile.retention_policy.enabled is false or no" + "actualValue": "azure_rm_monitorlogprofile.retention_policy.enabled is false or no", + "issueType": "IncorrectValue" }, { "queryName": "Small Activity Log Retention Period", @@ -21,7 +22,8 @@ "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.retention_policy should be defined", - "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined" + "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Small Activity Log Retention Period", @@ -33,6 +35,7 @@ "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", "searchValue": "", "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", - "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)" + "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 21c69736641..ac0f797aa34 100644 --- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create (or update) Firewall Rule}}.{{azure.azcollection.azure_rm_sqlfirewallrule}}.end_ip_address", "searchValue": "", "expectedValue": "azure_rm_sqlfirewallrule should allow all IPs", - "actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)" + "actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index 445711d293c..5e64fa09903 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", "searchValue": "", "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", - "actualValue": "azure_ad_serviceprincipal.ad_user is predictable" + "actualValue": "azure_ad_serviceprincipal.ad_user is predictable", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", @@ -21,7 +22,8 @@ "searchKey": "name={{create ad sp2}}.{{azure_ad_serviceprincipal}}.ad_user", "searchValue": "", "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", - "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null" + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", @@ -33,6 +35,7 @@ "searchKey": "name={{create ad sp3}}.{{azure_ad_serviceprincipal}}.ad_user", "searchValue": "", "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", - "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null" + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index 18824e13cf7..7b6d66ee713 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create (or update) SQL Server1}}.{{azure_rm_sqlserver}}.admin_username", "searchValue": "", "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", - "actualValue": "azure_rm_sqlserver.admin_username is empty" + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", @@ -21,7 +22,8 @@ "searchKey": "name={{Create (or update) SQL Server2}}.{{azure_rm_sqlserver}}.admin_username", "searchValue": "", "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", - "actualValue": "azure_rm_sqlserver.admin_username is empty" + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", @@ -33,6 +35,7 @@ "searchKey": "name={{Create (or update) SQL Server3}}.{{azure_rm_sqlserver}}.admin_username", "searchValue": "", "expectedValue": "azure_rm_sqlserver.admin_username should not be predictable", - "actualValue": "azure_rm_sqlserver.admin_username is predictable" + "actualValue": "azure_rm_sqlserver.admin_username is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index f64e01b5eca..4d4c2d9a8fe 100644 --- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", "searchValue": "", "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)" + "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "SSL Enforce Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", "searchValue": "", "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", - "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false" + "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 3228fb834d5..80c01465350 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", "searchValue": "", "expectedValue": "azure_rm_storageaccount.https_only should be defined", - "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)" + "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -21,7 +22,8 @@ "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -33,7 +35,8 @@ "searchKey": "name={{create an account3}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -45,7 +48,8 @@ "searchKey": "name={{create an account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -57,7 +61,8 @@ "searchKey": "name={{create an account5}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -69,7 +74,8 @@ "searchKey": "name={{create an account6}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -81,7 +87,8 @@ "searchKey": "name={{create an account7}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -93,7 +100,8 @@ "searchKey": "name={{create an account8}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -105,6 +113,7 @@ "searchKey": "name={{create an account9}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", "searchValue": "", "expectedValue": "azure_rm_storageaccount should have https_only set to true", - "actualValue": "azure_rm_storageaccount has https_only set to false" + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index ad3fcb31396..41db9294327 100644 --- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create an account with kind of FileStorage}}.{{azure_rm_storageaccount}}.minimum_tls_version", "searchValue": "", "expectedValue": "azure_rm_storageaccount should be using the latest version of TLS encryption", - "actualValue": "azure_rm_storageaccount is using version TLS1_0 of TLS encryption" + "actualValue": "azure_rm_storageaccount is using version TLS1_0 of TLS encryption", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Using Latest TLS Encryption Version", @@ -21,6 +22,7 @@ "searchKey": "name={{Create a second account with kind of FileStorage}}.{{azure_rm_storageaccount}}", "searchValue": "", "expectedValue": "azure_rm_storageaccount.minimum_tls_version should be defined", - "actualValue": "azure_rm_storageaccount.minimum_tls_version is undefined" + "actualValue": "azure_rm_storageaccount.minimum_tls_version is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 0089607b3e2..9e2c5d46bdb 100644 --- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access", "searchValue": "", "expectedValue": "azure_rm_storageblob.public_access should not be set", - "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Container Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access", "searchValue": "", "expectedValue": "azure_rm_storageblob.public_access should not be set", - "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'" + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 0540545350c..c7750fdb0c1 100644 --- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.bypass", "searchValue": "", "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", - "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "name={{configure firewall and virtual networks2}}.{{azure_rm_storageaccount}}.network_acls.bypass", "searchValue": "", "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", - "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -33,6 +35,7 @@ "searchKey": "name={{configure firewall and virtual networks3}}.{{azure_rm_storageaccount}}.network_acls.bypass", "searchValue": "", "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", - "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' " + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json index f47ea2c74c2..cd2de87491a 100644 --- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create (or update) Firewall Rule1}}.{{azure_rm_sqlfirewallrule}}", "searchValue": "", "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256", - "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256" + "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -21,6 +22,7 @@ "searchKey": "name={{Create (or update) Firewall Rule2}}.{{azure_rm_sqlfirewallrule}}", "searchValue": "", "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256", - "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256" + "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json index 9f405d94dd6..d75b8c1b79c 100644 --- a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create a VM with a custom image}}.{{azure_rm_virtualmachine}}", "searchValue": "", "expectedValue": "azure_rm_virtualmachine.network_interface_names should be defined", - "actualValue": "azure_rm_virtualmachine.network_interface_names is undefined" + "actualValue": "azure_rm_virtualmachine.network_interface_names is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json index 6882cead6dc..629671cc233 100644 --- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Create instance of Application Gateway}}.{{azure_rm_appgateway}}.sku.tier", "searchValue": "", "expectedValue": "azure_rm_appgateway.sku.tier should be 'waf' or 'waf_v2'", - "actualValue": "azure_rm_appgateway.sku.tier is standard" + "actualValue": "azure_rm_appgateway.sku.tier is standard", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json index aed8c662eca..206f17b8718 100644 --- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Create a windows web app with non-exist app service plan}}.{{azure_rm_webapp}}.https_only", "searchValue": "", "expectedValue": "azure_rm_webapp.https_only should be set to true or 'yes'", - "actualValue": "azure_rm_webapp.https_only value is 'false'" + "actualValue": "azure_rm_webapp.https_only value is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -21,6 +22,7 @@ "searchKey": "name={{Create another windows web app}}.{{azure_rm_webapp}}", "searchValue": "", "expectedValue": "azure_rm_webapp.https_only should be defined", - "actualValue": "azure_rm_webapp.https_only is undefined" + "actualValue": "azure_rm_webapp.https_only is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json index 2f945749899..4f2765c0f8a 100644 --- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "defaults.allow_unsafe_lookups", "searchValue": "", "expectedValue": "allow_unsafe_lookups should be set to 'False'", - "actualValue": "allow_unsafe_lookups is set to 'True'" + "actualValue": "allow_unsafe_lookups is set to 'True'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json index bef06fa20b7..9123c1a6d5b 100644 --- a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "[galaxy].server", "searchValue": "", "expectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol", - "actualValue": "'server' from galaxy group is accessed via the HTTP protocol'" + "actualValue": "'server' from galaxy group is accessed via the HTTP protocol'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json index 6299050594b..174d635e4b7 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "defaults", "searchValue": "", "expectedValue": "no_log should be defined and set to 'true'", - "actualValue": "no_log is not defined" + "actualValue": "no_log is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Logging of Sensitive Data In Defaults", @@ -21,6 +22,7 @@ "searchKey": "defaults.no_log", "searchValue": "", "expectedValue": "no_log should be set to 'true'", - "actualValue": "no_log is set to 'false'" + "actualValue": "no_log is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json index 9c852a596e3..d67afbbd16d 100644 --- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "defaults.become", "searchValue": "", "expectedValue": "'become' should be set to 'true'", - "actualValue": "'become' is set to 'false'" + "actualValue": "'become' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Using Become Plugin In Defaults", @@ -21,6 +22,7 @@ "searchKey": "defaults.become_user", "searchValue": "", "expectedValue": "'become' should be defined and set to 'true'", - "actualValue": "'become' is not defined" + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index a78d4fdd312..eb8c9bdab99 100644 --- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a dataset}}.{{google.cloud.gcp_bigquery_dataset}}.access", "searchValue": "", "expectedValue": "gcp_bigquery_dataset.access.special_group should not equal to 'allAuthenticatedUsers'", - "actualValue": "gcp_bigquery_dataset.access.special_group is equal to 'allAuthenticatedUsers'" + "actualValue": "gcp_bigquery_dataset.access.special_group is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json index 9132a260950..aff3d8e0545 100644 --- a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth should be defined", - "actualValue": "gcp_container_cluster.master_auth is undefined" + "actualValue": "gcp_container_cluster.master_auth is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.client_certificate_config should be defined", - "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined" + "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be true", - "actualValue": "gcp_container_cluster.master_auth.password is false" + "actualValue": "gcp_container_cluster.master_auth.password is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index d60f10c5f05..99b0859bd2f 100644 --- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}", "searchValue": "", "expectedValue": "gcp_dns_managed_zone.dnssec_config should be defined", - "actualValue": "gcp_dns_managed_zone.dnssec_config is undefined" + "actualValue": "gcp_dns_managed_zone.dnssec_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cloud DNS Without DNSSEC", @@ -21,7 +22,8 @@ "searchKey": "name={{create a second managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config", "searchValue": "", "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should be defined", - "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined" + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cloud DNS Without DNSSEC", @@ -33,6 +35,7 @@ "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state", "searchValue": "", "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'", - "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'" + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json index 610ef091dee..f07a27f2012 100644 --- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", "searchValue": "", "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct", - "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'contained database authentication' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" + "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'contained database authentication' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json index d91183c2cb6..a6a0b86ce53 100644 --- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", "searchValue": "", "expectedValue": "{{cloud_gcp_sql_instance}}.settings.database_flags should be correct", - "actualValue": "{{cloud_gcp_sql_instance}}.settings.database_flags.name is 'cross db ownership chaining' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" + "actualValue": "{{cloud_gcp_sql_instance}}.settings.database_flags.name is 'cross db ownership chaining' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 3fe9396e63a..051ce350cc8 100644 --- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity", "searchValue": "", "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'" + "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity", "searchValue": "", "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'" + "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "name={{create a bucket3}}.{{google.cloud.gcp_storage_bucket}}", "searchValue": "", "expectedValue": "gcp_storage_bucket.default_object_acl should be defined", - "actualValue": "gcp_storage_bucket.default_object_acl is undefined" + "actualValue": "gcp_storage_bucket.default_object_acl is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 514b1dbc420..b91fe36561d 100644 --- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", "searchValue": "", "expectedValue": "gcp_storage_bucket.logging should be defined", - "actualValue": "gcp_storage_bucket.logging is undefined" + "actualValue": "gcp_storage_bucket.logging is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index fd3e30a84ab..83a8326bafd 100644 --- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}", "searchValue": "", "expectedValue": "gcp_storage_bucket.versioning should be defined", - "actualValue": "gcp_storage_bucket.versioning is undefined" + "actualValue": "gcp_storage_bucket.versioning is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled", "searchValue": "", "expectedValue": "gcp_storage_bucket.versioning.enabled should be true", - "actualValue": "gcp_storage_bucket.versioning.enabled is false" + "actualValue": "gcp_storage_bucket.versioning.enabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json index a534d26413d..b0a265340c2 100644 --- a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", - "actualValue": "google.cloud.gcp_container_cluster is undefined and null" + "actualValue": "google.cloud.gcp_container_cluster is undefined and null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Labels Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", - "actualValue": "google.cloud.gcp_container_cluster is undefined and null" + "actualValue": "google.cloud.gcp_container_cluster is undefined and null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Labels Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels", "searchValue": "", "expectedValue": "google.cloud.gcp_container_cluster should not be empty", - "actualValue": "google.cloud.gcp_container_cluster is empty" + "actualValue": "google.cloud.gcp_container_cluster is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index d0406153fc5..f263c85b76d 100644 --- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth is undefined or null" + "actualValue": "gcp_container_cluster.master_auth is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.username is undefined or null" + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -57,6 +61,7 @@ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", - "actualValue": "gcp_container_cluster.master_auth.password is undefined or null" + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json index 677109a159d..74f1a4903c8 100644 --- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.network_interfaces.access_configs", "searchValue": "", "expectedValue": "gcp_compute_instance.network_interfaces.access_configs should not be defined", - "actualValue": "gcp_compute_instance.network_interfaces.access_configs is defined" + "actualValue": "gcp_compute_instance.network_interfaces.access_configs is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json index dd84fb41d4d..d2cf2d7de3f 100644 --- a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.config.image_type", "searchValue": "", "expectedValue": "gcp_container_node_pool.config.image_type should start with 'COS'", - "actualValue": "gcp_container_node_pool.config.image_type does not start with 'COS'" + "actualValue": "gcp_container_node_pool.config.image_type does not start with 'COS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json index d9fdf6f6e8a..4006e0c7b33 100644 --- a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a disk1}}.{{google.cloud.gcp_compute_disk}}", "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key should be defined and not null", - "actualValue": "gcp_compute_disk.disk_encryption_key is undefined or null" + "actualValue": "gcp_compute_disk.disk_encryption_key is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", - "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null" + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key", "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty", - "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty" + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty", + "issueType": "IncorrectValue" }, { "queryName": "Disk Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", - "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null" + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -57,6 +61,7 @@ "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name", "searchValue": "", "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty", - "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty" + "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index e7878dcd8ba..25ca6be4480 100644 --- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.defaultKeySpecs.algorithm", "searchValue": "", "expectedValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm should not equal to 'rsasha1'", - "actualValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm is equal to 'rsasha1'" + "actualValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm is equal to 'rsasha1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json index 8329718ffee..8c760fe1fe5 100644 --- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth should be defined", - "actualValue": "gcp_container_cluster.master_auth is undefined" + "actualValue": "gcp_container_cluster.master_auth is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GKE Basic Authentication Enabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.username should be defined", - "actualValue": "gcp_container_cluster.master_auth.username is undefined" + "actualValue": "gcp_container_cluster.master_auth.username is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GKE Basic Authentication Enabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be defined", - "actualValue": "gcp_container_cluster.master_auth.password is undefined" + "actualValue": "gcp_container_cluster.master_auth.password is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GKE Basic Authentication Enabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.username should be empty", - "actualValue": "gcp_container_cluster.master_auth.username is not empty" + "actualValue": "gcp_container_cluster.master_auth.username is not empty", + "issueType": "IncorrectValue" }, { "queryName": "GKE Basic Authentication Enabled", @@ -57,6 +61,7 @@ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth.password", "searchValue": "", "expectedValue": "gcp_container_cluster.master_auth.password should be empty", - "actualValue": "gcp_container_cluster.master_auth.password is not empty" + "actualValue": "gcp_container_cluster.master_auth.password is not empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index e2018dc7308..cf690d5d430 100644 --- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.legacy_abac.enabled", "searchValue": "", "expectedValue": "gcp_container_cluster.legacy_abac.enabled should be set to false", - "actualValue": "gcp_container_cluster.legacy_abac.enabled is true" + "actualValue": "gcp_container_cluster.legacy_abac.enabled is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index 7d3a7c54091..1ec52d3e4e9 100644 --- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config.enabled", "searchValue": "", "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be true", - "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is false" + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "GKE Master Authorized Networks Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config", "searchValue": "", "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined", - "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined" + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GKE Master Authorized Networks Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined", - "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined" + "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json index 1958481135f..fedec730665 100644 --- a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is missing" + "actualValue": "'service_account' is missing", + "issueType": "MissingAttribute" }, { "queryName": "GKE Using Default Service Account", @@ -21,6 +22,7 @@ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is default" + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index ce303782d3c..bae09afcaf2 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", "searchValue": "", "expectedValue": "'google.cloud.gcp_compute_network' should not be using a default firewall rule", - "actualValue": "'google.cloud.gcp_compute_network' is using a default firewall rule" + "actualValue": "'google.cloud.gcp_compute_network' is using a default firewall rule", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json index 660a1c91e63..f5b553533c1 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", "searchValue": "", "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to port range", - "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to port range" + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to port range", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index 8f32ef54a5a..0a12b4cc14b 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", "searchValue": "", "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to all ports", - "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to all ports" + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to all ports", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index 401c93188b2..c9a9decac64 100644 --- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}", "searchValue": "", "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'", - "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'" + "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'", + "issueType": "MissingAttribute" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", @@ -21,6 +22,7 @@ "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version", "searchValue": "", "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'", - "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'" + "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 850ce02e451..7fda25bb211 100644 --- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a subnetwork}}.{{google.cloud.gcp_compute_subnetwork}}", "searchValue": "", "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be defined and not null", - "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is undefined or null" + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create a subnetwork2}}.{{google.cloud.gcp_compute_subnetwork}}.private_ip_google_access", "searchValue": "", "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be set to yes", - "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is set to no" + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is set to no", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 8c9dbd89a8e..f23dbf70a80 100644 --- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", "searchValue": "", "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", - "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false" + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a node pool2}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", "searchValue": "", "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", - "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false" + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a node pool3}}.{{google.cloud.gcp_container_node_pool}}", "searchValue": "", "expectedValue": "gcp_container_node_pool.management should be defined", - "actualValue": "gcp_container_node_pool.management is undefined" + "actualValue": "gcp_container_node_pool.management is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 846afd659cc..b9e96c3fe89 100644 --- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period", "searchValue": "", "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000", - "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000" + "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000", + "issueType": "IncorrectValue" }, { "queryName": "High Google KMS Crypto Key Rotation Period", @@ -21,6 +22,7 @@ "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}", "searchValue": "", "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000", - "actualValue": "gcp_kms_crypto_key.rotation_period is undefined" + "actualValue": "gcp_kms_crypto_key.rotation_period is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 246d07b6d92..bf00224bb44 100644 --- a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.ip_allocation_policy should be defined", - "actualValue": "gcp_container_cluster.ip_allocation_policy is undefined" + "actualValue": "gcp_container_cluster.ip_allocation_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy", "searchValue": "", "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be set to true", - "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined" + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases", "searchValue": "", "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true", - "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false" + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json index 320fb0583b3..ee06f4780ea 100644 --- a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.can_ip_forward", "searchValue": "", "expectedValue": "gcp_compute_instance.can_ip_forward should be set to false", - "actualValue": "gcp_compute_instance.can_ip_forward is true" + "actualValue": "gcp_compute_instance.can_ip_forward is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json index 395be491147..0c734e6df4e 100644 --- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", "searchValue": "", "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct", - "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'local_infile' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'" + "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'local_infile' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json index 423c27e6538..b5e8aa9ac33 100644 --- a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "network_policy", "expectedValue": "gcp_container_cluster.network_policy should be defined", - "actualValue": "gcp_container_cluster.network_policy is undefined" + "actualValue": "gcp_container_cluster.network_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "addons_config", "expectedValue": "gcp_container_cluster.addons_config should be defined", - "actualValue": "gcp_container_cluster.addons_config is undefined" + "actualValue": "gcp_container_cluster.addons_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.addons_config", "searchValue": "", "expectedValue": "gcp_container_cluster.addons_config.network_policy_config should be defined", - "actualValue": "gcp_container_cluster.addons_config.network_policy_config is undefined" + "actualValue": "gcp_container_cluster.addons_config.network_policy_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled", "searchValue": "", "expectedValue": "gcp_container_cluster.network_policy.enabled should be true", - "actualValue": "gcp_container_cluster.network_policy.enabled is false" + "actualValue": "gcp_container_cluster.network_policy.enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", @@ -57,6 +61,7 @@ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", "searchValue": "", "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", - "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true" + "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 052b5f52e6d..b88ab156a9b 100644 --- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}", "searchValue": "", "expectedValue": "gcp_container_node_pool.management should be defined", - "actualValue": "gcp_container_node_pool.management is undefined" + "actualValue": "gcp_container_node_pool.management is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a second node pool}}.{{google.cloud.gcp_container_node_pool}}.management", "searchValue": "", "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be defined", - "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined" + "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -33,6 +35,7 @@ "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade", "searchValue": "", "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true", - "actualValue": "gcp_container_node_pool.management.auto_upgrade is false" + "actualValue": "gcp_container_node_pool.management.auto_upgrade is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json index 87195853fb4..fa168f793d7 100644 --- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{oslogin-disabled}}.{{google.cloud.gcp_compute_instance}}.metadata.enable-oslogin", "searchValue": "", "expectedValue": "gcp_compute_instance.metadata.enable-oslogin should be true", - "actualValue": "gcp_compute_instance.metadata.enable-oslogin is false" + "actualValue": "gcp_compute_instance.metadata.enable-oslogin is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json index 20cbdcc5647..b2f7b1ce458 100644 --- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'", - "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'" + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", @@ -21,6 +22,7 @@ "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", - "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json index 2f2ecdf0b78..fdd09f30c50 100644 --- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_connections' flag set to 'on'", - "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_connections' flag set to 'off'" + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_connections' flag set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", - "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined" + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json index dd6f8ab1f99..8018231242f 100644 --- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_temp_files to 0", - "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_temp_files to 0" + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_temp_files to 0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json index 7f7db602824..89ccca0756a 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags.log_min_messages", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.database_flags should set 'log_min_messages' to a valid value", - "actualValue": "gcp_sql_instance.settings.database_flags doesn't set 'log_min_messages' to a valid value" + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set 'log_min_messages' to a valid value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json index 8b9e1125eab..ebae796beb6 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_min_duration_statement to -1", - "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_min_duration_statement to -1" + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_min_duration_statement to -1", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json index c35e772cedc..fe2af78c435 100644 --- a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.private_cluster_config should be defined", - "actualValue": "gcp_container_cluster.private_cluster_config is undefined" + "actualValue": "gcp_container_cluster.private_cluster_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", "searchValue": "", "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined" + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", "searchValue": "", "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined" + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_endpoint", "searchValue": "", "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be true", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is false" + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is false", + "issueType": "IncorrectValue" }, { "queryName": "Private Cluster Disabled", @@ -57,6 +61,7 @@ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_nodes", "searchValue": "", "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be true", - "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is false" + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 7ab68879601..543fdbe58f1 100644 --- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{ssh_keys_unblocked}}.{{google.cloud.gcp_compute_instance}}.metadata.block-project-ssh-keys", "searchValue": "", "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be true", - "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is false" + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is false", + "issueType": "IncorrectValue" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -21,7 +22,8 @@ "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata", "searchValue": "", "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true", - "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined" + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -33,6 +35,7 @@ "searchKey": "name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}", "searchValue": "", "expectedValue": "gcp_compute_instance.metadata should be set", - "actualValue": "gcp_compute_instance.metadata is undefined" + "actualValue": "gcp_compute_instance.metadata is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index e5d5f03d384..9ba816b949a 100644 --- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", "searchValue": "", "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", - "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic", + "issueType": "IncorrectValue" }, { "queryName": "RDP Access Is Not Restricted", @@ -21,6 +22,7 @@ "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", "searchValue": "", "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", - "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic" + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json index 317268008ad..cc550840de3 100644 --- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{serial_enabled}}.{{google.cloud.gcp_compute_instance}}.metadata.serial-port-enable", "searchValue": "", "expectedValue": "gcp_compute_instance.metadata.serial-port-enable should be undefined or set to false", - "actualValue": "gcp_compute_instance.metadata.serial-port-enable is set to true" + "actualValue": "gcp_compute_instance.metadata.serial-port-enable is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json index ef8f448e40f..c7cd4b6520a 100644 --- a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined", - "actualValue": "gcp_compute_instance.shielded_instance_config is undefined" + "actualValue": "gcp_compute_instance.shielded_instance_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be defined", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is undefined" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be defined", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is undefined" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -45,7 +48,8 @@ "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be defined", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is undefined" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -57,7 +61,8 @@ "searchKey": "name={{create a instance5}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_integrity_monitoring", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be true", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is false" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is false", + "issueType": "IncorrectValue" }, { "queryName": "Shielded VM Disabled", @@ -69,7 +74,8 @@ "searchKey": "name={{create a instance6}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_secure_boot", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be true", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is false" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is false", + "issueType": "IncorrectValue" }, { "queryName": "Shielded VM Disabled", @@ -81,6 +87,7 @@ "searchKey": "name={{create a instance7}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_vtpm", "searchValue": "", "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be true", - "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false" + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index bd62898e7ee..2299c808c61 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", "searchValue": "", "expectedValue": "gcp_sql_instance.settings should be defined", - "actualValue": "gcp_sql_instance.settings is undefined" + "actualValue": "gcp_sql_instance.settings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.backup_configuration should be defined", - "actualValue": "gcp_sql_instance.settings.backup_configuration is undefined" + "actualValue": "gcp_sql_instance.settings.backup_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.backup_configuration.enabled should be defined", - "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined" + "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -45,6 +48,7 @@ "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", - "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false" + "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 9b6da82cf12..c1cdb2abd51 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.authorized_networks.name={{google dns server}}.value", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address should be trusted", - "actualValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address is not restricted: '0.0.0.0'" + "actualValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address is not restricted: '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "name={{sql_instance2}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.ipv4_enabled", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled should be disabled when there are no authorized networks", - "actualValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled is enabled when there are no authorized networks" + "actualValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled is enabled when there are no authorized networks", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "name={{sql_instance3}}.{{google.cloud.gcp_sql_instance}}.settings", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined and allow only trusted networks", - "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined" + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index d037cc44041..dc60d43b700 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", "searchValue": "", "expectedValue": "gcp_sql_instance.settings should be defined", - "actualValue": "gcp_sql_instance.settings is undefined" + "actualValue": "gcp_sql_instance.settings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -21,7 +22,8 @@ "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined", - "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined" + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -33,7 +35,8 @@ "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be defined", - "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined" + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -45,6 +48,7 @@ "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", "searchValue": "", "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", - "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false" + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 1ba1dceba8a..f82c8d4527e 100644 --- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{ssh_unrestricted}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", "searchValue": "", "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain SSH port (22) with unrestricted ingress traffic", - "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain SSH port (22) with unrestricted ingress traffic" + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain SSH port (22) with unrestricted ingress traffic", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 621ff9b8464..ebccb57ab53 100644 --- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.logging_service should be defined", - "actualValue": "gcp_container_cluster.logging_service is undefined" + "actualValue": "gcp_container_cluster.logging_service is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", "searchValue": "", "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", - "actualValue": "gcp_container_cluster.logging_service is 'none'" + "actualValue": "gcp_container_cluster.logging_service is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index a90878e001a..5c28fe731d3 100644 --- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", "searchValue": "", "expectedValue": "gcp_container_cluster.monitoring_service should be defined", - "actualValue": "gcp_container_cluster.monitoring_service is undefined" + "actualValue": "gcp_container_cluster.monitoring_service is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Monitoring Disabled", @@ -21,6 +22,7 @@ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", "searchValue": "", "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", - "actualValue": "gcp_container_cluster.monitoring_service is 'none'" + "actualValue": "gcp_container_cluster.monitoring_service is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json index 041c50b7741..440ca1c7d78 100644 --- a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", "searchValue": "", "expectedValue": "gcp_compute_instance.service_account_email should be defined", - "actualValue": "gcp_compute_instance.service_account_email is undefined" + "actualValue": "gcp_compute_instance.service_account_email is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Using Default Service Account", @@ -21,7 +22,8 @@ "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.service_account_email", "searchValue": "", "expectedValue": "gcp_compute_instance.service_account_email should not be empty", - "actualValue": "gcp_compute_instance.service_account_email is empty" + "actualValue": "gcp_compute_instance.service_account_email is empty", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Service Account", @@ -33,7 +35,8 @@ "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.service_account_email", "searchValue": "", "expectedValue": "gcp_compute_instance.service_account_email should be an email", - "actualValue": "gcp_compute_instance.service_account_email is not an email" + "actualValue": "gcp_compute_instance.service_account_email is not an email", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Service Account", @@ -45,6 +48,7 @@ "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", "searchValue": "", "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", - "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account" + "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index 0df5d498573..a8a7481dc6c 100644 --- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.service_accounts", "searchValue": "", "expectedValue": "gcp_compute_instance.service_accounts.scopes should not contain 'cloud-platform'", - "actualValue": "gcp_compute_instance.service_accounts.scopes contains 'cloud-platform'" + "actualValue": "gcp_compute_instance.service_accounts.scopes contains 'cloud-platform'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json index f3b32d20242..b5b260fc035 100644 --- a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json +++ b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "name={{Verificar o status do site}}.{{ansible.builtin.uri}}.url", "searchValue": "", "expectedValue": "ansible.builtin.uri.url should be accessed via the HTTPS protocol", - "actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'" + "actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index 563e8631804..ea55853985b 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{One}}.{{ansible.builtin.template}}.src", "searchValue": "", "expectedValue": "ansible.builtin.template.src should not be a relative path", - "actualValue": "ansible.builtin.template.src is a relative path" + "actualValue": "ansible.builtin.template.src is a relative path", + "issueType": "IncorrectValue" }, { "queryName": "Insecure Relative Path Resolution", @@ -21,6 +22,7 @@ "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", "searchValue": "", "expectedValue": "ansible.builtin.copy.src should not be a relative path", - "actualValue": "ansible.builtin.copy.src is a relative path" + "actualValue": "ansible.builtin.copy.src is a relative path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index 0e03a53b26f..5362bfee868 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{bar}}.no_log", "searchValue": "", "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", - "actualValue": "'no_log' is set to false" + "actualValue": "'no_log' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Logging of Sensitive Data", @@ -21,6 +22,7 @@ "searchKey": "name={{bar}}", "searchValue": "", "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", - "actualValue": "'no_log' is not defined" + "actualValue": "'no_log' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 1c72300ddd0..e423f27c8e3 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "become_user={{bar}}", "searchValue": "", "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", - "actualValue": "'become' is not defined" + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Using Become Plugin", @@ -21,7 +22,8 @@ "searchKey": "become", "searchValue": "", "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", - "actualValue": "'become' is set to 'false'" + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Using Become Plugin", @@ -33,7 +35,8 @@ "searchKey": "name={{Sample become_user}}.become_user={{foo}}", "searchValue": "", "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", - "actualValue": "'become' is not defined" + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Using Become Plugin", @@ -45,7 +48,8 @@ "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", "searchValue": "", "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", - "actualValue": "'become' is set to 'false'" + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Using Become Plugin", @@ -57,7 +61,8 @@ "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", "searchValue": "", "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", - "actualValue": "'become' is set to 'false'" + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Using Become Plugin", @@ -69,6 +74,7 @@ "searchKey": "name={{become_user without become}}.become_user={{mysql}}", "searchValue": "", "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with mysql", - "actualValue": "'become' is not defined" + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 1263c988eae..2a630fa9754 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", "searchValue": "", "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", - "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'" + "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'", + "issueType": "IncorrectValue" }, { "queryName": "Risky File Permissions", @@ -21,7 +22,8 @@ "searchKey": "name={{Permissions missing}}.{{file}}", "searchValue": "", "expectedValue": "All the permissions set in file about creating files/directories", - "actualValue": "There are some permissions missing in file and might create directory/file" + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" }, { "queryName": "Risky File Permissions", @@ -33,7 +35,8 @@ "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", "searchValue": "", "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", - "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file" + "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file", + "issueType": "MissingAttribute" }, { "queryName": "Risky File Permissions", @@ -45,7 +48,8 @@ "searchKey": "name={{Permissions missing 3x}}.{{file}}", "searchValue": "", "expectedValue": "All the permissions set in file about creating files/directories", - "actualValue": "There are some permissions missing in file and might create directory/file" + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" }, { "queryName": "Risky File Permissions", @@ -57,7 +61,8 @@ "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", "searchValue": "", "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", - "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Risky File Permissions", @@ -69,7 +74,8 @@ "searchKey": "name={{Permissions missing 4x}}.{{get_url}}", "searchValue": "", "expectedValue": "All the permissions set in get_url about creating files/directories", - "actualValue": "There are some permissions missing in get_url and might create directory/file" + "actualValue": "There are some permissions missing in get_url and might create directory/file", + "issueType": "MissingAttribute" }, { "queryName": "Risky File Permissions", @@ -81,7 +87,8 @@ "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", "searchValue": "", "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", - "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined" + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Risky File Permissions", @@ -93,7 +100,8 @@ "searchKey": "name={{not preserve mode 2x}}.{{replace}}", "searchValue": "", "expectedValue": "replace does not allow setting 'preserve' value for 'mode' key", - "actualValue": "'Mode' key of replace is set to 'preserve'" + "actualValue": "'Mode' key of replace is set to 'preserve'", + "issueType": "IncorrectValue" }, { "queryName": "Risky File Permissions", @@ -105,7 +113,8 @@ "searchKey": "name={{Not Permissions}}.{{file}}", "searchValue": "", "expectedValue": "All the permissions set in file about creating files/directories", - "actualValue": "There are some permissions missing in file and might create directory/file" + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" }, { "queryName": "Risky File Permissions", @@ -117,6 +126,7 @@ "searchKey": "name={{create_false}}.{{ansible.builtin.lineinfile}}", "searchValue": "", "expectedValue": "ansible.builtin.lineinfile does not allow setting 'preserve' value for 'mode' key", - "actualValue": "'Mode' key of ansible.builtin.lineinfile is set to 'preserve'" + "actualValue": "'Mode' key of ansible.builtin.lineinfile is set to 'preserve'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json index c5dfbf4a36f..379b8acb319 100644 --- a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json +++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -21,7 +22,8 @@ "searchKey": "name={{Install Ansible-lint}}.{{ansible.builtin.pip}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -33,7 +35,8 @@ "searchKey": "name={{Install some-package}}.{{ansible.builtin.package}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -45,7 +48,8 @@ "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -57,7 +61,8 @@ "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -69,7 +74,8 @@ "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -81,7 +87,8 @@ "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -93,7 +100,8 @@ "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -105,7 +113,8 @@ "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -117,7 +126,8 @@ "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -129,7 +139,8 @@ "searchKey": "name={{Install formula foo with 'brew' from cask}}.{{community.general.homebrew}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -141,7 +152,8 @@ "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -153,7 +165,8 @@ "searchKey": "name={{Install packages based on package.json}}.{{community.general.npm}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -165,7 +178,8 @@ "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -177,7 +191,8 @@ "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -189,7 +204,8 @@ "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -201,7 +217,8 @@ "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -213,7 +230,8 @@ "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -225,7 +243,8 @@ "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -237,7 +256,8 @@ "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -249,7 +269,8 @@ "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -261,7 +282,8 @@ "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -273,7 +295,8 @@ "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -285,7 +308,8 @@ "searchKey": "name={{Install \"imagemin\" node.js package globally.}}.{{community.general.yarn}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -297,7 +321,8 @@ "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version", @@ -309,6 +334,7 @@ "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", "searchValue": "", "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", - "actualValue": "State's task is set to 'latest'" + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json index 87e5f1496ac..3a3b43ec164 100644 --- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "[tower]", "searchValue": "", "expectedValue": "Ansible Tower IP should be private", - "actualValue": "Ansible Tower IP is public" + "actualValue": "Ansible Tower IP is public", + "issueType": "IncorrectValue" }, { "queryName": "Ansible Tower Exposed To Internet", @@ -21,6 +22,7 @@ "searchKey": "all.children.tower.hosts", "searchValue": "", "expectedValue": "Ansible Tower IP should be private", - "actualValue": "Ansible Tower IP is public" + "actualValue": "Ansible Tower IP is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json index a8fac6bb91e..54c74a67951 100644 --- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{sample/server/default}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", - "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing" + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json index cf949e5a63e..efe27b62eef 100644 --- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -21,7 +22,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -33,7 +35,8 @@ "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -45,7 +48,8 @@ "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -57,7 +61,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is undefined" + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -81,7 +87,8 @@ "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", "searchValue": "", "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", - "actualValue": "'networkProfile.networkPolicy' is empty" + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json index b7c248c26c2..87e0a908d18 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", "searchValue": "", "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", - "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)" + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json index 7aed5e777db..be32cd0c6c2 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", - "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", - "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", - "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", @@ -45,6 +48,7 @@ "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", "searchValue": "", "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", - "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false" + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json index 38ac5ae227b..5c11f896091 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false" + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", - "actualValue": "'addonProfiles.omsagent.enabled' is undefined" + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json index 4b55e8c5ed0..dbb8aaf034f 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=aksCluster1.apiVersion", "searchValue": "", "expectedValue": "'apiVersion' should be '2019-02-01' or newer", - "actualValue": "'apiVersion' is 2017-08-31" + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name=aksCluster1.apiVersion", "searchValue": "", "expectedValue": "'apiVersion' should be '2019-02-01' or newer", - "actualValue": "'apiVersion' is 2017-08-31" + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -45,7 +48,8 @@ "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is undefined" + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is undefined" + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -93,7 +100,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -117,7 +126,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -141,7 +152,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name=aksCluster1.apiVersion", "searchValue": "", "expectedValue": "'apiVersion' should be '2019-02-01' or newer", - "actualValue": "'apiVersion' is 2017-08-31" + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -165,7 +178,8 @@ "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", "searchValue": "", "expectedValue": "'apiVersion' should be '2019-02-01' or newer", - "actualValue": "'apiVersion' is 2017-08-31" + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is undefined" + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -189,7 +204,8 @@ "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is undefined" + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -201,7 +217,8 @@ "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -213,7 +230,8 @@ "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", "searchValue": "", "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", - "actualValue": "'apiServerAuthorizedIPRanges' is empty" + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -225,7 +243,8 @@ "searchKey": "resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", @@ -237,6 +256,7 @@ "searchKey": "properties.template.resources.name=aksCluster1", "searchValue": "", "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", - "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined" + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json index 1e9fa2ca622..532fa8dad0e 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -21,7 +22,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -33,7 +35,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -45,7 +48,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -57,7 +61,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -69,7 +74,8 @@ "searchKey": "resources.name=webApp1/authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -81,7 +87,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -93,7 +100,8 @@ "searchKey": "resources.name=webApp1/authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -105,7 +113,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -129,7 +139,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -141,7 +152,8 @@ "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -153,7 +165,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -165,7 +178,8 @@ "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' property value is false on authsettings properties" + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", @@ -177,7 +191,8 @@ "searchKey": "resources.name=webApp1.resources.name=authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", @@ -189,6 +204,7 @@ "searchKey": "properties.template.resources.name=webApp1/authsettings", "searchValue": "", "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", - "actualValue": "'enabled' is undefined" + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json index 5bae76f613f..998e14937d7 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -21,7 +22,8 @@ "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -33,7 +35,8 @@ "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -45,7 +48,8 @@ "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -57,7 +61,8 @@ "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'disablePasswordAuthentication' property value is set to false" + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -81,7 +87,8 @@ "searchKey": "resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name=[variables('vmName')]", "searchValue": "", "expectedValue": "'disablePasswordAuthentication' should be set to true", - "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined" + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json index 707b817c960..d6e181462f6 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -21,7 +22,8 @@ "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -33,7 +35,8 @@ "searchKey": "resources.name=['${variables('vmName')}-disk1']", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' is undefined" + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -45,7 +48,8 @@ "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' is undefined" + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -57,7 +61,8 @@ "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false" + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -81,7 +87,8 @@ "searchKey": "resources.name=['${variables('vmName')}-disk1']", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' is undefined" + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Managed Disk Without Encryption", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]", "searchValue": "", "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", - "actualValue": "'encryptionSettingsCollection.enabled' is undefined" + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index b7ece2b7004..1d3e7d54d38 100644 --- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -21,7 +22,8 @@ "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -33,7 +35,8 @@ "searchKey": "resources.name=positive2.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", + "issueType": "MissingAttribute" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -45,7 +48,8 @@ "searchKey": "resources.name=positive2.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", + "issueType": "MissingAttribute" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -57,7 +61,8 @@ "searchKey": "resources.name=positive3.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -69,6 +74,7 @@ "searchKey": "resources.name=positive3.properties.publicNetworkAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json index 30b338a9475..bd3bf684e39 100644 --- a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -45,7 +48,8 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -141,7 +152,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -165,7 +178,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -189,7 +204,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -201,7 +217,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -213,7 +230,8 @@ "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -225,7 +243,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -237,7 +256,8 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", @@ -249,7 +269,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -261,7 +282,8 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -273,7 +295,8 @@ "searchKey": "resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", @@ -285,6 +308,7 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json index 6b24cc74621..98f38be116c 100644 --- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "parameters.adminPassword.defaultValue", "searchValue": "", "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", - "actualValue": "parameters.adminPassword.defaultValue is hardcoded" + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded SecureString Parameter Default Value", @@ -21,7 +22,8 @@ "searchKey": "parameters.adminPassword.defaultValue", "searchValue": "", "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", - "actualValue": "parameters.adminPassword.defaultValue is hardcoded" + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded SecureString Parameter Default Value", @@ -33,7 +35,8 @@ "searchKey": "parameters.adminPassword.defaultValue", "searchValue": "", "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", - "actualValue": "parameters.adminPassword.defaultValue is hardcoded" + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded SecureString Parameter Default Value", @@ -45,6 +48,7 @@ "searchKey": "parameters.adminPassword.defaultValue", "searchValue": "", "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", - "actualValue": "parameters.adminPassword.defaultValue is hardcoded" + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index a13935f8428..a0f2068346c 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", "searchValue": "enableSoftDelete", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", "searchValue": "enablePurgeProtection", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", @@ -141,6 +152,7 @@ "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", "searchValue": "enableSoftDelete", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json index c36e341e07c..5b9fbfeecd6 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", - "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", - "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", - "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", @@ -45,6 +48,7 @@ "searchKey": "properties.template.resources.name={{string}}.properties.categories", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", - "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'" + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json index dda23090044..65b8b2908cf 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{server}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{server}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{server}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{server}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{server}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{server}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{server}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{server}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 95382dedda6..a10c9db24a6 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -33,7 +35,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -45,7 +48,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -57,7 +61,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' should restrict access to RDP", - "actualValue": "resource with type 'securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -69,7 +74,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' should restrict access to RDP", - "actualValue": "resource with type 'securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -105,7 +113,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -117,7 +126,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -129,7 +139,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' should restrict access to RDP", - "actualValue": "resource with type 'securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", @@ -141,6 +152,7 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' should restrict access to RDP", - "actualValue": "resource with type 'securityRules' does not restrict access to RDP" + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index e134357d75c..ff5edf09279 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -33,7 +35,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -45,7 +48,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -57,7 +61,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -69,7 +74,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -105,7 +113,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -117,7 +126,8 @@ "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", - "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -129,7 +139,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -141,7 +152,8 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", @@ -153,6 +165,7 @@ "searchKey": "resources.type={{securityRules}}.properties", "searchValue": "", "expectedValue": "resource with type 'securityRules' restricts access to SSH", - "actualValue": "resource with type 'securityRules' does not restrict access to SSH" + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json index 87779b82b4b..a943a8a9840 100644 --- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", @@ -45,6 +48,7 @@ "searchKey": "properties.template.resources.name={{security contact}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", - "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined" + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json index 7d15bee9ecc..ee61c504472 100644 --- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.resources.name=connection_throttling.properties.value", "searchValue": "", "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.resources.name=connection_throttling.properties.value", "searchValue": "", "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.resources.name=connection_throttling.properties.value", "searchValue": "", "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", "searchValue": "", "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", @@ -141,6 +152,7 @@ "searchKey": "properties.template.resources.name=servers1", "searchValue": "", "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", - "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled" + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json index 1ad135cb0a9..977c3e1d2ed 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -93,7 +100,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -141,7 +152,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -165,7 +178,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", @@ -189,6 +204,7 @@ "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json index 2c295b3ef3e..12942e62fca 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -93,7 +100,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -141,7 +152,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", "searchValue": "", "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", - "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'" + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -165,7 +178,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties.value", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", @@ -189,6 +204,7 @@ "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json index e1d587dcf5d..ca808439ee5 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{MyDBServer}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server SSL Disabled", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", - "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined" + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json index 95bf2128548..c26cb5e96e0 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", - "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')" + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json index 7c7872cb129..d1e6eac5e0f 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.resources.name={{secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{keyVault1/secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -33,7 +35,8 @@ "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -45,7 +48,8 @@ "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -57,7 +61,8 @@ "searchKey": "resources.resources.name={{secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -81,7 +87,8 @@ "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", "searchValue": "", "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", - "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined" + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json index 7d90153dc8b..942df5b45d3 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", @@ -21,7 +22,8 @@ "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", @@ -33,7 +35,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -45,7 +48,8 @@ "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -57,7 +61,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -69,7 +74,8 @@ "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -81,7 +87,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined" + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", @@ -105,7 +113,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -129,7 +139,8 @@ "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", @@ -141,6 +152,7 @@ "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", "searchValue": "", "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", - "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails" + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json index 42a0f5f17f7..f7c1a361ed3 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -21,7 +22,8 @@ "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -57,7 +61,8 @@ "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", "searchValue": "", "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", - "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'" + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json index f241bbe6444..1af4cf6eb5b 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty" + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -45,7 +48,8 @@ "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", - "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty" + "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'resources.name=sample/databases/default.state' is not enabled" + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'resources.name=sample/databases/default.state' is not enabled" + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{sample/databases/default}}.properties", "searchValue": "", "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'resources.name=sample/databases/default.state' is not enabled" + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", "searchValue": "", "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", - "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled" + "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{sample/default}}", "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name={{sample/default}}", "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -141,7 +152,8 @@ "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", "searchValue": "", "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", - "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty" + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{sampleServer/default}}.properties", "searchValue": "", "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", - "actualValue": "'resources.name=sampleServer/default.state' is not enabled" + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -165,7 +178,8 @@ "searchKey": "resources.name={{sampleServer/default}}.properties", "searchValue": "", "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", - "actualValue": "'resources.name=sampleServer/default.state' is not enabled" + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.name={{sample}}", "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", @@ -189,6 +204,7 @@ "searchKey": "resources.name={{sample}}", "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json index 7d9e8085827..7a54722eb35 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -21,7 +22,8 @@ "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -33,7 +35,8 @@ "searchKey": "resources.resources.resources.name={{default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -45,7 +48,8 @@ "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -57,7 +61,8 @@ "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 50" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -81,7 +87,8 @@ "searchKey": "resources.resources.resources.name={{default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -105,7 +113,8 @@ "searchKey": "resources.resources.name={{default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' property value is 89" + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -129,7 +139,8 @@ "searchKey": "resources.resources.name={{default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -141,7 +152,8 @@ "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -153,7 +165,8 @@ "searchKey": "resources.resources.resources.name={{default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", @@ -165,6 +178,7 @@ "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", "searchValue": "", "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", - "actualValue": "'auditingSettings.properties.retentionDays' is missing" + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index 74e5eb8f1a6..a38c5914b43 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -21,7 +22,8 @@ "searchKey": "resources.resources.name=sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -33,7 +35,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -45,7 +48,8 @@ "searchKey": "resources.resources.name=sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -57,7 +61,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -69,7 +74,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -81,7 +87,8 @@ "searchKey": "resources.name=sqlServer1/sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -93,7 +100,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -105,7 +113,8 @@ "searchKey": "resources.resources.name=sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -117,7 +126,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -129,7 +139,8 @@ "searchKey": "resources.name=sqlServer1/sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -141,7 +152,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -153,7 +165,8 @@ "searchKey": "resources.resources.name=sqlDatabase1", "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -165,7 +178,8 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", @@ -177,6 +191,7 @@ "searchKey": "resources.name=sqlServer1", "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", - "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource" + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json index 00ffa26b884..6c1acf26ad2 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", @@ -21,7 +22,8 @@ "searchKey": "resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", @@ -33,7 +35,8 @@ "searchKey": "resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", @@ -45,7 +48,8 @@ "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' property value is set to Free" + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", @@ -57,7 +61,8 @@ "searchKey": "resources.name=VirtualMachines.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' parameter default value is set to Free" + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", @@ -69,6 +74,7 @@ "searchKey": "resources.name=VirtualMachines.properties.pricingTier", "searchValue": "", "expectedValue": "'pricingTier' should be set to standard", - "actualValue": "'pricingTier' parameter default value is set to Free" + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json index 4fbf46225fc..63732bbd2fb 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -21,7 +22,8 @@ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -33,7 +35,8 @@ "searchKey": "resources.name=storageaccount1Positive2.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Default Network Access", @@ -45,7 +48,8 @@ "searchKey": "resources.name=storageaccount1Positive2.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Default Network Access", @@ -57,7 +61,8 @@ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -69,7 +74,8 @@ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -81,7 +87,8 @@ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -105,7 +113,8 @@ "searchKey": "resources.name=storageaccount1Positive2.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Default Network Access", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Default Network Access", @@ -129,7 +139,8 @@ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Default Network Access", @@ -141,6 +152,7 @@ "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json index 728aef5f4b0..ae99734acb4 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -21,7 +22,8 @@ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{storageaccount1Positive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{storageaccount1Positive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{storageaccount1Positive3}}properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{storageaccount1Positive3}}properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -81,7 +87,8 @@ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{storageaccount1Positive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{storageaccount1Positive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{storageaccount1Positive3}}properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Allows Unsecure Transfer", @@ -141,6 +152,7 @@ "searchKey": "resources.name={{storageaccount1Positive3}}properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json index 3951d5f0122..345c5eb1152 100644 --- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -21,7 +22,8 @@ "searchKey": "resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -33,7 +35,8 @@ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -45,7 +48,8 @@ "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -57,7 +61,8 @@ "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -69,7 +74,8 @@ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -81,7 +87,8 @@ "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -105,7 +113,8 @@ "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Blob Service Container With Public Access", @@ -117,6 +126,7 @@ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", "searchValue": "", "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", - "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'" + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index 68c473a472b..db4a16bb087 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -93,7 +100,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -117,7 +126,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -141,7 +152,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -165,7 +178,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -177,7 +191,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -189,7 +204,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -201,7 +217,8 @@ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -213,7 +230,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -225,7 +243,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -237,7 +256,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -249,7 +269,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -261,7 +282,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -273,7 +295,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -285,7 +308,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -297,7 +321,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -309,7 +334,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -321,7 +347,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -333,7 +360,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", - "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method" + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -345,7 +373,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -357,7 +386,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -369,7 +399,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -381,7 +412,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -393,7 +425,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -405,7 +438,8 @@ "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -417,7 +451,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", "searchValue": "StorageDelete", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -429,7 +464,8 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", "searchValue": "StorageRead", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -441,6 +477,7 @@ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", "searchValue": "StorageWrite", "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", - "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method" + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index e07edf10b93..15646be49ca 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=storage.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name=positive5.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -117,7 +126,8 @@ "searchKey": "resources.name=positive5.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name=positive6", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -141,7 +152,8 @@ "searchKey": "resources.name=positive6", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name=positive7.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -165,6 +178,7 @@ "searchKey": "resources.name=positive7.properties.networkAcls", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", - "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled" + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json index 7b31659016c..c812745a0fa 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -21,7 +22,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -33,7 +35,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -45,7 +48,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -57,7 +61,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -69,7 +74,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -81,7 +87,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -105,7 +113,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -117,7 +126,8 @@ "searchKey": "resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -129,7 +139,8 @@ "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", @@ -141,6 +152,7 @@ "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", - "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365" + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json index 703589ab7be..ed40f9ff810 100644 --- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -93,7 +100,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -141,7 +152,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -165,7 +178,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -177,7 +191,8 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -189,7 +204,8 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -201,7 +217,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -213,7 +230,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -225,7 +243,8 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -237,7 +256,8 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -249,7 +269,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -261,7 +282,8 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -273,7 +295,8 @@ "searchKey": "resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", @@ -285,6 +308,7 @@ "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", - "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined" + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json index 85cf5d55ca1..8211cb230e0 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", @@ -21,7 +22,8 @@ "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", @@ -33,7 +35,8 @@ "searchKey": "resources.name=App.properties", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -45,7 +48,8 @@ "searchKey": "properties.template.resources.name=App.properties", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -57,7 +61,8 @@ "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", - "actualValue": "'minTlsVersion' is not 1.2 or 1.3" + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", @@ -81,7 +87,8 @@ "searchKey": "resources.name=App.properties.siteConfig", "searchValue": "", "expectedValue": "'minTlsVersion' should be defined", - "actualValue": "'minTlsVersion' is undefined" + "actualValue": "'minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name=App.properties.siteConfig", "searchValue": "", "expectedValue": "'minTlsVersion' should be defined", - "actualValue": "'minTlsVersion' is undefined" + "actualValue": "'minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -105,7 +113,8 @@ "searchKey": "resources.resources.name=web.properties.minTlsVersion", "searchValue": "", "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", - "actualValue": "'minTlsVersion' is defined to '1.1'" + "actualValue": "'minTlsVersion' is defined to '1.1'", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", @@ -117,7 +126,8 @@ "searchKey": "resources.name=meuAppService.properties", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -129,7 +139,8 @@ "searchKey": "resources.resources.name=web.properties", "searchValue": "", "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", - "actualValue": "'minTlsVersion' is not defined" + "actualValue": "'minTlsVersion' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", @@ -141,6 +152,7 @@ "searchKey": "resources.name=meuAppService.properties", "searchValue": "", "expectedValue": "'siteConfig.minTlsVersion' should be defined", - "actualValue": "'siteConfig.minTlsVersion' is undefined" + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index ca68701cb4b..8d0c4f93526 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{webSitePositive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{webSitePositive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{webSitePositive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{webSitePositive2}}", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", @@ -117,7 +126,8 @@ "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -141,7 +152,8 @@ "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", @@ -153,7 +165,8 @@ "searchKey": "resources.name={{webSitePositive7}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", @@ -165,6 +178,7 @@ "searchKey": "resources.name={{webSitePositive7}}.identity", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json index 72f5e4f6a36..e76eb5a8f1e 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", @@ -93,6 +100,7 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index af841d00cf4..6c2122f3df8 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -69,7 +74,8 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -117,7 +126,8 @@ "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{[parameters('siteName')]}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -141,6 +152,7 @@ "searchKey": "resources.name={{[parameters('siteName')]}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json index baf98a02398..94a00940568 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{webSite}}.properties.siteConfig", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{webSite}}.properties.siteConfig", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -93,7 +100,8 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -105,7 +113,8 @@ "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -117,7 +126,8 @@ "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -129,7 +139,8 @@ "searchKey": "resources.name={{webSite}}.properties.siteConfig", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", @@ -141,6 +152,7 @@ "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", - "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig" + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json index 8bc63902839..e2601f563c9 100644 --- a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "from[{{fedora}}].{{buildah run ${c} apt install python3-setuptools -y}}", "searchValue": "", "expectedValue": "RUN instructions should not use the 'apt' program", - "actualValue": "RUN instruction is invoking the 'apt' program" + "actualValue": "RUN instruction is invoking the 'apt' program", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index 98d01b9005a..398e24e3cb2 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", "searchValue": "github.event.issue.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -21,7 +22,8 @@ "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", "searchValue": "github.event.issue.title", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -33,7 +35,8 @@ "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", "searchValue": "github.event.pull_request.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -45,7 +48,8 @@ "searchKey": "run={{echo \"Issue Comment Body: ${{ github.event.comment.body }}\"\n}}", "searchValue": "github.event.comment.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -57,7 +61,8 @@ "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", "searchValue": "github.event.discussion.title", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -69,7 +74,8 @@ "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", "searchValue": "github.event.comment.body", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -81,7 +87,8 @@ "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", "searchValue": "github.*.authors.name", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", @@ -93,6 +100,7 @@ "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", "searchValue": "github.event.workflow.path", "expectedValue": "Run block does not contain dangerous input controlled by user.", - "actualValue": "Run block contains dangerous input controlled by user." + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index 0140288f71d..044beb409ee 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.issue.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -21,7 +22,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.pull_request.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -33,7 +35,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.issue.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -45,7 +48,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.discussion.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -57,7 +61,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.discussion.title", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -69,7 +74,8 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.event.workflow.path", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Script Block Injection", @@ -81,6 +87,7 @@ "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", "searchValue": "github.*.authors.name", "expectedValue": "Script block does not contain dangerous input controlled by user.", - "actualValue": "Script block contains dangerous input controlled by user." + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json index 3de30fa0f97..b626a5eb747 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "uses={{thollander/actions-comment-pull-request@v2}}", "searchValue": "", "expectedValue": "Action pinned to a full length commit SHA.", - "actualValue": "Action is not pinned to a full length commit SHA." + "actualValue": "Action is not pinned to a full length commit SHA.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index 1929b9f5c5d..efd604c5d30 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "env.actions_allow_unsecure_commands={{true}}", "searchValue": "", "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", - "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue" }, { "queryName": "Unsecured Commands", @@ -21,7 +22,8 @@ "searchKey": "env.actions_allow_unsecure_commands={{true}}", "searchValue": "", "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", - "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue" }, { "queryName": "Unsecured Commands", @@ -33,6 +35,7 @@ "searchKey": "env.actions_allow_unsecure_commands={{true}}", "searchValue": "", "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", - "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true." + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json index c61c2a006e1..26c18e5fab5 100644 --- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", "searchValue": "", "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", - "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days)." + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).", + "issueType": "IncorrectValue" }, { "queryName": "High Access Key Rotation Period", @@ -21,6 +22,7 @@ "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", "searchValue": "", "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", - "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days)." + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 3f3382b68b2..bb64784ba3d 100644 --- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer22", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLoadBalancerV2", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancerV2' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancerV2' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "actualValue": "'Resources.MyLoadBalancerV2' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer22222222", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyLoadBalancerV22222", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", - "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated" + "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json index 984f1ca02ac..630bb17e82e 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -21,7 +22,8 @@ "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -45,7 +48,8 @@ "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -57,6 +61,7 @@ "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", "searchValue": "", "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", - "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'" + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json index 45b0591895e..ad3e06cf175 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", "searchValue": "", "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", - "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'" + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" }, { "queryName": "Alexa Skill Plaintext Client Secret Exposed", @@ -21,6 +22,7 @@ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", "searchValue": "", "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", - "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'" + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 59b0693b152..8920107f467 100644 --- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", - "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true" + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true", + "issueType": "IncorrectValue" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "Resources.ReplicationInstance.Properties", "searchValue": "", "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", - "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is not defined" + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", - "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true" + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index dec89770740..28e494cc5cf 100644 --- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", "searchValue": "", "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", - "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined" + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined", + "issueType": "MissingAttribute" }, { "queryName": "AmazonMQ Broker Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", "searchValue": "", "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", - "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined" + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json index 927e9aff1b6..acc420ed1b3 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp.Properties.AccessToken", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentAccessToken.Default", "searchValue": "", "expectedValue": "Parameters.ParentAccessToken.Default should be defined", - "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined" + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewApp.Properties.AccessToken", "searchValue": "", "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewAmpApp.Properties.AccessToken", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", @@ -57,7 +61,8 @@ "searchKey": "Parameters.ParentAccessToken.Default", "searchValue": "", "expectedValue": "Parameters.ParentAccessToken.Default should be defined", - "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined" + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewApp.Properties.AccessToken", "searchValue": "", "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", - "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json index 82e41fec3ae..5ab8145cc3f 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", @@ -45,7 +48,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", @@ -57,7 +61,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Basic Auth Config Password Exposed", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json index 4f81cfa1f5d..2772e06e9ac 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App OAuth Token Exposed", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App OAuth Token Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App OAuth Token Exposed", @@ -45,6 +48,7 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json index b74279ee57e..1fb5258084e 100644 --- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", @@ -45,7 +48,8 @@ "searchKey": "Parameters.ParentPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentPassword.Default should be defined", - "actualValue": "Parameters.ParentPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", @@ -57,7 +61,8 @@ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index ac641fcf69a..694edebdd8b 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyStage.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null" + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -33,7 +35,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "MethodSettings", "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -45,7 +48,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null" + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel", "searchValue": "", "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF" + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -69,7 +74,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "DefaultRouteSettings", "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -81,7 +87,8 @@ "searchKey": "Resources.Prod.Properties.DefaultRouteSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -93,7 +100,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings.LoggingLevel", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel is OFF" + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -105,7 +113,8 @@ "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel", "searchValue": "", "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF" + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -117,7 +126,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "AccessLogSetting", "expectedValue": "'AccessLogSetting' should be defined", - "actualValue": "'AccessLogSetting' is not defined" + "actualValue": "'AccessLogSetting' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -129,7 +139,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "AccessLogSettings", "expectedValue": "'AccessLogSettings' should be defined", - "actualValue": "'AccessLogSettings' is not defined" + "actualValue": "'AccessLogSettings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -141,7 +152,8 @@ "searchKey": "Resources.MyStage.Properties", "searchValue": "DefaultRouteSettings", "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null" + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -153,7 +165,8 @@ "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel", "searchValue": "", "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF" + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -165,7 +178,8 @@ "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings", "searchValue": "", "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", - "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null" + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -177,7 +191,8 @@ "searchKey": "Resources.MyStage.Properties", "searchValue": "AccessLogSettings", "expectedValue": "'AccessLogSettings' should be defined", - "actualValue": "'AccessLogSettings' is not defined" + "actualValue": "'AccessLogSettings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -189,7 +204,8 @@ "searchKey": "Resources.MyStage.Properties", "searchValue": "AccessLogSetting", "expectedValue": "'AccessLogSetting' should be defined", - "actualValue": "'AccessLogSetting' is not defined" + "actualValue": "'AccessLogSetting' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -201,7 +217,8 @@ "searchKey": "Resources.MyStage.Properties", "searchValue": "MethodSettings", "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null", - "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null" + "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -213,7 +230,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "MethodSettings", "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null" + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", @@ -225,6 +243,7 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "DefaultRouteSettings", "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", - "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null" + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json index f31f23cc8a4..747e281a18e 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ProdPos1.Properties", "searchValue": "", "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", - "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Cache Cluster Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Cluster Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.ProdPos1.Properties", "searchValue": "", "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", - "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null" + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Cache Cluster Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Cluster Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Cluster Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json index 101b648a8c0..2a494cb27e2 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Deployment.Properties.StageDescription", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Cache Encrypted Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.Deployment.Properties.StageDescription", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Cache Encrypted Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Encrypted Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Encrypted Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Cache Encrypted Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", "searchValue": "", "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", - "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false" + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index 59ff2afcab3..6ff9c9c2d85 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", "searchValue": "", "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", - "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -21,7 +22,8 @@ "searchKey": "Resources.ApiDeployment1", "searchValue": "", "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", - "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -33,7 +35,8 @@ "searchKey": "Resources.ApiDeployment2", "searchValue": "", "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", - "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -45,7 +48,8 @@ "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", "searchValue": "", "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", - "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined" + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -57,7 +61,8 @@ "searchKey": "Resources.ApiDeployment1", "searchValue": "", "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", - "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -69,6 +74,7 @@ "searchKey": "Resources.ApiDeployment2", "searchValue": "", "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", - "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource" + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index f82525381a6..cd7f3ea6269 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Deployment", "searchValue": "", "expectedValue": "Resources.Deployment should have UsagePlan defined", - "actualValue": "Resources.Deployment doesn't have UsagePlan defined" + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -21,7 +22,8 @@ "searchKey": "Resources.Deployment1", "searchValue": "", "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", - "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -33,7 +35,8 @@ "searchKey": "Resources.Deployment2", "searchValue": "", "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", - "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -45,7 +48,8 @@ "searchKey": "Resources.Deployment", "searchValue": "", "expectedValue": "Resources.Deployment should have UsagePlan defined", - "actualValue": "Resources.Deployment doesn't have UsagePlan defined" + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -57,7 +61,8 @@ "searchKey": "Resources.Deployment1", "searchValue": "", "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", - "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource" + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -69,6 +74,7 @@ "searchKey": "Resources.Deployment2", "searchValue": "", "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", - "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource" + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index cd5a661bd4a..fefed42415f 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRestApi.Properties", "searchValue": "", "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", - "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined" + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Endpoint Config is Not Private", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", "searchValue": "", "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", - "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'" + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Endpoint Config is Not Private", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRestApi.Properties", "searchValue": "", "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", - "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined" + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Endpoint Config is Not Private", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", "searchValue": "", "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", - "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'" + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 4f7870838dc..72a94c5e2e3 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -21,7 +22,8 @@ "searchKey": "Resources.MockMethod1.Properties", "searchValue": "", "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", - "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -33,7 +35,8 @@ "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -45,7 +48,8 @@ "searchKey": "Resources.MockMethod1.Properties", "searchValue": "", "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", - "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined" + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -57,7 +61,8 @@ "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -69,6 +74,7 @@ "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", - "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false" + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 69a68104eb7..1beac9d582d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Prod", "searchValue": "", "expectedValue": "Resources.Prod should have UsagePlan defined", - "actualValue": "Resources.Prod doesn't have UsagePlan defined" + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -21,7 +22,8 @@ "searchKey": "Resources.Prod1", "searchValue": "", "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", - "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource" + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -33,7 +35,8 @@ "searchKey": "Resources.Prod2", "searchValue": "", "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", - "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -45,7 +48,8 @@ "searchKey": "Resources.Prod", "searchValue": "", "expectedValue": "Resources.Prod should have UsagePlan defined", - "actualValue": "Resources.Prod doesn't have UsagePlan defined" + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -57,7 +61,8 @@ "searchKey": "Resources.Prod1", "searchValue": "", "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", - "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource" + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -69,6 +74,7 @@ "searchKey": "Resources.Prod2", "searchValue": "", "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", - "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource" + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 3864f36cf25..64dc2af3645 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0" + "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", @@ -21,7 +22,8 @@ "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759" + "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", @@ -33,7 +35,8 @@ "searchKey": "Resources.RestApi5.Properties", "searchValue": "", "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", - "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined" + "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With Invalid Compression", @@ -45,7 +48,8 @@ "searchKey": "Resources.RestApi6.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0" + "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", @@ -57,7 +61,8 @@ "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759" + "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", @@ -69,6 +74,7 @@ "searchKey": "Resources.RestApi8.Properties", "searchValue": "", "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", - "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined" + "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json index 020d5d534b0..228fbc44785 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MockMethod.Properties", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS", - "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS" + "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Open Access", @@ -21,6 +22,7 @@ "searchKey": "Resources.MockMethod.Properties", "searchValue": "", "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS", - "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS" + "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index e77a395c446..9d0f2318235 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DevWebSocket", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -21,7 +22,8 @@ "searchKey": "Resources.DevWebSocket5", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRestApi6", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyRestApi7", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -57,7 +61,8 @@ "searchKey": "Resources.DevWebSocket8", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -69,7 +74,8 @@ "searchKey": "Resources.DevWebSocket9", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyRestApi10", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", @@ -93,6 +100,7 @@ "searchKey": "Resources.MyRestApi11", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json index 16515bf8e22..1d14375b515 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", "searchValue": "", "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", - "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Security Policy", @@ -21,7 +22,8 @@ "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", "searchValue": "", "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", - "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Without Security Policy", @@ -33,7 +35,8 @@ "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", "searchValue": "", "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", - "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2" + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Security Policy", @@ -45,6 +48,7 @@ "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", "searchValue": "", "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", - "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined" + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index c89f9f88d5a..9a39af39bd9 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ProdApiGatewayStagePos.Properties", "searchValue": "", "expectedValue": "Resources.ProdApiGatewayStagePos.Properties should have ClientCertificateId defined", - "actualValue": "Resources.ProdApiGatewayStagePos.Properties doesn't have ClientCertificateId defined" + "actualValue": "Resources.ProdApiGatewayStagePos.Properties doesn't have ClientCertificateId defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Without SSL Certificate", @@ -21,6 +22,7 @@ "searchKey": "Resources.ProdApiGatewayStagePos2.Properties", "searchValue": "", "expectedValue": "Resources.ProdApiGatewayStagePos2.Properties should have ClientCertificateId defined", - "actualValue": "Resources.ProdApiGatewayStagePos2.Properties doesn't have ClientCertificateId defined" + "actualValue": "Resources.ProdApiGatewayStagePos2.Properties doesn't have ClientCertificateId defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json index 43cae870810..647f4ca2a54 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Prod.Properties.StageName", "searchValue": "", "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", - "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway without WAF", @@ -21,6 +22,7 @@ "searchKey": "Resources.Prod.Properties.StageName", "searchValue": "", "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", - "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 61d36d32640..b31be0e31cb 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ProdPos3.Properties.TracingEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos3.Properties.TracingEnabled should be true", - "actualValue": "Resources.ProdPos3.Properties.TracingEnabled is false" + "actualValue": "Resources.ProdPos3.Properties.TracingEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ProdPos4.Properties", "searchValue": "", "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", - "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined" + "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway X-Ray Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.ProdPos1.Properties.TracingEnabled", "searchValue": "", "expectedValue": "Resources.ProdPos1.Properties.TracingEnabled should be true", - "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false" + "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.ProdPos2.Properties", "searchValue": "", "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", - "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined" + "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 39431e3c14b..359d22060c4 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myASG.Properties", "searchValue": "", "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", - "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined" + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -21,7 +22,8 @@ "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", "searchValue": "", "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", - "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty" + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -33,7 +35,8 @@ "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", "searchValue": "", "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", - "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -45,7 +48,8 @@ "searchKey": "Resources.myASG.Properties", "searchValue": "", "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", - "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined" + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -57,7 +61,8 @@ "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", "searchValue": "", "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", - "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty" + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -69,6 +74,7 @@ "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", "searchValue": "", "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", - "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty" + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index eb9b7615f63..93e627b36bc 100644 --- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", - "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", "searchValue": "", "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", - "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", - "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", "searchValue": "", "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", - "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", - "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", "searchValue": "", "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", - "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", - "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined" + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -93,6 +100,7 @@ "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", "searchValue": "", "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", - "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false" + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index dfce37ebfcd..b4e3278d547 100644 --- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", "searchValue": "", "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", - "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", @@ -21,7 +22,8 @@ "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", "searchValue": "", "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", - "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", @@ -33,7 +35,8 @@ "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", "searchValue": "", "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", - "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", @@ -45,6 +48,7 @@ "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", "searchValue": "", "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", - "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true" + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 4ae375766ef..8077cb67c2e 100644 --- a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -93,7 +100,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -105,7 +113,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -117,7 +126,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -129,7 +139,8 @@ "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -141,6 +152,7 @@ "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", "searchValue": "", "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", - "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'" + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json index fe1da191862..c16b62e99af 100644 --- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", @@ -21,7 +22,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue" }, { "queryName": "CDN Configuration Is Missing", @@ -33,7 +35,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", @@ -45,6 +48,7 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json index 46abfa03290..42e53eda972 100644 --- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", "searchValue": "", "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", - "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists" + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", @@ -21,7 +22,8 @@ "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", "searchValue": "", "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", - "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists" + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", @@ -33,7 +35,8 @@ "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", "searchValue": "", "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", - "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists" + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", @@ -45,7 +48,8 @@ "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", "searchValue": "", "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", - "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists" + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", @@ -57,7 +61,8 @@ "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", "searchValue": "", "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", - "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists" + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", @@ -69,6 +74,7 @@ "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", "searchValue": "", "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", - "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists" + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 1ff00352ec4..251b50fbdd4 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDistribution1.Properties", "searchValue": "", "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", - "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined" + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", "searchValue": "", "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", - "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain" + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myDistribution1.Properties", "searchValue": "", "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", - "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined" + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", "searchValue": "", "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", - "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain" + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index f4ad7596183..2e3286f29b8 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -21,7 +22,8 @@ "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -33,7 +35,8 @@ "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'" + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -45,6 +48,7 @@ "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'" + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 23a5274a018..f768dfdfc38 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", - "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016" + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -21,7 +22,8 @@ "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", - "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined" + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -33,7 +35,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", - "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016" + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -45,6 +48,7 @@ "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", - "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined" + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json index 28f1f1eef10..6ad894b0192 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", - "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without WAF", @@ -21,7 +22,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", - "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined" + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without WAF", @@ -33,7 +35,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", "searchValue": "", "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", - "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without WAF", @@ -45,6 +48,7 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", "searchValue": "", "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", - "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value" + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 5f57327df50..05e2ccfc9ce 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", - "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", - "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", - "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", - "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", - "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", - "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", - "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing" + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -93,6 +100,7 @@ "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", - "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true" + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index a3bb0c590df..34c2b2eaff4 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", - "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", - "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", @@ -33,6 +35,7 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", - "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null" + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index fc305e03afc..ac7303c07d0 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail3.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail3.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail3.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail3.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail4.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail4.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myTrail5.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.myTrail6.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail6.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.myTrail.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.myTrail5.Properties.IsLogging", "searchValue": "", "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", - "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false" + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index 00832068b3a..b60f47ec0d6 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", - "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail2.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", - "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing" + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", - "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.myTrail2.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", - "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing" + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", "searchValue": "", "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", - "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true" + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index dc2787298b1..50de33de32f 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsLogGroupArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsRoleArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -33,7 +35,8 @@ "searchKey": "Resources.myTrail2.Properties", "searchValue": "CloudWatchLogsLogGroupArn", "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", - "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared" + "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -45,7 +48,8 @@ "searchKey": "Resources.myTrail3.Properties", "searchValue": "CloudWatchLogsRoleArn", "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", - "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared" + "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -57,7 +61,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsLogGroupArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -69,7 +74,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsRoleArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -81,7 +87,8 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsLogGroupArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -93,6 +100,7 @@ "searchKey": "Resources.myTrail.Properties", "searchValue": "CloudWatchLogsRoleArn", "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", - "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared" + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index 28fe51ce3c7..1f47d82e375 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myTrail3.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", - "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined" + "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", @@ -21,7 +22,8 @@ "searchKey": "Resources.myTrail4.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail4.Properties.SnsTopicName' should be set", - "actualValue": "'Resources.myTrail4.Properties.SnsTopicName' is undefined" + "actualValue": "'Resources.myTrail4.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", @@ -33,7 +35,8 @@ "searchKey": "Resources.myTrail5.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail5.Properties.SnsTopicName' should be set", - "actualValue": "'Resources.myTrail5.Properties.SnsTopicName' is undefined" + "actualValue": "'Resources.myTrail5.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", @@ -45,6 +48,7 @@ "searchKey": "Resources.myTrail6.Properties", "searchValue": "", "expectedValue": "'Resources.myTrail6.Properties.SnsTopicName' should be set", - "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined" + "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index fd3af61be94..05bbf33bad1 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.HostedZone3.Properties", "searchValue": "", "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set", - "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined" + "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.HostedZone4.Properties", "searchValue": "", "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set", - "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined" + "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index e0b6996a2ca..89476453db0 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false" + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is undefined" + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false" + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", - "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", - "actualValue": "Resources.Prod.Properties.MethodSettings is undefined" + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false" + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", @@ -93,6 +100,7 @@ "searchKey": "Resources.Prod.Properties.MethodSettings", "searchValue": "", "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", - "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined" + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json index 1e9096d45cc..43b8a0201f8 100644 --- a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myKey.Properties.Enabled", "searchValue": "", "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", - "actualValue": "'Resources.myKey.Properties.Enabled' is false" + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", @@ -21,7 +22,8 @@ "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", - "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", @@ -33,7 +35,8 @@ "searchKey": "Resources.myKey.Properties.Enabled", "searchValue": "", "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", - "actualValue": "'Resources.myKey.Properties.Enabled' is false" + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", @@ -45,7 +48,8 @@ "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", - "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined" + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", @@ -57,6 +61,7 @@ "searchKey": "Resources.myKey.Properties.Enabled", "searchValue": "", "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", - "actualValue": "'Resources.myKey.Properties.Enabled' is false" + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json index 66b90556a83..dca9e8c299b 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myKey.Properties", "searchValue": "", "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", - "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", - "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myKey.Properties", "searchValue": "", "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", - "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null" + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", - "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", - "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false" + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json index e24a2171ffc..e9a9dfd7d04 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", @@ -21,7 +22,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", @@ -33,7 +35,8 @@ "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", - "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Unencrypted Storage", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", @@ -57,7 +61,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", @@ -69,7 +74,8 @@ "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", - "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false" + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Unencrypted Storage", @@ -81,7 +87,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", - "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", @@ -93,6 +100,7 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", - "actualValue": "Resources.myCluster.Properties.Encrypted is undefined" + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json index 3e13b6d1c2d..ea0d1f87ebb 100644 --- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.CodeBuildProject.Project.Properties", "searchValue": "", "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", - "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null" + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CodeBuild Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "Resources.CodeBuildProject.Project.Properties", "searchValue": "", "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", - "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null" + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index 029e9480f63..b1f1a739f2d 100644 --- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", "searchValue": "", "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", - "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF" + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "Cognito UserPool Without MFA", @@ -21,7 +22,8 @@ "searchKey": "Resources.UserPool4.Properties", "searchValue": "", "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", - "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined" + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cognito UserPool Without MFA", @@ -33,7 +35,8 @@ "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", "searchValue": "", "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", - "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF" + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "Cognito UserPool Without MFA", @@ -45,6 +48,7 @@ "searchKey": "Resources.UserPool4.Properties", "searchValue": "", "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", - "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined" + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index be334d14312..7f607b4f463 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", - "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" + "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", - "actualValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" + "actualValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", - "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false" + "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", - "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions" + "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", - "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined" + "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is true", - "actualValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is false" + "actualValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -105,6 +113,7 @@ "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", "searchValue": "", "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", - "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false" + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json index 215d1b9f51b..06bfe0e4898 100644 --- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ConfigRule", "searchValue": "", "expectedValue": "There should be a ConfigRule for encrypted volumes.", - "actualValue": "There isn't a ConfigRule for encrypted volumes." + "actualValue": "There isn't a ConfigRule for encrypted volumes.", + "issueType": "MissingAttribute" }, { "queryName": "Config Rule For Encrypted Volumes Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.ConfigRule", "searchValue": "", "expectedValue": "There should be a ConfigRule for encrypted volumes.", - "actualValue": "There isn't a ConfigRule for encrypted volumes." + "actualValue": "There isn't a ConfigRule for encrypted volumes.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json index fce5cd6803f..4638d69a281 100644 --- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", @@ -45,6 +48,7 @@ "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", - "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'" + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index f7d2db12437..a19bcdbd730 100644 --- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -21,7 +22,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -33,7 +35,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -45,7 +48,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -57,7 +61,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -69,6 +74,7 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index 3744e0ca828..432d3b71012 100644 --- a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "Resources.daxCluster.Properties", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", - "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", @@ -57,7 +61,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", @@ -69,7 +74,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", @@ -81,7 +87,8 @@ "searchKey": "Resources.daxCluster.Properties.SSESpecification", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", - "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled." + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", @@ -93,6 +100,7 @@ "searchKey": "Resources.daxCluster.Properties", "searchValue": "", "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", - "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification." + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index e8cf5aa9ede..f851558a8f3 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -21,7 +22,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -33,7 +35,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", "searchValue": "", "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", - "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts." + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -57,7 +61,8 @@ "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", "searchValue": "", "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", - "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts." + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -69,7 +74,8 @@ "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", "searchValue": "", "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", - "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts." + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -81,7 +87,8 @@ "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts." + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -93,7 +100,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -105,7 +113,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -117,7 +126,8 @@ "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", "searchValue": "", "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", - "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts." + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -129,7 +139,8 @@ "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", "searchValue": "", "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", - "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts." + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", @@ -141,6 +152,7 @@ "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", "searchValue": "", "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", - "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts." + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json index e1f54cfd10b..a8522ffe940 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -21,7 +22,8 @@ "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -33,7 +35,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -45,7 +48,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -57,7 +61,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' is '0.0.0.0/0'." + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -69,7 +74,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -81,7 +87,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -93,7 +100,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -105,7 +113,8 @@ "searchKey": "Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -117,7 +126,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'." + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -129,7 +139,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'." + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -141,7 +152,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'." + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -153,7 +165,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6", "searchValue": "", "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", - "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'." + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -165,7 +178,8 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", @@ -177,6 +191,7 @@ "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", "searchValue": "", "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", - "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'." + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json index a3ed2b754f5..556821a1290 100644 --- a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", - "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Default KMS Key Usage", @@ -21,7 +22,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", - "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Default KMS Key Usage", @@ -33,6 +35,7 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", - "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined" + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index beea9441d72..030ab417d75 100644 --- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -21,7 +22,8 @@ "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -45,7 +48,8 @@ "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -57,7 +61,8 @@ "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -69,7 +74,8 @@ "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'." + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -81,7 +87,8 @@ "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -93,6 +100,7 @@ "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", "searchValue": "", "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", - "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set." + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json index 3fcea4e4d1e..e2761f7bd43 100644 --- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp-2.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", - "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string" + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", @@ -21,7 +22,8 @@ "searchKey": "Resources.NewAmpApp.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", - "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", @@ -33,7 +35,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", - "actualValue": "Parameters.ParentMasterPassword.Default is defined" + "actualValue": "Parameters.ParentMasterPassword.Default is defined", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewAmpApp-2.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", - "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string" + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", @@ -57,7 +61,8 @@ "searchKey": "Resources.NewAmpApp.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", - "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string" + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", @@ -69,6 +74,7 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", - "actualValue": "Parameters.ParentMasterPassword.Default is defined" + "actualValue": "Parameters.ParentMasterPassword.Default is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json index 08e0bfeb960..cc1e869c1d4 100644 --- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp4.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Simple AD Password Exposed", @@ -21,7 +22,8 @@ "searchKey": "Resources.NewAmpApp5.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Simple AD Password Exposed", @@ -33,7 +35,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Simple AD Password Exposed", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewAmpApp4.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Simple AD Password Exposed", @@ -57,7 +61,8 @@ "searchKey": "Resources.NewAmpApp5.Properties.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Directory Service Simple AD Password Exposed", @@ -69,6 +74,7 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json index 8b02e936564..e52a9146a43 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Parameters.MasterMongoDBPassword.Default", "searchValue": "", "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", - "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined" + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", @@ -21,7 +22,8 @@ "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", @@ -45,7 +48,8 @@ "searchKey": "Parameters.MasterMongoDBPassword.Default", "searchValue": "", "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", - "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined" + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", @@ -57,7 +61,8 @@ "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", "searchValue": "", "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", - "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json index cfee8f79cfc..fead76ad193 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DMSEndpoint4.Properties.Password", "searchValue": "", "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", - "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint Password Exposed", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint Password Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.DMSEndpoint6.Properties.Password", "searchValue": "", "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", - "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint Password Exposed", @@ -45,7 +48,8 @@ "searchKey": "Resources.DMSEndpoint4.Properties.Password", "searchValue": "", "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", - "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint Password Exposed", @@ -57,7 +61,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DMS Endpoint Password Exposed", @@ -69,6 +74,7 @@ "searchKey": "Resources.DMSEndpoint6.Properties.Password", "searchValue": "", "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", - "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json index 46ea576b6fd..23a323d6676 100644 --- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Cluster Master Password In Plaintext", @@ -21,7 +22,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Cluster Master Password In Plaintext", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", "searchValue": "", "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Cluster Master Password In Plaintext", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", "searchValue": "", "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Cluster Master Password In Plaintext", @@ -57,7 +61,8 @@ "searchKey": "Parameters.ParentMasterPassword.Default", "searchValue": "", "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", - "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined" + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Cluster Master Password In Plaintext", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", "searchValue": "", "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", - "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced" + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json index b69c14604c9..d70ea07d4e7 100644 --- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDocDBCluster.Properties", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: profiler" + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index ec080447be4..098b7d85240 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'" + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB Table Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be set and to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is not set" + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is not set", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled", "searchValue": "", "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'", - "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'" + "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index ec3e6c11705..56e6d90a739 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDynamoDBTable.Properties", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined" + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", - "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification is not defined" + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", - "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined" + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -81,6 +87,7 @@ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", "searchValue": "", "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", - "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'" + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json index 86eb4920e34..eb93f862202 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", - "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -21,7 +22,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", "searchValue": "", "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", - "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -33,7 +35,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", "searchValue": "", "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", - "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -45,7 +48,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", - "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -57,7 +61,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", "searchValue": "", "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", - "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined" + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -69,7 +74,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", "searchValue": "", "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", - "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined" + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", @@ -81,6 +87,7 @@ "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", "searchValue": "", "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", - "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false" + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json index ae79a4b55c6..185780e0414 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", "searchValue": "", "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", - "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'" + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Not Recommended Table Billing Mode", @@ -21,6 +22,7 @@ "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", "searchValue": "", "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", - "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'" + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 4d36edcf29c..9ef17e0a7c6 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewVolume.Properties.Encrypted", "searchValue": "", "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", - "actualValue": "Resources.NewVolume.Properties.Encrypted is false" + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.NewVolume02.Properties", "searchValue": "", "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", - "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewVolume.Properties.Encrypted", "searchValue": "", "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", - "actualValue": "Resources.NewVolume.Properties.Encrypted is false" + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewVolume02.Properties", "searchValue": "", "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", - "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null" + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Encryption Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.NewVolume.Properties.Encrypted", "searchValue": "", "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", - "actualValue": "Resources.NewVolume.Properties.Encrypted is false" + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json index 60b9908e64e..bdf6c6ad336 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "'Resources.NewVolume' should be attached to instances", - "actualValue": "'Resources.NewVolume' is not attached to instances" + "actualValue": "'Resources.NewVolume' is not attached to instances", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Not Attached To Instances", @@ -21,6 +22,7 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "'Resources.NewVolume' should be attached to instances", - "actualValue": "'Resources.NewVolume' is not attached to instances" + "actualValue": "'Resources.NewVolume' is not attached to instances", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json index 3a35f06d9c1..ec4990023d2 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewVolume.Properties", "searchValue": "", "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", - "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined" + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Without KmsKeyId", @@ -21,6 +22,7 @@ "searchKey": "Resources.NewVolume.Properties", "searchValue": "", "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", - "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined" + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json index 483e332580b..b3618f9b926 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NoIAM.Properties", "searchValue": "", "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", - "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -21,7 +22,8 @@ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", "searchValue": "", "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", - "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -33,7 +35,8 @@ "searchKey": "Resources.NoRolesProfile.Properties", "searchValue": "", "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", - "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -45,7 +48,8 @@ "searchKey": "Resources.NoIAM.Properties", "searchValue": "", "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", - "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -57,7 +61,8 @@ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", "searchValue": "", "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", - "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -69,7 +74,8 @@ "searchKey": "Resources.NoRolesProfile.Properties", "searchValue": "", "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", - "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -81,7 +87,8 @@ "searchKey": "Resources.NoIAM.Properties", "searchValue": "", "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", - "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined" + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -93,7 +100,8 @@ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", "searchValue": "", "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", - "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource" + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", @@ -105,6 +113,7 @@ "searchKey": "Resources.NoRolesProfile.Properties", "searchValue": "", "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", - "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined" + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 75739a2a74e..a7a731fb01a 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", - "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'", - "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set" + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", - "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'" + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json index bdcd54bbe58..71a35e67bde 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", "searchValue": "", "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", - "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", @@ -21,7 +22,8 @@ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", "searchValue": "", "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", - "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", @@ -33,6 +35,7 @@ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", "searchValue": "", "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", - "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true" + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 2905eb3b0c0..caae1aa760b 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", - "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group" + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", - "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group" + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index fe1d0130aff..00fe838751b 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DefaultVPC.Properties.SubnetId", "searchValue": "", "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", - "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC" + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default VPC", @@ -21,6 +22,7 @@ "searchKey": "Resources.DefaultVPC.Properties.SubnetId", "searchValue": "", "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", - "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC" + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json index 484501545c1..c69b13e36c3 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InboundRule.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -21,7 +22,8 @@ "searchKey": "Resources.OutboundRule.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -33,7 +35,8 @@ "searchKey": "Resources.InboundRule2.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -45,7 +48,8 @@ "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -57,7 +61,8 @@ "searchKey": "Resources.InboundRule.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -69,7 +74,8 @@ "searchKey": "Resources.OutboundRule.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -81,7 +87,8 @@ "searchKey": "Resources.InboundRule2.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", @@ -93,6 +100,7 @@ "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", "searchValue": "", "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", - "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL" + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json index 699a01f65c1..06f51235b15 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InboundRule.Properties.CidrBlock", "searchValue": "", "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", - "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)" + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Ineffective Denied Traffic", @@ -21,6 +22,7 @@ "searchKey": "Resources.InboundRule.Properties.CidrBlock", "searchValue": "", "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", - "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)" + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json index 55bcca2bc0e..31300335262 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InboundRule.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -21,7 +22,8 @@ "searchKey": "Resources.OutboundRule.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -33,7 +35,8 @@ "searchKey": "Resources.OutboundTests.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -45,7 +48,8 @@ "searchKey": "Resources.InboundTests.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -57,7 +61,8 @@ "searchKey": "Resources.Match.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -69,7 +74,8 @@ "searchKey": "Resources.EqualMatch.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -81,7 +87,8 @@ "searchKey": "Resources.Match.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -93,7 +100,8 @@ "searchKey": "Resources.EqualMatch.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -105,7 +113,8 @@ "searchKey": "Resources.InboundRule.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -117,7 +126,8 @@ "searchKey": "Resources.OutboundRule.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -129,7 +139,8 @@ "searchKey": "Resources.OutboundTests.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", @@ -141,6 +152,7 @@ "searchKey": "Resources.InboundTests.Properties.PortRange", "searchValue": "", "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 68a2a29b9b2..207d0de991a 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true." + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -81,6 +87,7 @@ "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", "searchValue": "", "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", - "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false." + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json index 6ba54453fe2..94c8d1fa2e5 100644 --- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.OutboundRule.Properties.Protocol", "searchValue": "", "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", - "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" + "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Permissive Network ACL Protocols", @@ -21,6 +22,7 @@ "searchKey": "Resources.OutboundRule.Properties.Protocol", "searchValue": "", "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", - "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" + "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json index fc02bee7c68..07a1d5d2d19 100644 --- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mySubnet", "searchValue": "", "expectedValue": "Resources.mySubnet should be a private subnet", - "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic" + "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Public Instance Exposed Through Subnet", @@ -21,6 +22,7 @@ "searchKey": "Resources.mySubnet", "searchValue": "", "expectedValue": "Resources.mySubnet should be a private subnet", - "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic" + "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 1b05477797f..132c97afda8 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:80", "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11215", "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7000", "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -81,7 +87,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:389", "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -93,7 +100,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5500", "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -117,7 +126,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3020", "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -129,7 +139,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:389", "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:61620", "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8080", "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:50470", "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5601", "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -189,7 +204,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11214", "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -201,7 +217,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -213,7 +230,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -225,7 +243,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9200", "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -237,7 +256,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:445", "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -249,7 +269,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -261,7 +282,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5432", "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -273,7 +295,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7001", "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -285,7 +308,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8888", "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -297,7 +321,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7199", "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -309,7 +334,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1521", "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -321,7 +347,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:161", "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -333,7 +360,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:50070", "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -345,7 +373,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4333", "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -357,7 +386,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -369,7 +399,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -381,7 +412,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -393,7 +425,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4506", "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -405,7 +438,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:110", "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -417,7 +451,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:443", "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -429,7 +464,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2483", "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -441,7 +477,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -453,7 +490,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9300", "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -465,7 +503,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11215", "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -477,7 +516,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -489,7 +529,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1522", "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -501,7 +542,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3000", "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -513,7 +555,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:25", "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -525,7 +568,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5985", "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -537,7 +581,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8020", "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -549,7 +594,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4505", "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -561,7 +607,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9000", "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -573,7 +620,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:61621", "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -585,7 +633,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:53", "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -597,7 +646,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2376", "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -609,7 +659,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -621,7 +672,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1433", "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -633,7 +685,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2484", "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -645,7 +698,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2383", "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -657,7 +711,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -669,7 +724,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5900", "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -681,7 +737,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8000", "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -693,7 +750,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:6379", "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -705,7 +763,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:27018", "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -717,7 +776,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:161", "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -729,7 +789,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -741,7 +802,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -753,7 +815,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:20", "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -765,7 +828,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -777,7 +841,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3389", "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -789,7 +854,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11211", "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -801,7 +867,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9160", "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -813,7 +880,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9042", "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -825,7 +893,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9090", "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -837,7 +906,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1434", "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -849,7 +919,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:5432", "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -861,7 +932,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:21", "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -873,7 +945,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2382", "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -885,7 +958,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:80", "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -897,7 +971,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11211", "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -909,7 +984,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3306", "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -921,7 +997,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8140", "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -933,7 +1010,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:27017", "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -945,7 +1023,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2375", "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -957,7 +1036,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11214", "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -969,7 +1049,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -981,7 +1062,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -993,7 +1075,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1005,7 +1088,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1017,7 +1101,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1029,7 +1114,8 @@ "searchKey": "Resources.IPv4Ingress3.Properties", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1041,7 +1127,8 @@ "searchKey": "Resources.IPv4Ingress4.Properties", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1053,7 +1140,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1065,7 +1153,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1077,7 +1166,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1089,7 +1179,8 @@ "searchKey": "Resources.IPv6Ingress4.Properties", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1101,7 +1192,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1113,7 +1205,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:80", "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1125,7 +1218,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1137,7 +1231,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1149,7 +1244,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1161,7 +1257,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11215", "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1173,7 +1270,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5985", "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1185,7 +1283,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9042", "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1197,7 +1296,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7000", "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1209,7 +1309,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1434", "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1221,7 +1322,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4505", "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1233,7 +1335,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8020", "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1245,7 +1348,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:80", "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1257,7 +1361,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7001", "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1269,7 +1374,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1433", "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1281,7 +1387,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2375", "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1293,7 +1400,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3000", "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1305,7 +1413,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1317,7 +1426,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3020", "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1329,7 +1439,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8888", "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1341,7 +1452,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:161", "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1353,7 +1465,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5900", "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1365,7 +1478,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1377,7 +1491,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1389,7 +1504,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1401,7 +1517,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1521", "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1413,7 +1530,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:7199", "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1425,7 +1543,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1437,7 +1556,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8140", "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1449,7 +1569,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:389", "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1461,7 +1582,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:27017", "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1473,7 +1595,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:27018", "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1485,7 +1608,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3306", "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1497,7 +1621,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1509,7 +1634,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5432", "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1521,7 +1647,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:5432", "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1533,7 +1660,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2383", "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1545,7 +1673,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4506", "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1557,7 +1686,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1569,7 +1699,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9000", "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1581,7 +1712,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5601", "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1593,7 +1725,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1605,7 +1738,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2376", "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1617,7 +1751,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8080", "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1629,7 +1764,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1641,7 +1777,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:1522", "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1653,7 +1790,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:161", "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1665,7 +1803,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2382", "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1677,7 +1816,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:21", "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1689,7 +1829,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:8000", "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1701,7 +1842,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11211", "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1713,7 +1855,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1725,7 +1868,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1737,7 +1881,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9160", "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1749,7 +1894,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9090", "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1761,7 +1907,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2483", "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1773,7 +1920,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:110", "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1785,7 +1933,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:3389", "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1797,7 +1946,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:53", "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1809,7 +1959,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9300", "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1821,7 +1972,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:50470", "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1833,7 +1985,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1845,7 +1998,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:25", "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1857,7 +2011,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11215", "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1869,7 +2024,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:2484", "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1881,7 +2037,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:20", "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1893,7 +2050,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:445", "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1905,7 +2063,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:4333", "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1917,7 +2076,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:61620", "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1929,7 +2089,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11214", "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1941,7 +2102,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:443", "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1953,7 +2115,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:50070", "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1965,7 +2128,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:11214", "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1977,7 +2141,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:5500", "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -1989,7 +2154,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:11211", "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2001,7 +2167,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:61621", "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2013,7 +2180,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:9200", "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2025,7 +2193,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:389", "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2037,7 +2206,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:6379", "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2049,7 +2219,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2061,7 +2232,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2073,7 +2245,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2085,7 +2258,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2097,7 +2271,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2109,7 +2284,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2121,7 +2297,8 @@ "searchKey": "Resources.IPv4Ingress3.Properties", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2133,7 +2310,8 @@ "searchKey": "Resources.IPv4Ingress4.Properties", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2145,7 +2323,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2157,7 +2336,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "EC2Instance01/TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2169,7 +2349,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "EC2Instance01/UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", @@ -2181,6 +2362,7 @@ "searchKey": "Resources.IPv6Ingress4.Properties", "searchValue": "EC2Instance01/UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 6f31ef5bda2..33e120f391a 100644 --- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability", "searchValue": "", "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'", - "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'" + "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Image Tag Not Immutable", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyRepository4.Properties", "searchValue": "", "expectedValue": "Resources.MyRepository4.Properties.ImageTagMutability should be defined and not null", - "actualValue": "Resources.MyRepository4.Properties.ImageTagMutability is undefined or null" + "actualValue": "Resources.MyRepository4.Properties.ImageTagMutability is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Image Tag Not Immutable", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRepository5.Properties.ImageTagMutability", "searchValue": "", "expectedValue": "Resources.MyRepository5.Properties.ImageTagMutability should be 'IMMUTABLE'", - "actualValue": "Resources.MyRepository5.Properties.ImageTagMutability is 'MUTABLE'" + "actualValue": "Resources.MyRepository5.Properties.ImageTagMutability is 'MUTABLE'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Image Tag Not Immutable", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyRepository6.Properties", "searchValue": "", "expectedValue": "Resources.MyRepository6.Properties.ImageTagMutability should be defined and not null", - "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null" + "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index d137f6dc1e6..a2b23f94972 100644 --- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRepository3.Properties.RepositoryPolicyText", "searchValue": "", "expectedValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'", - "actualValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal contains '*'" + "actualValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyRepository4.Properties.RepositoryPolicyText", "searchValue": "", "expectedValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'", - "actualValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal contains '*'" + "actualValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json index 4628b676429..79dc6a92c51 100644 --- a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRepository.Properties", "searchValue": "", "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration should be defined and not null", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration is undefined or null" + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -21,7 +22,8 @@ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", "searchValue": "", "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType", "searchValue": "", "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -81,7 +87,8 @@ "searchKey": "Resources.ecrepo.Properties", "searchValue": "", "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null" + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -93,7 +100,8 @@ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType", "searchValue": "", "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -105,7 +113,8 @@ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType", "searchValue": "", "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'" + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -117,6 +126,7 @@ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null", - "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null" + "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 0eea542e2c1..bd8524ac5eb 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ECSCluster.Properties", "searchValue": "", "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'", - "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined" + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", "searchValue": "", "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings", "searchValue": "", "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'" + "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json index 8b91db39dc1..29822fd55ab 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" }, { "queryName": "ECS Cluster Not Encrypted At Rest", @@ -21,7 +22,8 @@ "searchKey": "Resources.taskdefinition1", "searchValue": "", "expectedValue": "Resources.taskdefinition1 should be defined", - "actualValue": "Resources.taskdefinition1 is not defined." + "actualValue": "Resources.taskdefinition1 is not defined.", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster Not Encrypted At Rest", @@ -33,7 +35,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" }, { "queryName": "ECS Cluster Not Encrypted At Rest", @@ -45,6 +48,7 @@ "searchKey": "Resources.taskdefinition1", "searchValue": "", "expectedValue": "Resources.taskdefinition1 should be defined", - "actualValue": "Resources.taskdefinition1 is not defined." + "actualValue": "Resources.taskdefinition1 is not defined.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json index ee8aac02a71..3c4bb42d9d5 100644 --- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ECSService.Properties", "searchValue": "", "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", - "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" + "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "ECS No Load Balancer Attached", @@ -21,7 +22,8 @@ "searchKey": "Resources.ECSService2.Properties.LoadBalancers", "searchValue": "", "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty", - "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty" + "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty", + "issueType": "IncorrectValue" }, { "queryName": "ECS No Load Balancer Attached", @@ -33,7 +35,8 @@ "searchKey": "Resources.ECSService.Properties", "searchValue": "", "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined", - "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined" + "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "ECS No Load Balancer Attached", @@ -45,6 +48,7 @@ "searchKey": "Resources.ECSService2.Properties.LoadBalancers", "searchValue": "", "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty", - "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty" + "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 1ff0add812c..9f204df6100 100644 --- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.service.Properties.Role", "searchValue": "", "expectedValue": "Resources.service.Properties.Role should not be an admin role", - "actualValue": "Resources.service.Properties.Role is an admin role" + "actualValue": "Resources.service.Properties.Role is an admin role", + "issueType": "IncorrectValue" }, { "queryName": "ECS Service Admin Role Is Present", @@ -21,6 +22,7 @@ "searchKey": "Resources.service.Properties.Role", "searchValue": "", "expectedValue": "Resources.service.Properties.Role should not be an admin role", - "actualValue": "Resources.service.Properties.Role is an admin role" + "actualValue": "Resources.service.Properties.Role is an admin role", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index a425bc532ea..55fe694d307 100644 --- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.service.Properties", "searchValue": "", "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null", - "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null" + "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECS Service Without Running Tasks", @@ -21,6 +22,7 @@ "searchKey": "Resources.service.Properties", "searchValue": "", "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null", - "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null" + "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index b76058ee7aa..680e89da06c 100644 --- a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", "searchValue": "", "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')", - "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'" + "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Services assigned with public IP address", @@ -21,6 +22,7 @@ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp", "searchValue": "", "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')", - "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'" + "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json index fc8bbf2cc91..f4e1e326ef4 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.1.Name.Ref=AppName", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property", - "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property" + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property", + "issueType": "MissingAttribute" }, { "queryName": "ECS Task Definition HealthCheck Missing", @@ -21,6 +22,7 @@ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.0.Name.Ref=AppName", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property", - "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property" + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json index 8d65fbefd39..5bb2cfc0e89 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values", - "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value" + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", @@ -21,7 +22,8 @@ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", "searchValue": "", "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", - "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" + "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", @@ -33,7 +35,8 @@ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values", - "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value" + "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Invalid CPU or Memory", @@ -45,6 +48,7 @@ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2", "searchValue": "", "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values", - "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value" + "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index bb459052e08..84d348c3a60 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.taskdefinition.Properties.NetworkMode", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'", - "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'" + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Network Mode Not Recommended", @@ -21,6 +22,7 @@ "searchKey": "Resources.taskdefinition.Properties", "searchValue": "", "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'", - "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'" + "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json index 6c89fd8d9d5..f647e2d28e7 100644 --- a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", - "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", - "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled", - "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false" + "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 41ab1a46a83..a12f2c4f974 100644 --- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -21,7 +22,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -33,7 +35,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -45,7 +48,8 @@ "searchKey": "Resources.taskdefinition.Properties", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined" + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -57,7 +61,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -69,7 +74,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -81,7 +87,8 @@ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined" + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -93,6 +100,7 @@ "searchKey": "Resources.taskdefinition.Properties", "searchValue": "", "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined" + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json index 4b4da411d4a..ad598bf505b 100644 --- a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EFSFileSystem01", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", - "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute" }, { "queryName": "EFS Without KMS", @@ -21,7 +22,8 @@ "searchKey": "Resources.EFSFileSystem01", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", - "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute" }, { "queryName": "EFS Without KMS", @@ -33,6 +35,7 @@ "searchKey": "Resources.EFSFileSystem01", "searchValue": "", "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", - "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys" + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json index 4fbae484ef5..d40cf029969 100644 --- a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.FileSystem", "searchValue": "", "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", - "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null" + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EFS Without Tags", @@ -21,6 +22,7 @@ "searchKey": "Resources.FileSystem", "searchValue": "", "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", - "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null" + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index 19d5425f3c7..6032b86cab7 100644 --- a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEKSClusterA.Properties", "searchValue": "", "expectedValue": "'EncryptionConfig' should be defined and not null", - "actualValue": "'EncryptionConfig' is undefined or null" + "actualValue": "'EncryptionConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EKS Cluster Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyEKSClusterA.Properties", "searchValue": "", "expectedValue": "'EncryptionConfig' should be defined and not null", - "actualValue": "'EncryptionConfig' is undefined or null" + "actualValue": "'EncryptionConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EKS Cluster Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", "searchValue": "", "expectedValue": "'secrets' should be defined inside the Resources field", - "actualValue": "'secrets' is undefined on the Resources field" + "actualValue": "'secrets' is undefined on the Resources field", + "issueType": "IncorrectValue" }, { "queryName": "EKS Cluster Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", "searchValue": "", "expectedValue": "'secrets' should be defined inside the Resources field", - "actualValue": "'secrets' is undefined on the Resources field" + "actualValue": "'secrets' is undefined on the Resources field", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json index 8e8fd4a8fd9..e65eb241208 100644 --- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", "searchValue": "", "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", - "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null" + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EKS node group remote access", @@ -21,6 +22,7 @@ "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", "searchValue": "", "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", - "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null" + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 528ce7ee7f9..bb11ba49fba 100644 --- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myCacheCluster3.Properties.AZMode", "searchValue": "", "expectedValue": "Resources.myCacheCluster3.Properties.AZMode is 'cross-az'", - "actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az" + "actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -21,7 +22,8 @@ "searchKey": "Resources.myCacheCluster4.Properties", "searchValue": "", "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'", - "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'" + "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -33,7 +35,8 @@ "searchKey": "Resources.myCacheCluster5.Properties.AZMode", "searchValue": "", "expectedValue": "Resources.myCacheCluster5.Properties.AZMode is 'cross-az'", - "actualValue": "Resources.myCacheCluster5.Properties.AZMode is 'single-az" + "actualValue": "Resources.myCacheCluster5.Properties.AZMode is 'single-az", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -45,6 +48,7 @@ "searchKey": "Resources.myCacheCluster6.Properties", "searchValue": "", "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'", - "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'" + "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json index 7a7f9c3a988..3d6fb1a6c3b 100644 --- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicReplicationGroup.Properties.Port", "searchValue": "", "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", - "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379" + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "Resources.BasicReplicationGroup.Properties.Port", "searchValue": "", "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", - "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211" + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "Resources.BasicReplicationGroup.Properties.Port", "searchValue": "", "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", - "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379" + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "Resources.BasicReplicationGroup.Properties.Port", "searchValue": "", "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", - "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211" + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json index fa95fd395f9..10c3a067ad1 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", - "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyReplicationGroup.Properties", "searchValue": "", "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", - "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", @@ -33,7 +35,8 @@ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", - "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyReplicationGroup.Properties", "searchValue": "", "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", - "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined" + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache With Disabled at Rest Encryption", @@ -57,6 +61,7 @@ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", - "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false" + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json index 669cbdbb6d7..1c2e7761625 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ReplicationGroup.Properties", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", - "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache With Disabled Transit Encryption", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", - "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache With Disabled Transit Encryption", @@ -33,7 +35,8 @@ "searchKey": "Resources.ReplicationGroup.Properties", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", - "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache With Disabled Transit Encryption", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", - "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false" + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache With Disabled Transit Encryption", @@ -57,6 +61,7 @@ "searchKey": "Resources.ReplicationGroup.Properties", "searchValue": "", "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", - "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined" + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json index e16714fbd59..cb8612e2a13 100644 --- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticacheCluster.Properties", "searchValue": "", "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null", - "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null" + "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Without VPC", @@ -21,6 +22,7 @@ "searchKey": "Resources.ElasticacheCluster.Properties", "searchValue": "", "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null", - "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null" + "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json index 488c59fdbf2..6abd495cc7f 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Encryption With KMS Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Encryption With KMS Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Encryption With KMS Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index a2133bad791..5bd73e8e988 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -93,7 +100,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -105,7 +113,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -117,7 +126,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -129,7 +139,8 @@ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled", "searchValue": "", "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true", - "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true" + "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -141,6 +152,7 @@ "searchKey": "Resources.MyOpenSearchDomain.Properties", "searchValue": "", "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined", - "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined" + "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 8163e48ac9c..959b1352a32 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Not Encrypted At Rest", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain1.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Not Encrypted At Rest", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Not Encrypted At Rest", @@ -45,7 +48,8 @@ "searchKey": "Resources.ElasticsearchDomain1.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Not Encrypted At Rest", @@ -57,6 +61,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled", - "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled" + "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 54d87b31560..f1047a9064a 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", "searchValue": "", "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", - "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" + "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" + "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set" + "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch with HTTPS disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS", "searchValue": "", "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", - "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'" + "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json index a104359fe37..26245123b25 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -45,7 +48,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -57,7 +61,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -69,7 +74,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -81,7 +87,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -93,7 +100,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -105,7 +113,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -117,7 +126,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -129,7 +139,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -141,7 +152,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -153,7 +165,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -165,7 +178,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -177,7 +191,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -189,7 +204,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -201,7 +217,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -213,7 +230,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -225,7 +243,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", @@ -237,6 +256,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json index abf7b9bfbcf..badf6cc51c6 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -45,7 +48,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -57,7 +61,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -69,7 +74,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -81,7 +87,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -93,7 +100,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -105,7 +113,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -117,7 +126,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -129,7 +139,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -141,7 +152,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -153,7 +165,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -165,7 +178,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -177,7 +191,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -189,7 +204,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -201,7 +217,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -213,7 +230,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -225,7 +243,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", @@ -237,6 +256,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index 8cbf8a597c8..6a838bcec76 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", "searchValue": "", "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", - "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Without IAM Authentication", @@ -21,6 +22,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", "searchValue": "", "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", - "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 4ff0c166cf0..cd8f878e9f2 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -33,7 +35,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -45,7 +48,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -57,7 +61,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -69,7 +74,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -81,7 +87,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -93,7 +100,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -105,7 +113,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -117,7 +126,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -129,7 +139,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -141,7 +152,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -153,7 +165,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -165,7 +178,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -177,7 +191,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -189,7 +204,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -201,7 +217,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -213,7 +230,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -225,7 +243,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -237,7 +256,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -249,7 +269,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -261,7 +282,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -273,7 +295,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -285,7 +308,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -297,7 +321,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -309,7 +334,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -321,7 +347,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -333,7 +360,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -345,7 +373,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -357,7 +386,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -369,7 +399,8 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", @@ -381,6 +412,7 @@ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", "searchValue": "", "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", - "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'" + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json index 6dab395aa9d..09eb2d382ec 100644 --- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", - "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", - "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "ELB Access Log Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", - "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing" + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", - "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "ELB Access Log Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", - "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false" + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index b31fa1b7d2b..4b4e3a84075 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,389", "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2375", "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11211", "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5432", "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3020", "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -81,7 +87,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9042", "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -93,7 +100,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8000", "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7199", "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -117,7 +126,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -129,7 +139,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2484", "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1521", "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2483", "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -189,7 +204,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5500", "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -201,7 +217,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,389", "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -213,7 +230,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11214", "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -225,7 +243,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -237,7 +256,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,20", "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -249,7 +269,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,50070", "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -261,7 +282,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1434", "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -273,7 +295,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11211", "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -285,7 +308,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2382", "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -297,7 +321,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9300", "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -309,7 +334,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4333", "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -321,7 +347,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8020", "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -333,7 +360,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11215", "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -345,7 +373,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -357,7 +386,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3000", "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -369,7 +399,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8140", "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -381,7 +412,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5900", "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -393,7 +425,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5985", "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -405,7 +438,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -417,7 +451,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8888", "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -429,7 +464,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -441,7 +477,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -453,7 +490,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9160", "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -465,7 +503,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,443", "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -477,7 +516,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11214", "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -489,7 +529,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4505", "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -501,7 +542,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,50470", "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -513,7 +555,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -525,7 +568,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -537,7 +581,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7001", "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -549,7 +594,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9000", "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -561,7 +607,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11215", "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -573,7 +620,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4506", "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -585,7 +633,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,53", "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -597,7 +646,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,27018", "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -609,7 +659,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,445", "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -621,7 +672,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -633,7 +685,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9200", "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -645,7 +698,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8080", "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -657,7 +711,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3306", "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -669,7 +724,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1522", "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -681,7 +737,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,161", "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -693,7 +750,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7000", "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -705,7 +763,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3389", "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -717,7 +776,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9090", "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -729,7 +789,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5601", "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -741,7 +802,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -753,7 +815,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -765,7 +828,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,80", "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -777,7 +841,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -789,7 +854,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -801,7 +867,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,110", "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -813,7 +880,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,6379", "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -825,7 +893,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,161", "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -837,7 +906,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,61621", "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -849,7 +919,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1433", "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -861,7 +932,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2383", "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -873,7 +945,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,61620", "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -885,7 +958,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,5432", "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -897,7 +971,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2376", "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -909,7 +984,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,27017", "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -921,7 +997,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -933,7 +1010,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -945,7 +1023,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -957,7 +1036,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -969,7 +1049,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -981,7 +1062,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -993,7 +1075,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1005,7 +1088,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1017,7 +1101,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1029,7 +1114,8 @@ "searchKey": "Resources.IPv4Ingress3.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1041,7 +1127,8 @@ "searchKey": "Resources.IPv4Ingress4.Properties", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1053,7 +1140,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1065,7 +1153,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1077,7 +1166,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1089,7 +1179,8 @@ "searchKey": "Resources.IPv6Ingress4.Properties", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1101,7 +1192,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", "searchValue": "TCP,636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1113,7 +1205,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1125,7 +1218,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1137,7 +1231,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1149,7 +1244,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1161,7 +1257,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1173,7 +1270,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1185,7 +1283,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1197,7 +1296,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1209,7 +1309,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1221,7 +1322,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1233,7 +1335,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1245,7 +1348,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4506", "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1257,7 +1361,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,443", "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1269,7 +1374,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5432", "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1281,7 +1387,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4505", "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1293,7 +1400,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2375", "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1305,7 +1413,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8080", "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1317,7 +1426,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11214", "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1329,7 +1439,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,27018", "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1341,7 +1452,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1353,7 +1465,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2382", "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1365,7 +1478,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9300", "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1377,7 +1491,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1389,7 +1504,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9090", "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1401,7 +1517,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1413,7 +1530,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7000", "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1425,7 +1543,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11215", "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1437,7 +1556,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3000", "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1449,7 +1569,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1461,7 +1582,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2484", "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1473,7 +1595,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,6379", "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1485,7 +1608,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5985", "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1497,7 +1621,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7001", "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1509,7 +1634,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9200", "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1521,7 +1647,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2483", "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1533,7 +1660,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11211", "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1545,7 +1673,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,53", "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1557,7 +1686,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1569,7 +1699,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,5432", "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1581,7 +1712,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,50070", "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1593,7 +1725,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,50470", "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1605,7 +1738,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1617,7 +1751,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,11214", "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1629,7 +1764,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1641,7 +1777,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,110", "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1653,7 +1790,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,161", "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1665,7 +1803,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1677,7 +1816,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8020", "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1689,7 +1829,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11211", "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1701,7 +1842,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1713,7 +1855,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,20", "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1725,7 +1868,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1434", "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1737,7 +1881,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1433", "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1749,7 +1894,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1761,7 +1907,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,27017", "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1773,7 +1920,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8140", "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1785,7 +1933,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9000", "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1797,7 +1946,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5601", "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1809,7 +1959,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,389", "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1821,7 +1972,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3020", "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1833,7 +1985,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2376", "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1845,7 +1998,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1521", "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1857,7 +2011,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1869,7 +2024,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,61621", "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1881,7 +2037,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,4333", "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1893,7 +2050,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1905,7 +2063,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,389", "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1917,7 +2076,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1929,7 +2089,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3389", "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1941,7 +2102,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,161", "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1953,7 +2115,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,61620", "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1965,7 +2128,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9160", "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1977,7 +2141,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,445", "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -1989,7 +2154,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5900", "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2001,7 +2167,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,5500", "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2013,7 +2180,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,11215", "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2025,7 +2193,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,2383", "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2037,7 +2206,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,80", "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2049,7 +2219,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,3306", "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2061,7 +2232,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2073,7 +2245,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,7199", "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2085,7 +2258,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8888", "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2097,7 +2271,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2109,7 +2284,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2121,7 +2297,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,9042", "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2133,7 +2310,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,1522", "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2145,7 +2323,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,8000", "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2157,7 +2336,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2169,7 +2349,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2181,7 +2362,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2193,7 +2375,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2205,7 +2388,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2217,7 +2401,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2229,7 +2414,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2241,7 +2427,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2253,7 +2440,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2265,7 +2453,8 @@ "searchKey": "Resources.IPv4Ingress3.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2277,7 +2466,8 @@ "searchKey": "Resources.IPv4Ingress4.Properties", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2289,7 +2479,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2301,7 +2492,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2313,7 +2505,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2325,7 +2518,8 @@ "searchKey": "Resources.IPv6Ingress4.Properties", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2337,7 +2531,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", "searchValue": "TCP,636", "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2349,7 +2544,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,1434", "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2361,7 +2557,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,2483", "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2373,7 +2570,8 @@ "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,2484", "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", - "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'" + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2385,7 +2583,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2397,7 +2596,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2409,7 +2609,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2421,7 +2622,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2433,7 +2635,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2445,7 +2648,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2457,7 +2661,8 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", @@ -2469,6 +2674,7 @@ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 03191ef5dcd..67790ece55f 100644 --- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 06b247e5cb1..9d29e20c09f 100644 --- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -69,6 +74,7 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", - "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher" + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json index 8c037249448..059056584de 100644 --- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.LoadBalancer.Properties", "searchValue": "", "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", - "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined", + "issueType": "MissingAttribute" }, { "queryName": "ELBv2 ALB Access Log Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", "searchValue": "", "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", - "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue" }, { "queryName": "ELBv2 ALB Access Log Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.LoadBalancer.Properties", "searchValue": "", "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", - "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined" + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined", + "issueType": "MissingAttribute" }, { "queryName": "ELBv2 ALB Access Log Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", "searchValue": "", "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", - "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue" }, { "queryName": "ELBv2 ALB Access Log Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", "searchValue": "", "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", - "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true" + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json index da39fe93c8a..ea8c51d3e67 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.sgwithoutingress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", - "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined" + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Inbound Rules", @@ -21,7 +22,8 @@ "searchKey": "Resources.sgwithoutingress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", - "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined" + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Inbound Rules", @@ -33,7 +35,8 @@ "searchKey": "Resources.sgwithingress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", - "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined" + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Inbound Rules", @@ -45,6 +48,7 @@ "searchKey": "Resources.sgwithingress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", - "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined" + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json index e2146e3a44c..596865cc02f 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.sgwithoutegress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -21,7 +22,8 @@ "searchKey": "Resources.sgwithoutegress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -33,7 +35,8 @@ "searchKey": "Resources.sgwithegress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -45,7 +48,8 @@ "searchKey": "Resources.sgwithegress.Properties", "searchValue": "", "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -57,7 +61,8 @@ "searchKey": "Resources.MySG.Properties", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -69,7 +74,8 @@ "searchKey": "Resources.MySG.Properties", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -81,7 +87,8 @@ "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -93,7 +100,8 @@ "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -105,7 +113,8 @@ "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", - "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty" + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -117,7 +126,8 @@ "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", - "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty" + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -129,7 +139,8 @@ "searchKey": "Resources.MySG.Properties", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -141,6 +152,7 @@ "searchKey": "Resources.MySG.Properties", "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", - "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined" + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json index 04ff3041663..e8def9748c3 100644 --- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "MissingAttribute" }, { "queryName": "ELB Without Secure Protocol", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "MissingAttribute" }, { "queryName": "ELB Without Secure Protocol", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "MissingAttribute" }, { "queryName": "ELB Without Secure Protocol", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", - "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'" + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json index 94d657bb1e2..73c7bd1f7be 100644 --- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NoTaskDefinition.Properties", "searchValue": "", "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", - "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -21,7 +22,8 @@ "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", "searchValue": "", "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", - "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition" + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition", + "issueType": "MissingAttribute" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -33,7 +35,8 @@ "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", "searchValue": "", "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", - "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role", + "issueType": "IncorrectValue" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -45,7 +48,8 @@ "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", "searchValue": "", "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", - "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition" + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition", + "issueType": "MissingAttribute" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -57,7 +61,8 @@ "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", "searchValue": "", "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", - "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role" + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role", + "issueType": "IncorrectValue" }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", @@ -69,6 +74,7 @@ "searchKey": "Resources.NoTaskDefinition.Properties", "searchValue": "", "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", - "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined" + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json index 27c1f6b2e0c..0887adc229a 100644 --- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cluster.Properties", "searchValue": "", "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", - "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource", + "issueType": "IncorrectValue" }, { "queryName": "EMR Cluster Without Security Configuration", @@ -21,7 +22,8 @@ "searchKey": "Resources.cluster1.Properties", "searchValue": "", "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", - "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EMR Cluster Without Security Configuration", @@ -33,7 +35,8 @@ "searchKey": "Resources.cluster.Properties", "searchValue": "", "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", - "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource" + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource", + "issueType": "IncorrectValue" }, { "queryName": "EMR Cluster Without Security Configuration", @@ -45,6 +48,7 @@ "searchKey": "Resources.cluster1.Properties", "searchValue": "", "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", - "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined" + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json index ce51aae6d6d..aa56fb9a046 100644 --- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", - "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", - "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -105,7 +113,8 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -117,7 +126,8 @@ "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", - "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined" + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -129,7 +139,8 @@ "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -141,7 +152,8 @@ "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -153,7 +165,8 @@ "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -165,7 +178,8 @@ "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", - "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined" + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -177,7 +191,8 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", @@ -189,6 +204,7 @@ "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", "searchValue": "", "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", - "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false" + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json index 002d567ecc2..08240272574 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cluster.Properties.Instances", "searchValue": "", "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", - "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null" + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EMR Without VPC", @@ -21,6 +22,7 @@ "searchKey": "Resources.cluster.Properties.Instances", "searchValue": "", "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", - "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null" + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json index 03ec9c9eac9..ea08e1b615a 100644 --- a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -21,7 +22,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -33,7 +35,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -45,7 +48,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -57,7 +61,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -69,7 +74,8 @@ "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -81,7 +87,8 @@ "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", @@ -93,6 +100,7 @@ "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", - "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports" + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json index 9c725d235f7..113880bd7c7 100644 --- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", - "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort" + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -21,7 +22,8 @@ "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", - "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort" + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -33,7 +35,8 @@ "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", - "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort" + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -45,7 +48,8 @@ "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", - "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -57,7 +61,8 @@ "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", - "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort" + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -69,7 +74,8 @@ "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", - "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort" + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -81,7 +87,8 @@ "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", - "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort" + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", @@ -93,6 +100,7 @@ "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", "searchValue": "", "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", - "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort" + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json index 0cedff24951..7497ec8a7f1 100644 --- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", - "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be" + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be", + "issueType": "IncorrectValue" }, { "queryName": "Geo Restriction Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", - "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be" + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json index c8ec3c677ac..cadfba034a0 100644 --- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRepo3.Properties.IsPrivate", "searchValue": "", "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", - "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "GitHub Repository Set To Public", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyRepo4.Properties", "searchValue": "", "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", - "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined" + "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRepo5.Properties", "searchValue": "", "expectedValue": "'Resources.MyRepo5.IsPrivate' should be set", - "actualValue": "'Resources.MyRepo5.IsPrivate' is undefined" + "actualValue": "'Resources.MyRepo5.IsPrivate' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyRepo6.Properties.IsPrivate", "searchValue": "", "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", - "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true" + "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "GitHub Repository Set To Public", @@ -57,6 +61,7 @@ "searchKey": "Resources.MyRepo3.Properties.IsPrivate", "searchValue": "", "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", - "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true" + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json index 563e075bc60..ad8e040d586 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mydetector3.Properties.Enable", "searchValue": "", "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", - "actualValue": "Resources.mydetector3.Properties.Enable is set to false" + "actualValue": "Resources.mydetector3.Properties.Enable is set to false", + "issueType": "IncorrectValue" }, { "queryName": "GuardDuty Detector Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.mydetector4.Properties.Enable", "searchValue": "", "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true", - "actualValue": "Resources.mydetector4.Properties.Enable is set to false" + "actualValue": "Resources.mydetector4.Properties.Enable is set to false", + "issueType": "IncorrectValue" }, { "queryName": "GuardDuty Detector Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.mydetector3.Properties.Enable", "searchValue": "", "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", - "actualValue": "Resources.mydetector3.Properties.Enable is set to false" + "actualValue": "Resources.mydetector3.Properties.Enable is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index 0f0b2f4ac4b..d985abe6bd6 100644 --- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables", "searchValue": "", "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key" + "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -21,7 +22,8 @@ "searchKey": "Resources.LambdaFunction4.Properties.Environment.Variables", "searchValue": "", "expectedValue": "Resources.LambdaFunction4.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction4.Properties.Environment.Variables contains access key" + "actualValue": "Resources.LambdaFunction4.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -33,7 +35,8 @@ "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables", "searchValue": "", "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key" + "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -45,6 +48,7 @@ "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables", "searchValue": "", "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key", - "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key" + "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json index 1558140d50a..161541151ba 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -81,7 +87,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -93,7 +100,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -105,7 +113,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -117,7 +126,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -129,7 +139,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -189,7 +204,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -201,7 +217,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -213,7 +230,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -225,7 +243,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -237,7 +256,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -249,7 +269,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -261,6 +282,7 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 4ef8b93f842..ed0ddfeddb5 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources", "searchValue": "", "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", - "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined" + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Access Analyzer Not Enabled", @@ -21,6 +22,7 @@ "searchKey": "Resources", "searchValue": "", "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", - "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined" + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index fa4125a7f69..42ae5624f91 100644 --- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue" }, { "queryName": "IAM Database Auth Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue" }, { "queryName": "IAM Database Auth Not Enabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDBSmall.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDBSmall.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined" + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", - "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false" + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 5c0bc66a6a5..2b24b10d755 100644 --- a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -105,7 +113,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -117,7 +126,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -129,7 +139,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -141,7 +152,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -153,7 +165,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -165,7 +178,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -177,7 +191,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -189,7 +204,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -201,7 +217,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -213,7 +230,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -225,7 +243,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -237,7 +256,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -249,7 +269,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -261,7 +282,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -273,7 +295,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -285,7 +308,8 @@ "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -297,7 +321,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -309,7 +334,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -321,7 +347,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -333,7 +360,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -345,7 +373,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -357,7 +386,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -369,7 +399,8 @@ "searchKey": "Resources.sample.Properties", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -381,7 +412,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -393,7 +425,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -405,7 +438,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -417,7 +451,8 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -429,6 +464,7 @@ "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", "searchValue": "", "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", - "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false" + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json index 7ec83c3f036..be317625045 100644 --- a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuseeer", "searchValue": "", "expectedValue": "Resources.myuseeer has at least one user", - "actualValue": "Resources.myuseeer does not have at least one user" + "actualValue": "Resources.myuseeer does not have at least one user", + "issueType": "IncorrectValue" }, { "queryName": "IAM Group Without Users", @@ -21,6 +22,7 @@ "searchKey": "Resources.myuseeer2", "searchValue": "", "expectedValue": "Resources.myuseeer2 has at least one user", - "actualValue": "Resources.myuseeer2 does not have at least one user" + "actualValue": "Resources.myuseeer2 does not have at least one user", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json index cea754607ac..bf84f1baf35 100644 --- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.Policies", "searchValue": "", "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", - "actualValue": "'Resources.Properties.Policies' is not empty" + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Group Inline Policies", @@ -21,6 +22,7 @@ "searchKey": "Resources.myuser.Properties.Policies", "searchValue": "", "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", - "actualValue": "'Resources.Properties.Policies' is not empty" + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json index f0ac6d02491..08d578707e9 100644 --- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", "searchValue": "", "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", - "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups" + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" }, { "queryName": "IAM Managed Policy Applied to a User", @@ -21,6 +22,7 @@ "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", "searchValue": "", "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", - "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups" + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json index cca619f7794..386ec8c9edd 100644 --- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.Password", "searchValue": "", "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", - "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14" + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue" }, { "queryName": "IAM Password Without Minimum Length", @@ -21,6 +22,7 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.Password", "searchValue": "", "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", - "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14" + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 217a771768f..0dc6e05b6e0 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", - "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty" + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Attached To User", @@ -21,7 +22,8 @@ "searchKey": "Resources.myuser.Properties.Policies", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty", - "actualValue": "'Resources.myuser.Properties.Policies' is not empty" + "actualValue": "'Resources.myuser.Properties.Policies' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Attached To User", @@ -33,7 +35,8 @@ "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", - "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty" + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Attached To User", @@ -45,6 +48,7 @@ "searchKey": "Resources.myuser.Properties.Policies", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty", - "actualValue": "'Resources.myuser.Properties.Policies' is not empty" + "actualValue": "'Resources.myuser.Properties.Policies' is not empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index b70a3eac264..c60a8fdac4b 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", - "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -21,7 +22,8 @@ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", - "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -33,7 +35,8 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", - "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -45,6 +48,7 @@ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", - "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'" + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json index 0bf843d65c3..b16d30a6f2d 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.Policies.Users", "searchValue": "", "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", - "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition." + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Without Groups", @@ -21,6 +22,7 @@ "searchKey": "Resources.myuser.Properties.Policies.Users", "searchValue": "", "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", - "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition." + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index a9036b79a83..bd9106d0a97 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -21,7 +22,8 @@ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -33,7 +35,8 @@ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]" + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -57,7 +61,8 @@ "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]" + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]" + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -81,7 +87,8 @@ "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParametersByPath]" + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParametersByPath]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -93,7 +100,8 @@ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]" + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -105,7 +113,8 @@ "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]" + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -117,7 +126,8 @@ "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject]" + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -129,7 +139,8 @@ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]" + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -141,6 +152,7 @@ "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", "searchValue": "", "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", - "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]" + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index 5143947ada0..fa806a35140 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", - "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')" + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", @@ -21,6 +22,7 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", - "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')" + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index b994e56bc83..3c70b097542 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", - "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -21,7 +22,8 @@ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", - "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -33,7 +35,8 @@ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", - "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -45,6 +48,7 @@ "searchKey": "Resources.mypolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", - "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'" + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json index cdfab874841..d473369d33b 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BadPolicy.Properties.Users", "searchValue": "", "expectedValue": "Resources.BadPolicy is assigned to a set of users", - "actualValue": "Resources.BadPolicy should be assigned to a set of groups" + "actualValue": "Resources.BadPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy On User", @@ -21,6 +22,7 @@ "searchKey": "Resources.BadPolicy.Properties.Users", "searchValue": "", "expectedValue": "Resources.BadPolicy is assigned to a set of users", - "actualValue": "Resources.BadPolicy should be assigned to a set of groups" + "actualValue": "Resources.BadPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 0e2bf02135f..76aaa8b9a70 100644 --- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Role Allows All Principals To Assume", @@ -21,6 +22,7 @@ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", "searchValue": "", "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", - "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'" + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json index 96fcb08b6f6..cc9b1f6a6a9 100644 --- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.Password", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", - "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal" + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal", + "issueType": "IncorrectValue" }, { "queryName": "IAM User LoginProfile Password Is In Plaintext", @@ -21,6 +22,7 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.Password", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", - "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal" + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index c6c38703adb..96fc708a1eb 100644 --- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.firstKey", "searchValue": "", "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", @@ -21,7 +22,8 @@ "searchKey": "Resources.secondKey", "searchValue": "", "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", @@ -33,7 +35,8 @@ "searchKey": "Resources.secondKey", "searchValue": "", "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'" + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", @@ -45,6 +48,7 @@ "searchKey": "Resources.firstKey", "searchValue": "", "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", - "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'" + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json index 52f1375f3d3..3a7bbe25de9 100644 --- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyUser.Properties", "searchValue": "", "expectedValue": "'Resources.Properties should contain Groups", - "actualValue": "'Resources.Properties' does not contain Groups" + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute" }, { "queryName": "IAM User With No Group", @@ -21,7 +22,8 @@ "searchKey": "Resources.emptyGroup.Properties.Groups", "searchValue": "", "expectedValue": "'Resources.Properties.Groups' should contain groups", - "actualValue": "'Resources.Properties.Groups' is empty" + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM User With No Group", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyUser.Properties", "searchValue": "", "expectedValue": "'Resources.Properties should contain Groups", - "actualValue": "'Resources.Properties' does not contain Groups" + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute" }, { "queryName": "IAM User With No Group", @@ -45,6 +48,7 @@ "searchKey": "Resources.emptyGroup.Properties.Groups", "searchValue": "", "expectedValue": "'Resources.Properties.Groups' should contain groups", - "actualValue": "'Resources.Properties.Groups' is empty" + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json index f7e9ffc0770..2f2ede6a0c4 100644 --- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InlinePolicy.Properties.Role", "searchValue": "", "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", - "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'" + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "Inline Policies Are Attached To ECS Service", @@ -21,6 +22,7 @@ "searchKey": "Resources.InlinePolicy.Properties.Role", "searchValue": "", "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", - "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'" + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index e53b7ff12a1..bdf48e71d28 100644 --- a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyEC2Instance.Properties", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyEC2Instance.Properties", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -93,7 +100,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -105,7 +113,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -117,7 +126,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -129,7 +139,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -141,7 +152,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -153,7 +165,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -165,7 +178,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -177,7 +191,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -189,7 +204,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -201,7 +217,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -213,7 +230,8 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -225,7 +243,8 @@ "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -237,6 +256,7 @@ "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", "searchValue": "", "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", - "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined" + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json index 295cbdda370..9ef3ce0e586 100644 --- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.PublicSubnetA.Properties", "searchValue": "", "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", - "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined" + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", @@ -21,7 +22,8 @@ "searchKey": "Resources.Ec2Instance-02.Properties", "searchValue": "", "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", - "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined" + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", @@ -33,7 +35,8 @@ "searchKey": "Resources.PublicSubnetA.Properties", "searchValue": "", "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", - "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined" + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", @@ -45,6 +48,7 @@ "searchKey": "Resources.Ec2Instance-02.Properties", "searchValue": "", "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", - "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined" + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json index c45bb65d0ae..1bd0f07b23d 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", - "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'" + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'", + "issueType": "IncorrectValue" }, { "queryName": "IoT Policy Allows Action as Wildcard", @@ -21,6 +22,7 @@ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", - "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'" + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json index 42d1f6185d4..59575b4b45a 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", - "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'" + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'", + "issueType": "IncorrectValue" }, { "queryName": "IoT Policy Allows Wildcard Resource", @@ -21,6 +22,7 @@ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", - "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'" + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json index 329c4409f1d..ecf65f298d4 100644 --- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EventStream1.Properties.StreamEncryption", "searchValue": "KeyId", "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", - "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" + "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -21,7 +22,8 @@ "searchKey": "Resources.EventStream2.Properties.StreamEncryption", "searchValue": "EncryptionType", "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set", - "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined" + "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -33,7 +35,8 @@ "searchKey": "Resources.EventStream3.Properties", "searchValue": "", "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set", - "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined" + "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -45,7 +48,8 @@ "searchKey": "Resources.EventStream1.Properties.StreamEncryption", "searchValue": "KeyId", "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set", - "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined" + "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -57,7 +61,8 @@ "searchKey": "Resources.EventStream2.Properties.StreamEncryption", "searchValue": "EncryptionType", "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set", - "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined" + "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -69,6 +74,7 @@ "searchKey": "Resources.EventStream3.Properties", "searchValue": "", "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set", - "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined" + "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json index a98ebd8b67e..6b1a8e98519 100644 --- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myKey.Properties.KeyPolicy", "searchValue": "", "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'", - "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'" + "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Allows Wildcard Principal", @@ -21,6 +22,7 @@ "searchKey": "Resources.myKey.Properties.KeyPolicy", "searchValue": "", "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'", - "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'" + "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json index 6b4949c9d40..8435be7dfda 100644 --- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myKey.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", - "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key Rotation Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", - "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "KMS Key Rotation Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.myKey.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", - "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key Rotation Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", - "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "KMS Key Rotation Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.myKey.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'", - "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true" + "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key Rotation Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", "searchValue": "", "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined", - "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined" + "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json index bbf9fc9fc4c..305d6958395 100644 --- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", "searchValue": "", "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", - "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" + "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -21,7 +22,8 @@ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy", "searchValue": "", "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'", - "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'" + "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -33,7 +35,8 @@ "searchKey": "Resources.RSASigningKey2.Properties", "searchValue": "", "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null", - "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null" + "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -45,6 +48,7 @@ "searchKey": "Resources.RSASigningKey2.Properties", "searchValue": "", "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null", - "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null" + "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index 67f3f97d535..c9c00498385 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", - "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null" + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Dead Letter Queue", @@ -21,7 +22,8 @@ "searchKey": "Resources.Function2.Properties", "searchValue": "", "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig' should be defined and not null", - "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null" + "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Dead Letter Queue", @@ -33,6 +35,7 @@ "searchKey": "Resources.Function2.Properties.DeadLetterConfig", "searchValue": "", "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null", - "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null" + "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json index b58f06f8aab..41b62dfa19f 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.AppendItemToListFunction.Properties", "searchValue": "", "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined", - "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined" + "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Tags", @@ -21,6 +22,7 @@ "searchKey": "Resources.AppendItemToListFunction.Properties", "searchValue": "", "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined", - "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined" + "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json index 04f9944ba25..412fafddc5d 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", "searchValue": "AppendItemToListFunction", "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ", - "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction " + "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions With Full Privileges", @@ -21,6 +22,7 @@ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument", "searchValue": "AppendItemToListFunction", "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ", - "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction " + "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json index b8f62bfcddd..450f6683166 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Primer01.Properties.Role", "searchValue": "", "expectedValue": "Each AWS Lambda Function has a unique role", - "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without Unique IAM Roles", @@ -21,7 +22,8 @@ "searchKey": "Resources.Primer02.Properties.Role", "searchValue": "", "expectedValue": "Each AWS Lambda Function has a unique role", - "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without Unique IAM Roles", @@ -33,7 +35,8 @@ "searchKey": "Resources.Primer01.Properties.Role", "searchValue": "", "expectedValue": "Each AWS Lambda Function has a unique role", - "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without Unique IAM Roles", @@ -45,6 +48,7 @@ "searchKey": "Resources.Primer02.Properties.Role", "searchValue": "", "expectedValue": "Each AWS Lambda Function has a unique role", - "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index e67b56ab589..af0839d3d98 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.primer.Properties.TracingConfig.Mode", "searchValue": "", "expectedValue": "TracingConfig.Mode should be set to 'Active'", - "actualValue": "TracingConfig.Mode is set to 'PassThrough'" + "actualValue": "TracingConfig.Mode is set to 'PassThrough'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -21,7 +22,8 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "Property 'TracingConfig' should be defined", - "actualValue": "Property 'TracingConfig' is undefined" + "actualValue": "Property 'TracingConfig' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -33,7 +35,8 @@ "searchKey": "Resources.primer.Properties.TracingConfig.Mode", "searchValue": "", "expectedValue": "TracingConfig.Mode should be set to 'Active'", - "actualValue": "TracingConfig.Mode is set to 'PassThrough'" + "actualValue": "TracingConfig.Mode is set to 'PassThrough'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -45,6 +48,7 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "Property 'TracingConfig' should be defined", - "actualValue": "Property 'TracingConfig' is undefined" + "actualValue": "Property 'TracingConfig' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json index d7a885d3dbf..f6a1b378caa 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.s3Permission.Properties.Action", "searchValue": "", "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ", - "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction" + "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Permission Misconfigured", @@ -21,6 +22,7 @@ "searchKey": "Resources.s3Permission.Properties.Action", "searchValue": "", "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ", - "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction" + "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index ce51ba0ee84..b65e15a2363 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.s3Permission.Properties.Principal", "searchValue": "", "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard", - "actualValue": "Resources.s3Permission.Properties.Principal is wildcard" + "actualValue": "Resources.s3Permission.Properties.Principal is wildcard", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Permission Principal Is Wildcard", @@ -21,6 +22,7 @@ "searchKey": "Resources.s3Permission.Properties.Principal", "searchValue": "", "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard", - "actualValue": "Resources.s3Permission.Properties.Principal is wildcard" + "actualValue": "Resources.s3Permission.Properties.Principal is wildcard", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json index f9677324582..bfdaddba3a5 100644 --- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined" + "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -45,7 +48,8 @@ "searchKey": "Resources.BadDatabaseCluster.Properties", "searchValue": "", "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period", + "issueType": "MissingAttribute" }, { "queryName": "Low RDS Backup Retention Period", @@ -57,7 +61,8 @@ "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days" + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined" + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyDB.Properties", "searchValue": "", "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined" + "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined", + "issueType": "IncorrectValue" }, { "queryName": "Low RDS Backup Retention Period", @@ -93,6 +100,7 @@ "searchKey": "Resources.BadDatabaseCluster.Properties", "searchValue": "", "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", - "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period" + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 0e17f06c568..f4ff73b71e2 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", - "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true" + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "Resources.BasicBroker2.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "Resources.BasicBroker2.Properties.PubliclyAccessible should be set to false or undefined", - "actualValue": "Resources.BasicBroker2.Properties.PubliclyAccessible is true" + "actualValue": "Resources.BasicBroker2.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Is Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", - "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true" + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 54fa6a6b722..27a5ff67e2c 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicBroker3.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.BasicBroker4.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", - "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.BasicBroker5.Properties.Logs.General", "searchValue": "", "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", - "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", "searchValue": "", "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", - "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.BasicBroker7.Properties", "searchValue": "", "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", - "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.BasicBroker8.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined" + "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.BasicBroker9.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be set", - "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined" + "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.BasicBroker10.Properties.Logs.General", "searchValue": "", "expectedValue": "Resources.BasicBroker10.Properties.Logs.General is true", - "actualValue": "Resources.BasicBroker10.Properties.Logs.General is false" + "actualValue": "Resources.BasicBroker10.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -105,7 +113,8 @@ "searchKey": "Resources.BasicBroker11.Properties.Logs.Audit", "searchValue": "", "expectedValue": "Resources.BasicBroker11.Properties.Logs.Audit is true", - "actualValue": "Resources.BasicBroker11.Properties.Logs.Audit is false" + "actualValue": "Resources.BasicBroker11.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -117,7 +126,8 @@ "searchKey": "Resources.BasicBroker12.Properties", "searchValue": "", "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", - "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined" + "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -129,7 +139,8 @@ "searchKey": "Resources.BasicBroker3.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", - "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined" + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -141,7 +152,8 @@ "searchKey": "Resources.BasicBroker4.Properties.Logs", "searchValue": "", "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", - "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined" + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -153,7 +165,8 @@ "searchKey": "Resources.BasicBroker5.Properties.Logs.General", "searchValue": "", "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", - "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false" + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -165,7 +178,8 @@ "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", "searchValue": "", "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", - "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false" + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", @@ -177,6 +191,7 @@ "searchKey": "Resources.BasicBroker7.Properties", "searchValue": "", "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", - "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined" + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index 44b439e214d..36a176e2b44 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", "searchValue": "", "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", - "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'" + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Broker Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", "searchValue": "", "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", - "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'" + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 037a3f851ca..6365d1eaae8 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.TestCluster5.Properties", "searchValue": "", "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", - "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined" + "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", - "actualValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'" + "actualValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster", "searchValue": "", "expectedValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", - "actualValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'" + "actualValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.TestCluster8.Properties", "searchValue": "", "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", - "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined" + "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", "searchValue": "", "expectedValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", - "actualValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'" + "actualValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster", "searchValue": "", "expectedValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", - "actualValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'" + "actualValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 06304277ad1..cbf56d2a642 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.TestCluster5.Properties", "searchValue": "", "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", - "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined" + "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.TestCluster8.Properties", "searchValue": "", "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", - "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined" + "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -105,7 +113,8 @@ "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.S3.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -117,7 +126,8 @@ "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -129,7 +139,8 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -141,7 +152,8 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", @@ -153,6 +165,7 @@ "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", "searchValue": "", "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", - "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled" + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index 46a9b0574ea..c1d560c5676 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", - "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false" + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index d8de7246c68..8e831b80a2f 100644 --- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", - "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", - "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", - "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False" + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json index fd1370217be..38a5db6fdb3 100644 --- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "", "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.Prod.Properties", "searchValue": "", "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -93,6 +100,7 @@ "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", "searchValue": "", "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", - "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'" + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 8805311d1e4..600838e3d1b 100644 --- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.s3Permission3.Properties.SourceArn", "searchValue": "", "expectedValue": "Resources.s3Permission3.Properties.SourceArn should not equal to '/*/*'", - "actualValue": "Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'" + "actualValue": "Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue" }, { "queryName": "Public Lambda via API Gateway", @@ -21,6 +22,7 @@ "searchKey": "Resources.s3Permission.Properties.SourceArn", "searchValue": "", "expectedValue": "Resources.s3Permission.Properties.SourceArn should not equal to '/*/*'", - "actualValue": "Resources.s3Permission.Properties.SourceArn is equal to '/*/*' or contains '/*/*'" + "actualValue": "Resources.s3Permission.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 0df65e81bbc..50bff9259db 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", - "actualValue": "RDS is running in a public subnet" + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" }, { "queryName": "RDS Associated with Public Subnet", @@ -21,6 +22,7 @@ "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", - "actualValue": "RDS is running in a public subnet" + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index b7a5d6e2fbb..d9a55a74dd3 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true" + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json index 12ad686ffff..fa29192f3f8 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDBSmall1.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", - "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDBSmall1.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", - "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined" + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false" + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json index 59e1870d0e9..0b282502ccc 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MasterDB.Properties.MultiAZ", "searchValue": "", "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", - "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Multi-AZ Deployment Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ReplicaDB.Properties", "searchValue": "", "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", - "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled" + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute" }, { "queryName": "RDS Multi-AZ Deployment Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MasterDB.Properties.MultiAZ", "searchValue": "", "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", - "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Multi-AZ Deployment Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.ReplicaDB.Properties", "searchValue": "", "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", - "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled" + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute" }, { "queryName": "RDS Multi-AZ Deployment Disabled", @@ -57,6 +61,7 @@ "searchKey": "Resources.MasterDB.Properties.MultiAZ", "searchValue": "", "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", - "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false" + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json index fcb9dec4ca2..fb841c44433 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.RDSCluster1.Properties", "searchValue": "", "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.NoEncryption.Properties", "searchValue": "", "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", - "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", @@ -69,6 +74,7 @@ "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false" + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json index cbe2b029d1a..142620cf402 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDBSmall2.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", - "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDBSmall2.Properties", "searchValue": "", "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", - "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined" + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", @@ -57,6 +61,7 @@ "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", "searchValue": "", "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", - "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false" + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json index 1e0d0ee1710..a0edac6c158 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521" + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyDB.Properties.Port", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", - "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306" + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json index 13216d3c82b..73dbf73f338 100644 --- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", - "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero" + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue" }, { "queryName": "RDS With Backup Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", "searchValue": "", "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", - "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero" + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index 0ab5f847ec2..670e7b1ba3d 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RedshiftCluster3.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster3.Properties.LoggingProperties should be set", - "actualValue": "Resources.RedshiftCluster3.Properties.LoggingProperties is undefined" + "actualValue": "Resources.RedshiftCluster3.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.RedshiftCluster4.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster4.Properties.LoggingProperties should be set", - "actualValue": "Resources.RedshiftCluster4.Properties.LoggingProperties is undefined" + "actualValue": "Resources.RedshiftCluster4.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json index 3797535d65f..2b6aa063e2a 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", - "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined" + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without KMS CMK", @@ -21,6 +22,7 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", - "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined" + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index fa90cd13168..7b28a659cac 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -21,7 +22,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -33,7 +35,8 @@ "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -45,7 +48,8 @@ "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -57,7 +61,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -69,7 +74,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -81,7 +87,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references" + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -93,7 +100,8 @@ "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference" + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -105,7 +113,8 @@ "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", - "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference" + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", @@ -117,7 +126,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -129,7 +139,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds" + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -141,6 +152,7 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", - "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName" + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json index 03bffa06cae..963e6b12504 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", - "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", "searchValue": "", "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", - "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", - "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", "searchValue": "", "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", - "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false" + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Not Encrypted", @@ -57,6 +61,7 @@ "searchKey": "Resources.RedshiftCluster.Properties", "searchValue": "", "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", - "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined" + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json index f970877da65..df15e5837de 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", - "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", - "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", @@ -45,7 +48,8 @@ "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", @@ -57,7 +61,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", - "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined" + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", @@ -69,6 +74,7 @@ "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", "searchValue": "", "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", - "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true" + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json index 5286c13900e..1ea39125ebc 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", - "actualValue": "'Resources.myCluster.Properties.Port' is not defined" + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "Resources.myCluster2.Properties.Port", "searchValue": "", "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", - "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "Resources.myCluster.Properties", "searchValue": "", "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", - "actualValue": "'Resources.myCluster.Properties.Port' is not defined" + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "Resources.myCluster2.Properties.Port", "searchValue": "", "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", - "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439" + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json index edaed15c0fb..e47cb8aec62 100644 --- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", "searchValue": "", "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", - "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'" + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" }, { "queryName": "RefreshToken Is Exposed", @@ -21,6 +22,7 @@ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", "searchValue": "", "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", - "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'" + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 361470afb9c..87d277e6840 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -81,7 +87,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -93,7 +100,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -105,7 +113,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -117,7 +126,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -129,7 +139,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -189,7 +204,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -201,7 +217,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -213,7 +230,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -225,7 +243,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -237,7 +256,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -249,7 +269,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -261,6 +282,7 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 66500ccd67e..07394bd1da3 100644 --- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.CFNKeys.Properties.UserName", "searchValue": "", "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", - "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account." + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue" }, { "queryName": "Root Account Has Active Access Keys", @@ -21,6 +22,7 @@ "searchKey": "Resources.CFNKeys.Properties.UserName", "searchValue": "", "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", - "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account." + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json index b8eb5435aa6..f6e8b83be60 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.HostedZone", "searchValue": "", "expectedValue": "Resources.HostedZone has RecordSet", - "actualValue": "Resources.HostedZone doesn't have RecordSet" + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute" }, { "queryName": "Route53 Record Undefined", @@ -21,6 +22,7 @@ "searchKey": "Resources.HostedZone", "searchValue": "", "expectedValue": "Resources.HostedZone has RecordSet", - "actualValue": "Resources.HostedZone doesn't have RecordSet" + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json index 9680f10a214..9a1f9a509b7 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", "searchValue": "", "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", - "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0" + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue" }, { "queryName": "RouterTable with Default Routing", @@ -21,7 +22,8 @@ "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", "searchValue": "", "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", - "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue" }, { "queryName": "RouterTable with Default Routing", @@ -33,7 +35,8 @@ "searchKey": "Resources.PublicRoute3.Properties", "searchValue": "", "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", - "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RouterTable with Default Routing", @@ -45,7 +48,8 @@ "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", "searchValue": "", "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", - "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0" + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue" }, { "queryName": "RouterTable with Default Routing", @@ -57,7 +61,8 @@ "searchKey": "Resources.PublicRoute3.Properties", "searchValue": "", "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", - "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined" + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RouterTable with Default Routing", @@ -69,6 +74,7 @@ "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", "searchValue": "", "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", - "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0" + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 2a8548872db..41020a82880 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", - "actualValue": "associated Bucket Policy allows access to any principal" + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", @@ -21,7 +22,8 @@ "searchKey": "Resources.Bucket2", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", - "actualValue": "associated Bucket Policy allows access to any principal" + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", @@ -33,7 +35,8 @@ "searchKey": "Resources.Bucket", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", - "actualValue": "associated Bucket Policy allows access to any principal" + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", @@ -45,7 +48,8 @@ "searchKey": "Resources.Bucket2", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", - "actualValue": "associated Bucket Policy allows access to any principal" + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", @@ -57,6 +61,7 @@ "searchKey": "Resources.SWBS3Bucket", "searchValue": "", "expectedValue": "associated Bucket Policy should not allow access to any principal", - "actualValue": "associated Bucket Policy allows access to any principal" + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 01a3cf7dbf8..bedd8de7e56 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.JenkinsArtifacts01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -21,7 +22,8 @@ "searchKey": "Resources.StaticPage01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -33,7 +35,8 @@ "searchKey": "Resources.JenkinsArtifacts02.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -45,7 +48,8 @@ "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -57,7 +61,8 @@ "searchKey": "Resources.JenkinsArtifacts01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -69,7 +74,8 @@ "searchKey": "Resources.StaticPage01.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -81,7 +87,8 @@ "searchKey": "Resources.JenkinsArtifacts02.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -93,6 +100,7 @@ "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable and writeble ACL", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 6fd45526be8..3f67b2a7853 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -21,7 +22,8 @@ "searchKey": "Resources.StaticPage01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -33,7 +35,8 @@ "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -45,7 +48,8 @@ "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -57,7 +61,8 @@ "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -69,7 +74,8 @@ "searchKey": "Resources.StaticPage01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -81,7 +87,8 @@ "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", @@ -93,6 +100,7 @@ "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket should not have a public readable ACL", - "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'" + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 296a6b5c6d2..365f6730c7a 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -21,7 +22,8 @@ "searchKey": "Resources.StaticPage01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -33,7 +35,8 @@ "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -45,7 +48,8 @@ "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -57,7 +61,8 @@ "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -69,7 +74,8 @@ "searchKey": "Resources.StaticPage01.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -81,7 +87,8 @@ "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -93,6 +100,7 @@ "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", "searchValue": "", "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", - "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'" + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json index 7496aaaf880..b4522c551f1 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals" + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json index 6844270acc3..4241a040d61 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals" + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json index 72afa13e04d..9706fb4501c 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'List' action from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'List' action from all principals" + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals" + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index e11ae13f1ef..e641c4a0958 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -21,7 +22,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -33,7 +35,8 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", "searchValue": "", "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -45,7 +48,8 @@ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", "searchValue": "", "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket1)", - "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)" + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -57,7 +61,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -69,7 +74,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -81,6 +87,7 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", "searchValue": "", "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json index c49bc6e5b40..f9e0e33f489 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Put' action from all principals" + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json index 7f22a682907..a09f10289ac 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", - "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", - "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals" + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json index 5261826166e..1bef9dcd9a7 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mybucketVulnerable.Properties", "searchValue": "", "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", - "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled" + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket CloudTrail Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.mybucketVulnerable.Properties", "searchValue": "", "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", - "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled" + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index bf1a4a26b0b..44be099b596 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mybucket.Properties", "searchValue": "", "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", - "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'" + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.mybucket.Properties", "searchValue": "", "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", - "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'" + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json index 6bc7142b49f..ebccedf00cf 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.S3Bucket3", "searchValue": "", "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -21,7 +22,8 @@ "searchKey": "Resources.S3Bucket", "searchValue": "", "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -33,7 +35,8 @@ "searchKey": "Resources.S3Bucket7", "searchValue": "", "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -45,7 +48,8 @@ "searchKey": "Resources.S3Bucket3", "searchValue": "", "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -57,7 +61,8 @@ "searchKey": "Resources.S3Bucket", "searchValue": "", "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -69,7 +74,8 @@ "searchKey": "Resources.S3Bucket7", "searchValue": "", "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyS3Bucket2", "searchValue": "", "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Should Have Bucket Policy", @@ -93,6 +100,7 @@ "searchKey": "Resources.MyS3Bucket2", "searchValue": "", "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", - "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'" + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 899177654eb..d910ec5e6a8 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow all actions from all principals", - "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals" + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket With All Permissions", @@ -21,6 +22,7 @@ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals", - "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals" + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 1b125fa915f..ad6c7428a71 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -21,7 +22,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -33,7 +35,8 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", "searchValue": "", "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -45,7 +48,8 @@ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", "searchValue": "", "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket1)", - "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket1)" + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -57,7 +61,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -69,7 +74,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -81,6 +87,7 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", "searchValue": "", "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 557e4361630..0c9bbea09ef 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", "searchValue": "", "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", - "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins" + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket With Unsecured CORS Rule", @@ -21,6 +22,7 @@ "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", "searchValue": "", "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", - "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins" + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index a6b4e40af23..1442ff80e22 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -21,7 +22,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -33,7 +35,8 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", "searchValue": "", "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -45,7 +48,8 @@ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", "searchValue": "", "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket1)", - "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket1)" + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -57,7 +61,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -69,7 +74,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -81,6 +87,7 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", "searchValue": "", "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index c29cf1617c2..3c981ce7ece 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -21,7 +22,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -33,7 +35,8 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", "searchValue": "", "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -45,7 +48,8 @@ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", "searchValue": "", "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket1)", - "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket1)" + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -57,7 +61,8 @@ "searchKey": "Resources.Bucket11.Properties", "searchValue": "", "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", - "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)" + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -69,7 +74,8 @@ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", "searchValue": "", "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", - "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)" + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -81,6 +87,7 @@ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", "searchValue": "", "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", - "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)" + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json index 9d3a92ff395..44adcf20eea 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.S3Bucket.Properties", "searchValue": "", "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", - "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty" + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Server-side-encryption", @@ -21,6 +22,7 @@ "searchKey": "Resources.S3Bucket.Properties", "searchValue": "", "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", - "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty" + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json index 0f708de9840..19c99d1d6f1 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.S3Bucket", "searchValue": "", "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -21,7 +22,8 @@ "searchKey": "Resources.S3Bucket33", "searchValue": "", "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -33,7 +35,8 @@ "searchKey": "Resources.S3Bucket2", "searchValue": "", "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -45,7 +48,8 @@ "searchKey": "Resources.S3Bucket3", "searchValue": "", "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -57,7 +61,8 @@ "searchKey": "Resources.S3Bucket4", "searchValue": "", "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -69,7 +74,8 @@ "searchKey": "Resources.S3Bucket5", "searchValue": "", "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -81,7 +87,8 @@ "searchKey": "Resources.S3Bucket6", "searchValue": "", "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -93,7 +100,8 @@ "searchKey": "Resources.S3Bucket", "searchValue": "", "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -105,7 +113,8 @@ "searchKey": "Resources.S3Bucket2", "searchValue": "", "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -117,7 +126,8 @@ "searchKey": "Resources.S3Bucket4", "searchValue": "", "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -129,7 +139,8 @@ "searchKey": "Resources.S3Bucket5", "searchValue": "", "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -141,7 +152,8 @@ "searchKey": "Resources.S3Bucket6", "searchValue": "", "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy" + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", @@ -153,6 +165,7 @@ "searchKey": "Resources.S3Bucket33", "searchValue": "", "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", - "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL" + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 7d204a174be..638e1ffd783 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.RecordServiceS3Bucket.Properties", "searchValue": "", "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", - "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined" + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -21,7 +22,8 @@ "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", "searchValue": "", "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", - "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Versioning", @@ -33,7 +35,8 @@ "searchKey": "Resources.RecordServiceS3Bucket.Properties", "searchValue": "", "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", - "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined" + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -45,6 +48,7 @@ "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", "searchValue": "", "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", - "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended" + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json index e8368628307..20bb9a02468 100644 --- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Bucket2.Properties", "searchValue": "", "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", - "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined" + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue" }, { "queryName": "S3 Static Website Host Enabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.Bucket2.Properties", "searchValue": "", "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", - "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined" + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json index 50574944d56..c6094da99fb 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicNotebookInstance.Properties", "searchValue": "", "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", - "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined" + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SageMaker Data Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", "searchValue": "", "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", - "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SageMaker Data Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", "searchValue": "", "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", - "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty" + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SageMaker Data Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.BasicNotebookInstance.Properties", "searchValue": "", "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", - "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined" + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json index 69db90092c4..4e6e66bb4e8 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", "searchValue": "", "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", - "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled" + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue" }, { "queryName": "SageMaker Enabling Internet Access", @@ -21,6 +22,7 @@ "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", "searchValue": "", "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", - "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled" + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json index 101d8eae620..cf98d49e0bd 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.EndpointConfig.Properties", "searchValue": "", "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", - "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined" + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute", @@ -21,6 +22,7 @@ "searchKey": "Resources.EndpointConfig.Properties", "searchValue": "", "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", - "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined" + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json index e1d7e7f4012..241eda5e1d6 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NotebookInstance.Properties.SubnetId", "searchValue": "", "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", - "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined" + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SageMaker Notebook Not Placed In VPC", @@ -21,6 +22,7 @@ "searchKey": "Resources.NotebookInstance.Properties.SubnetId", "searchValue": "", "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", - "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined" + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json index a4abb1c1f86..3fa8c5f6c91 100644 --- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SBDDomain", "searchValue": "", "expectedValue": "Resources.SBDDomain should not be defined", - "actualValue": "Resources.SBDDomain is defined" + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute" }, { "queryName": "SDB Domain Declared As A Resource", @@ -21,6 +22,7 @@ "searchKey": "Resources.SBDDomain", "searchValue": "", "expectedValue": "Resources.SBDDomain should not be defined", - "actualValue": "Resources.SBDDomain is defined" + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json index 11c1b86ec96..1aa1dd6ad65 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SecretsManagerSecret.Properties", "searchValue": "", "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", - "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined" + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Secrets Manager Should Specify KmsKeyId", @@ -21,6 +22,7 @@ "searchKey": "Resources.SecretsManagerSecret.Properties", "searchValue": "", "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", - "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined" + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 99a9c47267a..a0a37ee5070 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MySecret.Properties", "searchValue": "", "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", - "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null" + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Secretsmanager Secret Without KMS", @@ -21,7 +22,8 @@ "searchKey": "Resources.MySecret.Properties", "searchValue": "", "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", - "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null" + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Secretsmanager Secret Without KMS", @@ -33,7 +35,8 @@ "searchKey": "Resources.MySecretB.Properties.KmsKeyId", "searchValue": "", "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", - "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Secretsmanager Secret Without KMS", @@ -45,6 +48,7 @@ "searchKey": "Resources.MySecretB.Properties.KmsKeyId", "searchValue": "", "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", - "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null" + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json index ba8b3fa0aa9..4361a6e0e07 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", - "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue" }, { "queryName": "Secure Ciphers Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", - "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue" }, { "queryName": "Secure Ciphers Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", "searchValue": "", "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", - "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2" + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json index 63ebb37cecb..4dcc1e6651b 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", @@ -21,7 +22,8 @@ "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", - "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world" + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", @@ -45,6 +48,7 @@ "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", - "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world" + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json index f24aad6d38c..8dc012c9c23 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With All Protocols", @@ -21,7 +22,8 @@ "searchKey": "Resources.OutboundRule.Properties.IpProtocol", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", - "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'" + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With All Protocols", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With All Protocols", @@ -45,6 +48,7 @@ "searchKey": "Resources.OutboundRule.Properties.IpProtocol", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", - "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'" + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json index 217e6f20759..d85b2bd21c9 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", @@ -21,7 +22,8 @@ "searchKey": "Resources.OutboundRule.Properties", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", - "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort" + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", @@ -45,6 +48,7 @@ "searchKey": "Resources.OutboundRule.Properties", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", - "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort" + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json index 25c324350dc..82872b5effd 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", @@ -21,7 +22,8 @@ "searchKey": "Resources.InboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", @@ -33,7 +35,8 @@ "searchKey": "Resources.InboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128" + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", @@ -45,6 +48,7 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json index f8866739f61..1554e2db865 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With All Protocols", @@ -21,7 +22,8 @@ "searchKey": "Resources.InboundRule.Properties.IpProtocol", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", - "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With All Protocols", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With All Protocols", @@ -45,6 +48,7 @@ "searchKey": "Resources.InboundRule.Properties.IpProtocol", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", - "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'" + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json index f40b2adba09..5ee98d71926 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With Port Range", @@ -21,7 +22,8 @@ "searchKey": "Resources.InboundRule.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", - "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort" + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With Port Range", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With Port Range", @@ -45,6 +48,7 @@ "searchKey": "Resources.InboundRule.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", - "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort" + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json index 6399dc8c05e..9a6d5b35dfa 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -21,7 +22,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -33,7 +35,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -45,7 +48,8 @@ "searchKey": "Resources.OutboundRule.Properties", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.Description should be set", - "actualValue": "Resources.OutboundRule.Properties.Description is undefined" + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -57,7 +61,8 @@ "searchKey": "Resources.InboundRule.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.Description should be set", - "actualValue": "Resources.InboundRule.Properties.Description is undefined" + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -69,7 +74,8 @@ "searchKey": "Resources.LegacySecurityGroup.Properties", "searchValue": "", "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -81,7 +87,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -93,7 +100,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -105,7 +113,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -117,7 +126,8 @@ "searchKey": "Resources.OutboundRule.Properties", "searchValue": "", "expectedValue": "Resources.OutboundRule.Properties.Description should be set", - "actualValue": "Resources.OutboundRule.Properties.Description is undefined" + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -129,7 +139,8 @@ "searchKey": "Resources.InboundRule.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.Description should be set", - "actualValue": "Resources.InboundRule.Properties.Description is undefined" + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -141,6 +152,7 @@ "searchKey": "Resources.LegacySecurityGroup.Properties", "searchValue": "", "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", - "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined" + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json index 0b2afca1b33..75c508498e8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", - "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1_egress_ipv4.Properties", "searchValue": "", "expectedValue": "'Resources.Positive1_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", - "actualValue": "'Resources.Positive1_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." + "actualValue": "'Resources.Positive1_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1_egress_ipv6.Properties", "searchValue": "", "expectedValue": "'Resources.Positive1_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive2_egress_ipv6.Properties", "searchValue": "", "expectedValue": "'Resources.Positive2_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", - "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." + "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", - "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." + "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -81,7 +87,8 @@ "searchKey": "Resources.Positive3_egress_ipv4.Properties", "searchValue": "", "expectedValue": "'Resources.Positive3_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", - "actualValue": "'Resources.Positive3_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'." + "actualValue": "'Resources.Positive3_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -93,7 +100,8 @@ "searchKey": "Resources.Positive3_egress_ipv6.Properties", "searchValue": "", "expectedValue": "'Resources.Positive3_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", "searchValue": "", "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", - "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'." + "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", @@ -117,6 +126,7 @@ "searchKey": "Resources.Positive4_egress_ipv6.Properties", "searchValue": "", "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", - "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'." + "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json index e4a8321cae8..60cf121d82b 100644 --- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", - "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389" + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Unrestricted Access To RDP", @@ -21,6 +22,7 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", - "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389" + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json index fc84292aa77..debaf896792 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -81,7 +87,8 @@ "searchKey": "Resources.Positive2_ingress_ipv4.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -93,7 +100,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -117,7 +126,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -129,7 +139,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive2_ingress_ipv4.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", @@ -189,6 +204,7 @@ "searchKey": "Resources.Positive1_ingress_ipv6.Properties", "searchValue": "", "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", - "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389" + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json index bc4ebfd6e72..829f04cc12b 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -81,7 +87,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -93,7 +100,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -117,7 +126,8 @@ "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -129,7 +139,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", - "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'." + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", @@ -189,6 +204,7 @@ "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", "searchValue": "", "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", - "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open." + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json index e0f44dfe275..e3dcd832068 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -33,7 +35,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -45,7 +48,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -81,7 +87,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -93,7 +100,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -105,7 +113,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -117,7 +126,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -129,7 +139,8 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -141,7 +152,8 @@ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -177,7 +191,8 @@ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -189,7 +204,8 @@ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -201,7 +217,8 @@ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", - "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)" + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -213,7 +230,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -225,7 +243,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -237,7 +256,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -249,7 +269,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -261,6 +282,7 @@ "searchKey": "Resources.IPv6Ingress3.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", - "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)" + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json index e00fb3be657..f34bd23c196 100644 --- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", - "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Groups Without VPC Attached", @@ -21,6 +22,7 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", - "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined" + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json index a692c7a7c9d..078306d265c 100644 --- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.HostedZone", "searchValue": "", "expectedValue": "Resources.HostedZone has shield advanced associated", - "actualValue": "Resources.HostedZone does not have shield advanced associated" + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute" }, { "queryName": "Shield Advanced Not In Use", @@ -21,6 +22,7 @@ "searchKey": "Resources.HostedZone", "searchValue": "", "expectedValue": "Resources.HostedZone has shield advanced associated", - "actualValue": "Resources.HostedZone does not have shield advanced associated" + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 048f37dc9dd..21b09c5811e 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "Resources.mysnspolicy0.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" + "actualValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -45,6 +48,7 @@ "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", - "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal" + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 19a619113c8..904204c936e 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", - "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction" + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", @@ -21,6 +22,7 @@ "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", - "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction" + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json index a8c5f931d10..27ff35447df 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MySNSTopic.Properties", "searchValue": "", "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", - "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined" + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SNS Topic Without KmsMasterKeyId", @@ -21,6 +22,7 @@ "searchKey": "Resources.MySNSTopic.Properties", "searchValue": "", "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", - "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined" + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json index a90290583f5..68b6fc5fbea 100644 --- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -21,7 +22,8 @@ "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -33,7 +35,8 @@ "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -45,6 +48,7 @@ "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", "searchValue": "", "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", - "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission" + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json index eb331bf69a5..d2ca6e027c3 100644 --- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyQueue.Properties", "searchValue": "", "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", - "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyQueue2.Properties", "searchValue": "", "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", - "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyQueue.Properties", "searchValue": "", "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", - "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyQueue2.Properties", "searchValue": "", "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", - "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled" + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json index d187c03d952..8fa841e6bfc 100644 --- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myStackWithParams.Properties", "searchValue": "", "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", - "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined" + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Notifications Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.myStackWithParams.Properties", "searchValue": "", "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", - "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined" + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json index 73ca9dc6939..c8f46c01e35 100644 --- a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", "searchValue": "", "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", - "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.stackset4.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -33,7 +35,8 @@ "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", "searchValue": "", "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -45,7 +48,8 @@ "searchKey": "Resources.stackset6.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", - "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -57,7 +61,8 @@ "searchKey": "Resources.stackset7.Properties", "searchValue": "", "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", - "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -69,7 +74,8 @@ "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", "searchValue": "", "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", - "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" + "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -81,7 +87,8 @@ "searchKey": "Resources.stackset9.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" + "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -93,7 +100,8 @@ "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", "searchValue": "", "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false" + "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -105,7 +113,8 @@ "searchKey": "Resources.stackset11.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", - "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined" + "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -117,7 +126,8 @@ "searchKey": "Resources.stackset12.Properties", "searchValue": "", "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", - "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined" + "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -129,7 +139,8 @@ "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", "searchValue": "", "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", - "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false" + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -141,7 +152,8 @@ "searchKey": "Resources.stackset4.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", - "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined" + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -153,7 +165,8 @@ "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", "searchValue": "", "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", - "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false" + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -165,7 +178,8 @@ "searchKey": "Resources.stackset6.Properties.AutoDeployment", "searchValue": "", "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", - "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined" + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", @@ -177,6 +191,7 @@ "searchKey": "Resources.stackset7.Properties", "searchValue": "", "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", - "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined" + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json index 4948f2761c1..63d12c374e5 100644 --- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.noRoles", "searchValue": "", "expectedValue": "'Resources.noRoles.Roles' should be set", - "actualValue": "'Resources.noRoles.Roles' is undefined" + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", @@ -21,7 +22,8 @@ "searchKey": "Resources.noUsers", "searchValue": "", "expectedValue": "'Resources.noUsers.Users' should be set", - "actualValue": "'Resources.noUsers.Users' is undefined" + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", @@ -33,7 +35,8 @@ "searchKey": "Resources.noGroups", "searchValue": "", "expectedValue": "'Resources.noGroups.Groups' should be set", - "actualValue": "'Resources.noGroups.Groups' is undefined" + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", @@ -45,7 +48,8 @@ "searchKey": "Resources.noRoles", "searchValue": "", "expectedValue": "'Resources.noRoles.Roles' should be set", - "actualValue": "'Resources.noRoles.Roles' is undefined" + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", @@ -57,7 +61,8 @@ "searchKey": "Resources.noUsers", "searchValue": "", "expectedValue": "'Resources.noUsers.Users' should be set", - "actualValue": "'Resources.noUsers.Users' is undefined" + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", @@ -69,6 +74,7 @@ "searchKey": "Resources.noGroups", "searchValue": "", "expectedValue": "'Resources.noGroups.Groups' should be set", - "actualValue": "'Resources.noGroups.Groups' is undefined" + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index 7a36bc94f59..09937f2e5c5 100644 --- a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -45,7 +48,8 @@ "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -57,7 +61,8 @@ "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -69,7 +74,8 @@ "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -81,7 +87,8 @@ "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -93,7 +100,8 @@ "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -105,7 +113,8 @@ "searchKey": "Resources.MyDBInstance.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -117,7 +126,8 @@ "searchKey": "Resources.MyDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -129,7 +139,8 @@ "searchKey": "Resources.MyDBInstance.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -141,6 +152,7 @@ "searchKey": "Resources.MyDBCluster.Properties", "searchValue": "", "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", - "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined" + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json index 85a31735ed9..3769f7565f2 100644 --- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InboundRule2.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", - "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined" + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -21,7 +22,8 @@ "searchKey": "Resources.InboundRule3.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", - "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined" + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -33,7 +35,8 @@ "searchKey": "Resources.InboundRule4.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", - "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined" + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -45,7 +48,8 @@ "searchKey": "Resources.InboundRule5.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", - "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -57,7 +61,8 @@ "searchKey": "Resources.InboundRule2.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", - "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined" + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -69,7 +74,8 @@ "searchKey": "Resources.InboundRule3.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", - "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined" + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -81,7 +87,8 @@ "searchKey": "Resources.InboundRule4.Properties", "searchValue": "", "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", - "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined" + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", @@ -93,6 +100,7 @@ "searchKey": "Resources.InboundRule5.Properties.PortRange", "searchValue": "", "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", - "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports" + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 56f0dc2ccda..95a73193823 100644 --- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -21,7 +22,8 @@ "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -33,7 +35,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -45,7 +48,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -57,7 +61,8 @@ "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -69,7 +74,8 @@ "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -81,7 +87,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -93,7 +100,8 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -105,7 +113,8 @@ "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -117,7 +126,8 @@ "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -129,7 +139,8 @@ "searchKey": "Resources.IPv4Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -141,7 +152,8 @@ "searchKey": "Resources.IPv4Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -153,7 +165,8 @@ "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -165,7 +178,8 @@ "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", "searchValue": "", "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", - "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet" + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -177,7 +191,8 @@ "searchKey": "Resources.IPv6Ingress1.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -189,6 +204,7 @@ "searchKey": "Resources.IPv6Ingress2.Properties", "searchValue": "", "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", - "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet" + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index b449c7da75d..01db2fa3e4c 100644 --- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -21,7 +22,8 @@ "searchKey": "Resources.InboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -33,7 +35,8 @@ "searchKey": "Resources.InboundRule.Properties.CidrIpv6", "searchValue": "", "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", - "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)" + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -45,6 +48,7 @@ "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", "searchValue": "", "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", - "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)" + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json index 7cc8d435010..c539ad2880a 100644 --- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyRepository3.Properties", "searchValue": "", "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", - "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined" + "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Unscanned ECR Image", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", "searchValue": "", "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", - "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false" + "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Unscanned ECR Image", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyRepository5.Properties", "searchValue": "", "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", - "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined" + "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Unscanned ECR Image", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", "searchValue": "", "expectedValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", - "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false" + "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 2fc3337ad1c..95c564b82f5 100644 --- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myLaunchConfig3.Properties.UserData", "searchValue": "", "expectedValue": "'Resources.myLaunchConfig3.Properties.UserData' shouldn't contain RSA Private Key", - "actualValue": "'Resources.myLaunchConfig3.Properties.UserData' contains RSA Private Key" + "actualValue": "'Resources.myLaunchConfig3.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue" }, { "queryName": "User Data Contains Encoded Private Key", @@ -21,6 +22,7 @@ "searchKey": "Resources.myLaunchConfig4.Properties.UserData", "searchValue": "", "expectedValue": "'Resources.myLaunchConfig4.Properties.UserData' shouldn't contain RSA Private Key", - "actualValue": "'Resources.myLaunchConfig4.Properties.UserData' contains RSA Private Key" + "actualValue": "'Resources.myLaunchConfig4.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json index 076bde69639..3ec53ab3732 100644 --- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", - "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Without Password Reset", @@ -21,7 +22,8 @@ "searchKey": "Resources.newuser.Properties.LoginProfile", "searchValue": "", "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", - "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", @@ -33,7 +35,8 @@ "searchKey": "Resources.topuser.Properties", "searchValue": "", "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", - "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", @@ -45,7 +48,8 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", - "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Without Password Reset", @@ -57,7 +61,8 @@ "searchKey": "Resources.newuser.Properties.LoginProfile", "searchValue": "", "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", - "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property" + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", @@ -69,7 +74,8 @@ "searchKey": "Resources.topuser.Properties", "searchValue": "", "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", - "actualValue": "'Resources.topuser.Properties' does not include LoginProfile" + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", @@ -81,6 +87,7 @@ "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", "searchValue": "", "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", - "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false" + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json index 94322f33c65..58508114460 100644 --- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myVPC", "searchValue": "", "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", - "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)" + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue" }, { "queryName": "VPC Attached With Too Many Gateways", @@ -21,6 +22,7 @@ "searchKey": "Resources.myVPC", "searchValue": "", "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", - "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)" + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index 0326d049be1..2d10a9a40ba 100644 --- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyVPC", "searchValue": "", "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", - "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated" + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute" }, { "queryName": "VPC FlowLogs Disabled", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyVPC", "searchValue": "", "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", - "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated" + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json index 548a14e7988..0b7440fe893 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myVPC_1", "searchValue": "", "expectedValue": "'Resources.myVPC_1' should be attached to resources", - "actualValue": "'Resources.myVPC_1' is not attached to resources" + "actualValue": "'Resources.myVPC_1' is not attached to resources", + "issueType": "MissingAttribute" }, { "queryName": "VPC Without Attached Subnet", @@ -21,6 +22,7 @@ "searchKey": "Resources.myVPC_1", "searchValue": "", "expectedValue": "'Resources.myVPC_1' should be attached to resources", - "actualValue": "'Resources.myVPC_1' is not attached to resources" + "actualValue": "'Resources.myVPC_1' is not attached to resources", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json index 0a5e73e0b8c..1e72eaa1af7 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myVPC11", "searchValue": "", "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", - "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall" + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall", + "issueType": "MissingAttribute" }, { "queryName": "VPC Without Network Firewall", @@ -21,6 +22,7 @@ "searchKey": "Resources.myVPC11", "searchValue": "", "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", - "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall" + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 576b1448a3a..03c316c4175 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", "searchValue": "MinimumProtocolVersion", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -21,7 +22,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", "searchValue": "SslSupportMethod", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -33,7 +35,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'.", + "issueType": "IncorrectValue" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -45,7 +48,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", "searchValue": "MinimumProtocolVersion", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -57,7 +61,8 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", "searchValue": "SslSupportMethod", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined" + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -69,6 +74,7 @@ "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", "searchValue": "", "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", - "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'." + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json index 16536eacce4..0211788f576 100644 --- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", "searchValue": "", "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", - "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW" + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Web ACL Default Action", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", "searchValue": "", "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", - "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW" + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json index 0e1366a5e2b..e17d11ff591 100644 --- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Certificate.Properties.DomainName", "searchValue": "", "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", - "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'" + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "Wildcard In ACM Certificate Domain Name", @@ -21,6 +22,7 @@ "searchKey": "Resources.Certificate.Properties.DomainName", "searchValue": "", "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", - "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'" + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json index d60af33c334..4dd5710e072 100644 --- a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyWorkSpace.Properties", "searchValue": "", "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", - "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set" + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute" }, { "queryName": "Workspace Without Encryption", @@ -21,7 +22,8 @@ "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", - "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true" + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Workspace Without Encryption", @@ -33,7 +35,8 @@ "searchKey": "Resources.MyWorkSpace.Properties", "searchValue": "", "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", - "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set" + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute" }, { "queryName": "Workspace Without Encryption", @@ -45,6 +48,7 @@ "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", "searchValue": "", "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", - "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true" + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json index 36f12f1aaa1..4a835802b3c 100644 --- a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.myNewTable1", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Cassandra", @@ -21,6 +22,7 @@ "searchKey": "Resources.myNewTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json index 9f2b1d1f490..76519ad45d6 100644 --- a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -21,7 +22,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -33,7 +35,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -45,7 +48,8 @@ "searchKey": "Resources.DynamoDBOnDemandTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -57,6 +61,7 @@ "searchKey": "Resources.DynamoDBOnDemandTable2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json index 8be7b6b73b8..c08c496a934 100644 --- a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -21,7 +22,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -33,7 +35,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -45,7 +48,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -57,7 +61,8 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -69,6 +74,7 @@ "searchKey": "Resources.NewVolume", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json index 1521c2d1d1e..783176d5fff 100644 --- a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.FileSystemResource", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", @@ -21,7 +22,8 @@ "searchKey": "Resources.FileSystemResource", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", @@ -33,7 +35,8 @@ "searchKey": "Resources.FileSystemResource", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", @@ -45,6 +48,7 @@ "searchKey": "Resources.FileSystemResource", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json index 7a19222038e..431081e0fcf 100644 --- a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ElasticacheCluster", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -21,7 +22,8 @@ "searchKey": "Resources.ElasticacheCluster", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -33,6 +35,7 @@ "searchKey": "Resources.ElasticacheCluster", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json index 3112db77d21..7624332c3ab 100644 --- a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyStream", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Kinesis", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyStream2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json index b8a18b65e73..8778877a1a2 100644 --- a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.BasicBroker", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MQ", @@ -21,7 +22,8 @@ "searchKey": "Resources.BasicBroker2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MQ", @@ -33,6 +35,7 @@ "searchKey": "Resources.BasicBroker", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json index b26c8a8039e..c8fbf2f5809 100644 --- a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.TestCluster", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MSK", @@ -21,6 +22,7 @@ "searchKey": "Resources.TestCluster3", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json index 26495d6dd78..36a0ede1af8 100644 --- a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.DBInstanceSample1", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -21,7 +22,8 @@ "searchKey": "Resources.DBInstanceSample2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -33,7 +35,8 @@ "searchKey": "Resources.DBInstanceRefSample2", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -45,7 +48,8 @@ "searchKey": "Resources.DBInstanceSample3", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -57,7 +61,8 @@ "searchKey": "Resources.DBInstanceRefSample3", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -69,7 +74,8 @@ "searchKey": "Resources.DBInstanceSample4", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -81,7 +87,8 @@ "searchKey": "Resources.DBInstanceSample5", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -93,7 +100,8 @@ "searchKey": "Resources.DBInstanceSample6", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -105,6 +113,7 @@ "searchKey": "Resources.DBInstanceSample5", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json index 2504e450c28..9dea73b01b4 100644 --- a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyBucket", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -21,6 +22,7 @@ "searchKey": "Resources.JenkinsArtifacts03", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json index cc94b9502b4..81114bfcec6 100644 --- a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.SnsTopic", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", @@ -21,6 +22,7 @@ "searchKey": "Resources.SnsTopic", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json index d4391fe7d26..e222aa57b14 100644 --- a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.MyQueue", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", @@ -21,6 +22,7 @@ "searchKey": "Resources.MyQueue", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 17122460ba1..db2d62cfccd 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) is undefined or null" + "actualValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Access Logging Setting Undefined", @@ -21,6 +22,7 @@ "searchKey": "Resources.HttpApi.Properties", "searchValue": "", "expectedValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) should be defined and not null", - "actualValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) is undefined or null" + "actualValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json index d9f65d6a43a..b9eac517ef5 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null" + "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Cache Cluster Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API Cache Cluster Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", - "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false" + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 77cbc417c12..82f9b86c596 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", "expectedValue": "'Resources.ApiGatewayApi.EndpointConfiguration' should be defined and not null", - "actualValue": "'Resources.ApiGatewayApi.EndpointConfiguration' is undefined or null" + "actualValue": "'Resources.ApiGatewayApi.EndpointConfiguration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Endpoint Config Not Private", @@ -21,7 +22,8 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.EndpointConfiguration", "searchValue": "", "expectedValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' should be defined and not null", - "actualValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' is undefined or null" + "actualValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Endpoint Config Not Private", @@ -33,6 +35,7 @@ "searchKey": "Resources.ApiGatewayApi3.Properties.EndpointConfiguration.Types", "searchValue": "", "expectedValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' should contain 'PRIVATE'", - "actualValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' does not contain 'PRIVATE'" + "actualValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json index 001f7fd30c0..3ae1477336b 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize is not defined or null" + "actualValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize is not defined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Without Content Encoding", @@ -21,7 +22,8 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" + "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API Without Content Encoding", @@ -33,6 +35,7 @@ "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759" + "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 84f0cffe7db..f0ebc529be8 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.ApiGatewayApi.Properties", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", - "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null" + "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API X-Ray Tracing Disabled", @@ -21,7 +22,8 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", - "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false" + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API X-Ray Tracing Disabled", @@ -33,6 +35,7 @@ "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", "searchValue": "", "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", - "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false" + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 41347aff1c2..e388795c3ce 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "'Resources.Function.Properties.KmsKeyArn' should be defined and not null", - "actualValue": "'Resources.Function.Properties.KmsKeyArn' is undefined or null" + "actualValue": "'Resources.Function.Properties.KmsKeyArn' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index e6f93907520..0b03cf2753b 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", - "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null" + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json index 7c7911b51cd..b440b41f38e 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "Resources.Function.Properties", "searchValue": "", "expectedValue": "'Resources.Function.Properties.Tags' should be defined and not null", - "actualValue": "'Resources.Function.Properties.Tags' is undefined or null" + "actualValue": "'Resources.Function.Properties.Tags' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 8ccf40ad17a..8e8058d47b1 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Function1.Properties.Role", "searchValue": "", "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", - "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", @@ -21,7 +22,8 @@ "searchKey": "Resources.Function2.Properties.Role", "searchValue": "", "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", - "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", @@ -33,7 +35,8 @@ "searchKey": "Resources.Function1.Properties.Role", "searchValue": "", "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", - "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", @@ -45,6 +48,7 @@ "searchKey": "Resources.Function2.Properties.Role", "searchValue": "", "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", - "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion" + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index a0f70d66bd0..d2fb58e3ff0 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "Resources.Function1.Properties", "searchValue": "", "expectedValue": "Property 'TracingConfig' should be defined and not null", - "actualValue": "Property 'TracingConfig' is undefined or null" + "actualValue": "Property 'TracingConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless Function Without X-Ray Tracing", @@ -21,6 +22,7 @@ "searchKey": "Resources.Function2.Properties.Tracing", "searchValue": "", "expectedValue": "'Tracing' should be set to 'Active'", - "actualValue": "'Tracing' is set to 'PassThrough'" + "actualValue": "'Tracing' is set to 'PassThrough'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index 31ca12db562..c321548d307 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", @@ -21,7 +22,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", @@ -33,7 +35,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", @@ -45,7 +48,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", @@ -57,7 +61,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", @@ -69,7 +74,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", @@ -81,7 +87,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -93,7 +100,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", @@ -105,7 +113,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", @@ -117,7 +126,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", @@ -129,7 +139,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Asymmetric private key", @@ -141,7 +152,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Access Key", @@ -153,7 +165,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Secret Key", @@ -165,7 +178,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Access Key", @@ -177,7 +191,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Secret Key", @@ -189,7 +204,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", @@ -201,7 +217,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", @@ -213,7 +230,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -225,7 +243,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth", @@ -237,7 +256,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Token", @@ -249,7 +269,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -261,7 +282,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Stripe API Key", @@ -273,7 +295,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google API Key", @@ -285,7 +308,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Heroku API Key", @@ -297,7 +321,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", @@ -309,7 +334,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic API Key", @@ -321,7 +347,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Square Access Token", @@ -333,7 +360,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Picatic API Key", @@ -345,7 +373,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Amazon MWS Auth Token", @@ -357,7 +386,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MailChimp API Key", @@ -369,7 +399,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - SendGrid API Key", @@ -381,7 +412,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Private Key", @@ -393,7 +425,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", @@ -405,7 +438,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", @@ -417,7 +451,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", @@ -429,7 +464,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Mailgun API Key", @@ -441,7 +477,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -453,7 +490,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Stripe Restricted API Key", @@ -465,7 +503,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Twilio API Key", @@ -477,7 +516,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - PayPal Braintree Access Token", @@ -489,7 +529,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Facebook Access Token", @@ -501,7 +542,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Square OAuth Secret", @@ -513,7 +555,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth Access Token", @@ -525,7 +568,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Putty User Key File Content", @@ -537,7 +581,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -549,7 +594,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - CloudFormation Secret Template", @@ -561,7 +607,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -573,7 +620,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -585,7 +633,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Context-specific credential", @@ -597,7 +646,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Certificate", @@ -609,7 +659,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Asymmetric private key", @@ -621,7 +672,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Access Key", @@ -633,7 +685,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", @@ -645,7 +698,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -657,7 +711,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -669,7 +724,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -681,7 +737,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -693,7 +750,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth", @@ -705,7 +763,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -717,7 +776,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -729,7 +789,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Private Key", @@ -741,7 +802,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -753,7 +815,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", @@ -765,7 +828,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", @@ -777,7 +841,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", @@ -789,7 +854,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -801,7 +867,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -813,7 +880,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -825,7 +893,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -837,7 +906,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", @@ -849,7 +919,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -861,7 +932,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -873,7 +945,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -885,7 +958,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -897,7 +971,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -909,7 +984,8 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", @@ -921,6 +997,7 @@ "searchKey": "", "searchValue": "", "expectedValue": "Hardcoded secret key should not appear in source", - "actualValue": "Hardcoded secret key appears in source" + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" } ] diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 268be93d0cf..3bceb7d2fd4 100644 --- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be set to true", - "actualValue": "CloudFront logging enabled attribute is set to false" + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be set to true", - "actualValue": "CloudFront logging enabled attribute is set to false" + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront logging is not defined" + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -45,7 +48,8 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront logging is not defined" + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront enable is not defined" + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", @@ -69,6 +74,7 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", "searchValue": "", "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", - "actualValue": "CloudFront enable is not defined" + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 1c6fba2f4c5..a141c22534a 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", - "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", - "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016" + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'viewerCertificate' is not defined" + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -45,7 +48,8 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'viewerCertificate' is not defined" + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'minimumProtocolVersion' is not defined" + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -69,6 +74,7 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", "searchValue": "", "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", - "actualValue": "'minimumProtocolVersion' is not defined" + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json index 599f562d815..d5bed5f4808 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "'webACLID' should be defined", - "actualValue": "'webACLID' is not defined" + "actualValue": "'webACLID' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without WAF", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", "searchValue": "", "expectedValue": "'webACLID' should be defined", - "actualValue": "'webACLID' is not defined" + "actualValue": "'webACLID' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index e9f7a4945ed..2fe9fc2fa4e 100644 --- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is set to a invalid value" + "actualValue": "retentionInDays is set to a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{lg-4}}.spec.forProvider.retentionInDays", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is set to a invalid value" + "actualValue": "retentionInDays is set to a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{lg-5}}.spec.forProvider", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is undefined" + "actualValue": "retentionInDays is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -45,6 +48,7 @@ "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider", "searchValue": "", "expectedValue": "retentionInDays should be set to a valid value", - "actualValue": "retentionInDays is undefined" + "actualValue": "retentionInDays is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index f780445fe4c..f326f4668c8 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{rds3}}.spec.forProvider.storageEncrypted", "searchValue": "", "expectedValue": "storageEncrypted should be set to true", - "actualValue": "storageEncrypted is set to false" + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{rds4}}.spec.forProvider.storageEncrypted", "searchValue": "", "expectedValue": "storageEncrypted should be set to true", - "actualValue": "storageEncrypted is set to false" + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": ".metadata.name={{rds5}}.spec.forProvider", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -45,6 +48,7 @@ "searchKey": "spec.resources.base..metadata.name={{rds6}}.spec.forProvider", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json index f03da4c3024..e2ab7118ed2 100644 --- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ingress rule should not contain '0.0.0.0/0'", - "actualValue": "ingress rule contains '0.0.0.0/0'" + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Has Public Interface", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", "searchValue": "", "expectedValue": "ingress rule should not contain '0.0.0.0/0'", - "actualValue": "ingress rule contains '0.0.0.0/0'" + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json index f3af297e096..5616621e8fc 100644 --- a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider", "searchValue": "", "expectedValue": "DBCluster.enableCloudwatchLogsExports should be defined", - "actualValue": "DBCluster.enableCloudwatchLogsExports is undefined" + "actualValue": "DBCluster.enableCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", "searchValue": "", "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: audit, profiler" + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: audit, profiler", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", "searchValue": "", "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: profiler" + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json index b43d00b635e..767e502692e 100644 --- a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example}}.spec.forProvider", "searchValue": "", "expectedValue": "Cluster.spec.forProvider.settings should be defined and have a ClusterSetting which name is 'containerInsights' with 'enabled' value", - "actualValue": "Cluster.spec.forProvider.settings is not defined" + "actualValue": "Cluster.spec.forProvider.settings is not defined", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{example}}.spec.forProvider.settings", "searchValue": "", "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", - "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value" + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{example}}.spec.forProvider.settings", "searchValue": "", "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", - "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value" + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json index a030c9df321..2689372110f 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", "searchValue": "", "expectedValue": "encrypted should be set to true", - "actualValue": "encrypted is set to false" + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider.encrypted", "searchValue": "", "expectedValue": "encrypted should be set to true", - "actualValue": "encrypted is set to false" + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{example5}}.spec.forProvider", "searchValue": "", "expectedValue": "encrypted should be defined and set to true", - "actualValue": "encrypted is not defined" + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Not Encrypted", @@ -45,6 +48,7 @@ "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", "searchValue": "", "expectedValue": "encrypted should be defined and set to true", - "actualValue": "encrypted is not defined" + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json index fd1feecc9b1..dd95c06767e 100644 --- a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example3}}.spec.forProvider", "searchValue": "", "expectedValue": "kmsKeyID should be defined", - "actualValue": "kmsKeyID is not defined" + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Without KMS", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider", "searchValue": "", "expectedValue": "kmsKeyID should be defined", - "actualValue": "kmsKeyID is not defined" + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 63737426ccd..39219ffeba1 100644 --- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{test-listener}}.spec.forProvider.sslPolicy", "searchValue": "", "expectedValue": "sslPolicy should use a secure protocol or cipher", - "actualValue": "sslPolicy is using a weak cipher" + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{test-listener2}}.spec.forProvider.sslPolicy", "searchValue": "", "expectedValue": "sslPolicy should use a secure protocol or cipher", - "actualValue": "sslPolicy is using a weak cipher" + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 8f2de4995d8..edcad6960ad 100644 --- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is not defined" + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.storageEncrypted", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is set to false" + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider.storageEncrypted", "searchValue": "", "expectedValue": "storageEncrypted should be defined and set to true", - "actualValue": "storageEncrypted is set to false" + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 0642c0580f0..3534ba369b2 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.publiclyAccessible", "searchValue": "", "expectedValue": "publiclyAccessible should be set to false", - "actualValue": "publiclyAccessible is set to true" + "actualValue": "publiclyAccessible is set to true", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", "searchValue": "", "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", - "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it" + "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 83095e16d34..071fc8f14c4 100644 --- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{test-queue3}}.spec.forProvider", "searchValue": "", "expectedValue": "kmsMasterKeyId should be defined", - "actualValue": "kmsMasterKeyId is not defined" + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{test-queue4}}.spec.forProvider", "searchValue": "", "expectedValue": "kmsMasterKeyId should be defined", - "actualValue": "kmsMasterKeyId is not defined" + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json index 609be2c3a80..f70fd5ca559 100644 --- a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", "searchValue": "", "expectedValue": "disableRBAC should be set to false", - "actualValue": "disableRBAC is set to true" + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue" }, { "queryName": "AKS RBAC Disabled", @@ -21,6 +22,7 @@ "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", "searchValue": "", "expectedValue": "disableRBAC should be set to false", - "actualValue": "disableRBAC is set to true" + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 3df89612441..70e33fdffa1 100644 --- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{azureRedis3}}.spec.forProvider.enableNonSslPort", "searchValue": "", "expectedValue": "enableNonSslPort should be set to false or undefined", - "actualValue": "enableNonSslPort is set to true" + "actualValue": "enableNonSslPort is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 1cbfa0bdecc..72722e2cce5 100644 --- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{bucketSample}}.spec", "searchValue": "", "expectedValue": "Bucket logging should be defined", - "actualValue": "Bucket logging is not defined" + "actualValue": "Bucket logging is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index ca33f06225f..05fb33cab97 100644 --- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", "searchValue": "", "expectedValue": "management should be defined with autoRepair set to true", - "actualValue": "management is not defined" + "actualValue": "management is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", "searchValue": "", "expectedValue": "autoRepair should be set to true", - "actualValue": "autoRepair is set to false" + "actualValue": "autoRepair is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json index 999c594978f..59ff5effdf4 100644 --- a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "services.iperfclient.cgroup_parent", "searchValue": "", "expectedValue": "Cgroup_parent should be undefined", - "actualValue": "Cgroup_parent is defined. Only use this when strictly required." + "actualValue": "Cgroup_parent is defined. Only use this when strictly required.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json index b216b285e8c..3367a79817a 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.webapp", "searchValue": "", "expectedValue": "Docker compose file to have 'cap_drop' attribute", - "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute" }, { "queryName": "Container Capabilities Unrestricted", @@ -21,7 +22,8 @@ "searchKey": "services.webapp.cap_add", "searchValue": "", "expectedValue": "Make sure you only add the necessary capabilities to your container.", - "actualValue": "Docker compose file has 'cap_add' attribute." + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", @@ -33,7 +35,8 @@ "searchKey": "services.webapp.cap_add", "searchValue": "", "expectedValue": "Make sure you only add the necessary capabilities to your container.", - "actualValue": "Docker compose file has 'cap_add' attribute." + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", @@ -45,7 +48,8 @@ "searchKey": "services.webapp.cap_add", "searchValue": "", "expectedValue": "Make sure you only add the necessary capabilities to your container.", - "actualValue": "Docker compose file has 'cap_add' attribute." + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", @@ -57,6 +61,7 @@ "searchKey": "services.webapp", "searchValue": "", "expectedValue": "Docker compose file to have 'cap_drop' attribute", - "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities." + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json index 112e4553581..48a1da16ac1 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", - "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" }, { "queryName": "Container Traffic Not Bound To Host Interface", @@ -21,7 +22,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", - "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" }, { "queryName": "Container Traffic Not Bound To Host Interface", @@ -33,6 +35,7 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", - "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface" + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json index 8f8fee222fc..5f852b4d893 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.zapzop.deploy.resources.limits", "searchValue": "", "expectedValue": "'deploy.resources.limits.cpus' should be defined", - "actualValue": "'deploy.resources.limits.cpus' is not defined" + "actualValue": "'deploy.resources.limits.cpus' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Cpus Not Limited", @@ -21,7 +22,8 @@ "searchKey": "services.criwhat", "searchValue": "", "expectedValue": "For cpus priority should be declared.", - "actualValue": "There is no cpus priority declared." + "actualValue": "There is no cpus priority declared.", + "issueType": "MissingAttribute" }, { "queryName": "Cpus Not Limited", @@ -33,7 +35,8 @@ "searchKey": "services.zapzop", "searchValue": "", "expectedValue": "'deploy.resources.limits.cpus' should be defined", - "actualValue": "'deploy' is not defined" + "actualValue": "'deploy' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Cpus Not Limited", @@ -45,7 +48,8 @@ "searchKey": "services.zapzop.deploy", "searchValue": "", "expectedValue": "'deploy.resources' should be defined", - "actualValue": "'deploy.resources' is not defined" + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Cpus Not Limited", @@ -57,7 +61,8 @@ "searchKey": "services.redis.deploy", "searchValue": "", "expectedValue": "'deploy.resources' should be defined", - "actualValue": "'deploy.resources' is not defined" + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Cpus Not Limited", @@ -69,6 +74,7 @@ "searchKey": "services.zapzop.deploy.resources", "searchValue": "", "expectedValue": "'deploy.resources.limits' should be defined", - "actualValue": "'deploy.resources.limits' is not defined" + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json index 6074dde60cd..9301ecb1d83 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.demo.security_opt", "searchValue": "", "expectedValue": "Seccomp default profile to not be disabled.", - "actualValue": "Seccomp default profile is disabled." + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue" }, { "queryName": "Default Seccomp Profile Disabled", @@ -21,6 +22,7 @@ "searchKey": "services.example.security_opt", "searchValue": "", "expectedValue": "Seccomp default profile to not be disabled.", - "actualValue": "Seccomp default profile is disabled." + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json index a88eef9f96f..e0d6a3574f3 100644 --- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "services.service1.volumes", "searchValue": "", "expectedValue": "To not have docker socket named 'docker.sock' mounted in a volume", - "actualValue": "There is a docker socket named 'docker.sock' mounted in a volume" + "actualValue": "There is a docker socket named 'docker.sock' mounted in a volume", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json index 1c36d0b3744..e73e4eb0589 100644 --- a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.lelele-service", "searchValue": "", "expectedValue": "Healthcheck should be defined.", - "actualValue": "Healthcheck is not defined." + "actualValue": "Healthcheck is not defined.", + "issueType": "MissingAttribute" }, { "queryName": "Healthcheck Not Set", @@ -21,7 +22,8 @@ "searchKey": "services.lelele-service.healthcheck.disable", "searchValue": "", "expectedValue": "Healthcheck should be enabled.", - "actualValue": "Healthcheck is disabled." + "actualValue": "Healthcheck is disabled.", + "issueType": "IncorrectValue" }, { "queryName": "Healthcheck Not Set", @@ -33,6 +35,7 @@ "searchKey": "services.lelele-service.healthcheck.test", "searchValue": "", "expectedValue": "Healthcheck should be enabled.", - "actualValue": "Healthcheck is disabled." + "actualValue": "Healthcheck is disabled.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json index da189b93119..681ab8af043 100644 --- a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.service_name_1.pid", "searchValue": "", "expectedValue": "There shouldn't be pid mode declared as host", - "actualValue": "There is a pid mode declared as host" + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue" }, { "queryName": "Host Namespace is Shared", @@ -21,7 +22,8 @@ "searchKey": "services.service_name_2.pid", "searchValue": "", "expectedValue": "There shouldn't be pid mode declared as host", - "actualValue": "There is a pid mode declared as host" + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue" }, { "queryName": "Host Namespace is Shared", @@ -33,6 +35,7 @@ "searchKey": "services.internal.pid", "searchValue": "", "expectedValue": "There shouldn't be pid mode declared as host", - "actualValue": "There is a pid mode declared as host" + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json index a79c98cfdc7..ff31cd36a7b 100644 --- a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.zapzop.deploy.resources.limits", "searchValue": "", "expectedValue": "'deploy.resources.limits.memory' should be defined", - "actualValue": "'deploy.resources.limits.memory' is not defined" + "actualValue": "'deploy.resources.limits.memory' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Not Limited", @@ -21,7 +22,8 @@ "searchKey": "services.criwhat", "searchValue": "", "expectedValue": "For mem_limit should be declared.", - "actualValue": "There is no mem_limit declared." + "actualValue": "There is no mem_limit declared.", + "issueType": "MissingAttribute" }, { "queryName": "Memory Not Limited", @@ -33,7 +35,8 @@ "searchKey": "services.zapzop", "searchValue": "", "expectedValue": "'deploy.resources.limits.memory' should be defined", - "actualValue": "'deploy' is not defined" + "actualValue": "'deploy' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Not Limited", @@ -45,7 +48,8 @@ "searchKey": "services.zapzop.deploy", "searchValue": "", "expectedValue": "'deploy.resources' should be defined", - "actualValue": "'deploy.resources' is not defined" + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Not Limited", @@ -57,7 +61,8 @@ "searchKey": "services.zapzop.deploy.resources", "searchValue": "", "expectedValue": "'deploy.resources.limits' should be defined", - "actualValue": "'deploy.resources.limits' is not defined" + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Not Limited", @@ -69,6 +74,7 @@ "searchKey": "services.redis.deploy", "searchValue": "", "expectedValue": "'deploy.resources' should be defined", - "actualValue": "'deploy.resources' is not defined" + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json index d6c8b511d4f..cbe6879f3a6 100644 --- a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.service-service-service.security_opt", "searchValue": "", "expectedValue": "no-new-privileges should be set in security_opt.", - "actualValue": "no-new-privileges is not set in security_opt" + "actualValue": "no-new-privileges is not set in security_opt", + "issueType": "MissingAttribute" }, { "queryName": "No New Privileges Not Set", @@ -21,6 +22,7 @@ "searchKey": "services.service-service-service.security_opt", "searchValue": "", "expectedValue": "no-new-privileges should be set in security_opt.", - "actualValue": "no-new-privileges is not set in security_opt" + "actualValue": "no-new-privileges is not set in security_opt", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json index 9aa8fd1fc1e..8680ec27ced 100644 --- a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.auth", "searchValue": "", "expectedValue": "Pids_limit should be defined.", - "actualValue": "Pids_limit is not defined." + "actualValue": "Pids_limit is not defined.", + "issueType": "MissingAttribute" }, { "queryName": "Pids Limit Not Set", @@ -21,6 +22,7 @@ "searchKey": "services.auth.pids_limit", "searchValue": "", "expectedValue": "Pids_limit should be limited.", - "actualValue": "Pids_limit is not limited." + "actualValue": "Pids_limit is not limited.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json index 59dc78bf972..2ff067e4b04 100644 --- a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.webapp.privileged", "searchValue": "", "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set", - "actualValue": "Docker compose file has 'privileged' attribute as true" + "actualValue": "Docker compose file has 'privileged' attribute as true", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Containers Enabled", @@ -21,6 +22,7 @@ "searchKey": "services.webapp.privileged", "searchValue": "", "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set", - "actualValue": "Docker compose file has 'privileged' attribute as true" + "actualValue": "Docker compose file has 'privileged' attribute as true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json index fe98f83384b..12504201b0e 100644 --- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.dhcpd.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -21,7 +22,8 @@ "searchKey": "services.dhcp_client.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -33,7 +35,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -45,7 +48,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -57,7 +61,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -69,7 +74,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -81,7 +87,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -93,7 +100,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -105,7 +113,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -117,7 +126,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -129,7 +139,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -141,7 +152,8 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" }, { "queryName": "Privileged Ports Mapped In Container", @@ -153,6 +165,7 @@ "searchKey": "services.webapp.ports", "searchValue": "", "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", - "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024)." + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json index a81de66ab40..2febc333310 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.customer.restart", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", - "actualValue": "on-failure restart attempts are not 5" + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" }, { "queryName": "Restart Policy On Failure Not Set To 5", @@ -21,7 +22,8 @@ "searchKey": "services.customer.deploy.restart_policy.max_attempts", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", - "actualValue": "on-failure restart attempts are not 5" + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" }, { "queryName": "Restart Policy On Failure Not Set To 5", @@ -33,7 +35,8 @@ "searchKey": "services.name_of_service.restart", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", - "actualValue": "on-failure restart attempts are not 5" + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" }, { "queryName": "Restart Policy On Failure Not Set To 5", @@ -45,7 +48,8 @@ "searchKey": "services.customer.restart", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", - "actualValue": "on-failure restart attempts are not 5" + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" }, { "queryName": "Restart Policy On Failure Not Set To 5", @@ -57,6 +61,7 @@ "searchKey": "services.customer.deploy.restart_policy.max_attempts", "searchValue": "", "expectedValue": "on-failure restart attempts should be 5", - "actualValue": "on-failure restart attempts are not 5" + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json index 359e44f9a7d..5201908f65b 100644 --- a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "services.webapp", "searchValue": "", "expectedValue": "Docker compose file to have 'security_opt' attribute", - "actualValue": "Docker compose file does not have 'security_opt' attribute" + "actualValue": "Docker compose file does not have 'security_opt' attribute", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json index 874e39666fd..6c4d1823789 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.webapp.privileged", "searchValue": "", "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set", - "actualValue": "Docker compose file has 'ipc' attribute as host" + "actualValue": "Docker compose file has 'ipc' attribute as host", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host IPC Namespace", @@ -21,6 +22,7 @@ "searchKey": "services.webapp.privileged", "searchValue": "", "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set", - "actualValue": "Docker compose file has 'ipc' attribute as host" + "actualValue": "Docker compose file has 'ipc' attribute as host", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json index d6cf0d7fbc7..ba31d4715fe 100644 --- a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "services.mongo.network_mode", "searchValue": "", "expectedValue": "There shouldn't be network mode declared as host", - "actualValue": "There is a network mode declared as host" + "actualValue": "There is a network mode declared as host", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json index b9413b201e6..15827711f59 100644 --- a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "services.service1.userns_mode", "searchValue": "", "expectedValue": "Attribute 'userns_mode' should not be set or not set to host", - "actualValue": "Attribute 'userns_mode' is set to host" + "actualValue": "Attribute 'userns_mode' is set to host", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json index 49bf1d74bbc..ef23bb84191 100644 --- a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.frontend.volumes", "searchValue": "shared", "expectedValue": "There shouldn't be volumes shared between containers", - "actualValue": "Volume ./logic:/app shared between containers" + "actualValue": "Volume ./logic:/app shared between containers", + "issueType": "IncorrectValue" }, { "queryName": "Shared Volumes Between Containers", @@ -21,7 +22,8 @@ "searchKey": "services.backend.volumes", "searchValue": "shared", "expectedValue": "There shouldn't be volumes shared between containers", - "actualValue": "Volume ./logic:/app shared between containers" + "actualValue": "Volume ./logic:/app shared between containers", + "issueType": "IncorrectValue" }, { "queryName": "Shared Volumes Between Containers", @@ -33,7 +35,8 @@ "searchKey": "services.app.volumes", "searchValue": "created-and-shared", "expectedValue": "There shouldn't be volumes created and shared between containers", - "actualValue": "Volume shared-volume created and shared between containers" + "actualValue": "Volume shared-volume created and shared between containers", + "issueType": "IncorrectValue" }, { "queryName": "Shared Volumes Between Containers", @@ -45,6 +48,7 @@ "searchKey": "services.checker.volumes", "searchValue": "created-and-shared", "expectedValue": "There shouldn't be volumes created and shared between containers", - "actualValue": "Volume shared-volume created and shared between containers" + "actualValue": "Volume shared-volume created and shared between containers", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json index b71575c3566..715d5f99fe4 100644 --- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.backup.volumes", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume", + "issueType": "IncorrectValue" }, { "queryName": "Volume Has Sensitive Host Directory", @@ -21,7 +22,8 @@ "searchKey": "volumes.vol.driver_opts.device", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume" + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume", + "issueType": "IncorrectValue" }, { "queryName": "Volume Has Sensitive Host Directory", @@ -33,7 +35,8 @@ "searchKey": "volumes.wp-content.driver_opts.mountpoint", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/var/data) mounted as a volume" + "actualValue": "There is a sensitive directory (/var/data) mounted as a volume", + "issueType": "IncorrectValue" }, { "queryName": "Volume Has Sensitive Host Directory", @@ -45,6 +48,7 @@ "searchKey": "services.yesno.volumes.source", "searchValue": "", "expectedValue": "There shouldn't be sensitive directory mounted as a volume", - "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume" + "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json index 6ff6e19a3ea..f6a6f6aee59 100644 --- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: rshared" + "actualValue": "Volumes are being mounted in multiple containers, mode: rshared", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mounted In Multiple Containers", @@ -21,7 +22,8 @@ "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: shared" + "actualValue": "Volumes are being mounted in multiple containers, mode: shared", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mounted In Multiple Containers", @@ -33,7 +35,8 @@ "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: rslave" + "actualValue": "Volumes are being mounted in multiple containers, mode: rslave", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mounted In Multiple Containers", @@ -45,6 +48,7 @@ "searchKey": "services.old8k.volumes.bind.propagation", "searchValue": "", "expectedValue": "Volumes should not be mounted in multiple containers", - "actualValue": "Volumes are being mounted in multiple containers, mode: slave" + "actualValue": "Volumes are being mounted in multiple containers, mode: slave", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json index 86b794f6305..7085fc2ce9e 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json +++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "searchValue": "", "expectedValue": "'COPY' ${JAR_FILE}", - "actualValue": "'ADD' ${JAR_FILE}" + "actualValue": "'ADD' ${JAR_FILE}", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json index c14be805eb3..0cfa8811afb 100644 --- a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}", "searchValue": "", "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", - "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch" + "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch", + "issueType": "IncorrectValue" }, { "queryName": "Apk Add Using Local Cache Path", @@ -21,6 +22,7 @@ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}", "searchValue": "", "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", - "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch" + "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json index 549219c477e..f7522ad38f9 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", - "actualValue": "After using apt-get install, the apt-get lists were not deleted" + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Lists Were Not Deleted", @@ -21,7 +22,8 @@ "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", - "actualValue": "After using apt-get install, the apt-get lists were not deleted" + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Lists Were Not Deleted", @@ -33,7 +35,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", - "actualValue": "After using apt-get install, the apt-get lists were not deleted" + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Lists Were Not Deleted", @@ -45,7 +48,8 @@ "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", - "actualValue": "After using apt-get install, the apt-get lists were not deleted" + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Lists Were Not Deleted", @@ -57,6 +61,7 @@ "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}", "searchValue": "", "expectedValue": "After using apt-get install, the apt-get lists should be deleted", - "actualValue": "After using apt-get install, the apt-get lists were not deleted" + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index b51583a87bc..f2fb0fee127 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -21,7 +22,8 @@ "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -33,7 +35,8 @@ "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -45,7 +48,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-pip", "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "actualValue": "Package 'python-pip' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -57,7 +61,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-qt4", "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "actualValue": "Package 'python-qt4' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -69,7 +74,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python3-pip", "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "actualValue": "Package 'python3-pip' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -81,7 +87,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python3-pyqt5", "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "actualValue": "Package 'python3-pyqt5' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -93,7 +100,8 @@ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-pyside", "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "actualValue": "Package 'python-pyside' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -105,7 +113,8 @@ "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -117,7 +126,8 @@ "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -129,7 +139,8 @@ "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}", "searchValue": "python", "expectedValue": "Package 'python' has version defined", - "actualValue": "Package 'python' does not have version defined" + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -141,7 +152,8 @@ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-pip", "expectedValue": "Package 'python-pip' has version defined", - "actualValue": "Package 'python-pip' does not have version defined" + "actualValue": "Package 'python-pip' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -153,7 +165,8 @@ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-pyside", "expectedValue": "Package 'python-pyside' has version defined", - "actualValue": "Package 'python-pyside' does not have version defined" + "actualValue": "Package 'python-pyside' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -165,7 +178,8 @@ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python-qt4", "expectedValue": "Package 'python-qt4' has version defined", - "actualValue": "Package 'python-qt4' does not have version defined" + "actualValue": "Package 'python-qt4' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -177,7 +191,8 @@ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python3-pyqt5", "expectedValue": "Package 'python3-pyqt5' has version defined", - "actualValue": "Package 'python3-pyqt5' does not have version defined" + "actualValue": "Package 'python3-pyqt5' does not have version defined", + "issueType": "MissingAttribute" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -189,6 +204,7 @@ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", "searchValue": "python3-pip", "expectedValue": "Package 'python3-pip' has version defined", - "actualValue": "Package 'python3-pip' does not have version defined" + "actualValue": "Package 'python3-pip' does not have version defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json index 5100fabf723..1299f262bed 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}", "searchValue": "", "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input" + "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -21,7 +22,8 @@ "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", "searchValue": "", "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input", - "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input" + "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -33,7 +35,8 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" + "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -45,7 +48,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -57,7 +61,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -69,7 +74,8 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input" + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -81,7 +87,8 @@ "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}", "searchValue": "", "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input", - "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input" + "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -93,7 +100,8 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}", "searchValue": "", "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input" + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -105,7 +113,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -117,7 +126,8 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}", "searchValue": "", "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -129,7 +139,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -141,7 +152,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -153,7 +165,8 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}", "searchValue": "", "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input" + "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -165,7 +178,8 @@ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}", "searchValue": "", "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input", - "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input" + "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", @@ -177,6 +191,7 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}", "searchValue": "", "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input", - "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input" + "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json index 4a5e2602100..448ff08f8a1 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", "searchValue": "", "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages", - "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages" + "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages", + "issueType": "IncorrectValue" }, { "queryName": "APT-GET Not Avoiding Additional Packages", @@ -21,6 +22,7 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", "searchValue": "", "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages", - "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages" + "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json index 923094cc76c..1e630afe2f8 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN ln -sfv /bin/bash /bin/sh}}", "searchValue": "", "expectedValue": "{{RUN ln -sfv /bin/bash /bin/sh}} should use the SHELL command to change the default shell", - "actualValue": "{{RUN ln -sfv /bin/bash /bin/sh}} uses the RUN command to change the default shell" + "actualValue": "{{RUN ln -sfv /bin/bash /bin/sh}} uses the RUN command to change the default shell", + "issueType": "IncorrectValue" }, { "queryName": "Changing Default Shell Using RUN Command", @@ -21,6 +22,7 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN powershell -command}}", "searchValue": "", "expectedValue": "{{RUN powershell -command}} should use the SHELL command to change the default shell", - "actualValue": "{{RUN powershell -command}} uses the RUN command to change the default shell" + "actualValue": "{{RUN powershell -command}} uses the RUN command to change the default shell", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json index 54e3c2446ae..b934c1b88f7 100644 --- a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json +++ b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{python:3.7}}.{{COPY --chown=patrick:patrick app /app}}", "searchValue": "", "expectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag", - "actualValue": "The 'Dockerfile' contains the 'chown' flag" + "actualValue": "The 'Dockerfile' contains the 'chown' flag", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json index 9a13059745b..b5249f83750 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{myimage:tag as dep}}.{{COPY --from=dep /binary /}}", "searchValue": "", "expectedValue": "COPY --from should not reference the current FROM alias", - "actualValue": "COPY --from references the current FROM alias" + "actualValue": "COPY --from references the current FROM alias", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json index e58d7076817..ee7168d1d79 100644 --- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{node:carbon2}}.COPY={{package.json}}", "searchValue": "", "expectedValue": "When COPY command has more than two arguments, the last one should end with a slash", - "actualValue": "COPY command has more than two arguments and the last one does not end with a slash" + "actualValue": "COPY command has more than two arguments and the last one does not end with a slash", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json index 3232b33a68b..d4e80e825a9 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD https://example.com/big.tar.xz /usr/src/things/}}", "searchValue": "", "expectedValue": "Should use 'curl' or 'wget' to download https://example.com/big.tar.xz", - "actualValue": "'ADD' https://example.com/big.tar.xz" + "actualValue": "'ADD' https://example.com/big.tar.xz", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json index 077cf24c00c..fab7a292549 100644 --- a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json +++ b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 3000 80 443 22}}", "searchValue": "", "expectedValue": "'EXPOSE' shouldn't contain the port 22 ", - "actualValue": "'EXPOSE' contains the port 22 " + "actualValue": "'EXPOSE' contains the port 22 ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json index 7dab9f6db79..f88fdab63e9 100644 --- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}", "searchValue": "", "expectedValue": "RUN gem install bundler is 'gem install :'", - "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :" + "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue" }, { "queryName": "Gem Install Without Version", @@ -21,7 +22,8 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}", "searchValue": "", "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'", - "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :" + "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue" }, { "queryName": "Gem Install Without Version", @@ -33,6 +35,7 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder}}", "searchValue": "", "expectedValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install :'", - "actualValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install ', you should use 'gem install :" + "actualValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json index b7881a7a5a2..78c0530155b 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{node:alpine}}", "searchValue": "", "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", + "issueType": "MissingAttribute" }, { "queryName": "Healthcheck Instruction Missing", @@ -21,6 +22,7 @@ "searchKey": "FROM={{alpine:latest }}", "searchValue": "", "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index 5e04309310c..ae90389ff41 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine}}", "searchValue": "", "expectedValue": "FROM alpine:'version'", - "actualValue": "FROM alpine'" + "actualValue": "FROM alpine'", + "issueType": "MissingAttribute" }, { "queryName": "Image Version Not Explicit", @@ -21,7 +22,8 @@ "searchKey": "FROM={{construction AS final}}", "searchValue": "", "expectedValue": "FROM construction:'version'", - "actualValue": "FROM construction'" + "actualValue": "FROM construction'", + "issueType": "MissingAttribute" }, { "queryName": "Image Version Not Explicit", @@ -33,7 +35,8 @@ "searchKey": "FROM={{positive4 }}", "searchValue": "", "expectedValue": "FROM positive4:'version'", - "actualValue": "FROM positive4'" + "actualValue": "FROM positive4'", + "issueType": "MissingAttribute" }, { "queryName": "Image Version Not Explicit", @@ -45,7 +48,8 @@ "searchKey": "FROM={{positive42}}", "searchValue": "", "expectedValue": "FROM positive42:'version'", - "actualValue": "FROM positive42'" + "actualValue": "FROM positive42'", + "issueType": "MissingAttribute" }, { "queryName": "Image Version Not Explicit", @@ -57,7 +61,8 @@ "searchKey": "FROM={{test_fail_1}}", "searchValue": "", "expectedValue": "FROM test_fail_1:'version'", - "actualValue": "FROM test_fail_1'" + "actualValue": "FROM test_fail_1'", + "issueType": "MissingAttribute" }, { "queryName": "Image Version Not Explicit", @@ -69,6 +74,7 @@ "searchKey": "FROM={{test3 AS test_fail_2}}", "searchValue": "", "expectedValue": "FROM test3:'version'", - "actualValue": "FROM test3'" + "actualValue": "FROM test3'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json index 47ad68702c9..097b3f3e02d 100644 --- a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:latest}}", "searchValue": "", "expectedValue": "FROM alpine:latest:'version' where version should not be 'latest'", - "actualValue": "FROM alpine:latest'" + "actualValue": "FROM alpine:latest'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json index 79e344543ec..e377fb693b1 100644 --- a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json +++ b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:2.6}}.{{USER root}}", "searchValue": "", "expectedValue": "Last User shouldn't be root", - "actualValue": "Last User is root" + "actualValue": "Last User is root", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json index 30656b7473e..fa27642d14d 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:3.5}}.MAINTAINER={{\"SvenDowideit@home.org.au\"}}", "searchValue": "", "expectedValue": "Maintainer instruction being used in Label 'LABEL maintainer=\"SvenDowideit@home.org.au\"'", - "actualValue": "Maintainer instruction not being used in Label 'MAINTAINER \"SvenDowideit@home.org.au\"'" + "actualValue": "Maintainer instruction not being used in Label 'MAINTAINER \"SvenDowideit@home.org.au\"'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json index 44ebdd411f9..ac58d253573 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce}}", "searchValue": "", "expectedValue": "After installing a package with dnf, command 'dnf clean all' should run.", - "actualValue": "Command `dnf clean all` is not being run after installing packages." + "actualValue": "Command `dnf clean all` is not being run after installing packages.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json index fac30bcf83c..03ce6b81d68 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}", "searchValue": "dnf install docker-ce", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" }, { "queryName": "Missing Flag From Dnf Install", @@ -21,7 +22,8 @@ "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", "searchValue": "dnf in docker-ce", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" }, { "queryName": "Missing Flag From Dnf Install", @@ -33,7 +35,8 @@ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}", "searchValue": "set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" }, { "queryName": "Missing Flag From Dnf Install", @@ -45,7 +48,8 @@ "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", "searchValue": "dnf in docker-ce", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" }, { "queryName": "Missing Flag From Dnf Install", @@ -57,7 +61,8 @@ "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}", "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" }, { "queryName": "Missing Flag From Dnf Install", @@ -69,6 +74,7 @@ "searchKey": "FROM={{${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer}}.RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}", "searchValue": "tdnf install jq tar libicu python3-requests python3-yaml", "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "actualValue": "Command `RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}` doesn't have the `-y` or `--assumeyes` switch set" + "actualValue": "Command `RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json index 1564337d4a8..785c0f99182 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{python:2.7}}", "searchValue": "", "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", - "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "issueType": "MissingAttribute" }, { "queryName": "Missing User Instruction", @@ -21,6 +22,7 @@ "searchKey": "FROM={{alpine:latest }}", "searchValue": "", "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", - "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction" + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index 37c192357b2..73294cdce5c 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}", "searchValue": "", "expectedValue": "Package version should be specified when using 'dnf install'", - "actualValue": "Package version should be pinned when running ´dnf install´" + "actualValue": "Package version should be pinned when running ´dnf install´", + "issueType": "IncorrectValue" }, { "queryName": "Missing Version Specification In dnf install", @@ -21,6 +22,7 @@ "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}", "searchValue": "", "expectedValue": "Package version should be specified when using 'dnf install'", - "actualValue": "Package version should be pinned when running ´dnf install´" + "actualValue": "Package version should be pinned when running ´dnf install´", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json index aea344f727d..5e04d5e79fe 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install}}", "searchValue": "", "expectedValue": "There should be a zypper clean after a zypper usage", - "actualValue": "The command 'zypper install' does not have a zypper clean after it" + "actualValue": "The command 'zypper install' does not have a zypper clean after it", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json index f71df8e527b..230a507ca26 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install httpd && zypper clean}}", "searchValue": "", "expectedValue": "zypper usages should have the non-interactive switch activated", - "actualValue": "The command 'RUN zypper install httpd && zypper clean' does not have the non-interactive switch activated (-y | --no-confirm)" + "actualValue": "The command 'RUN zypper install httpd && zypper clean' does not have the non-interactive switch activated (-y | --no-confirm)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json index 60a333b9f20..869c126fc1d 100644 --- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:latest }}.{{CMD [\"./app\"] }}", "searchValue": "", "expectedValue": "There should be only one CMD instruction", - "actualValue": "There are 2 CMD instructions" + "actualValue": "There are 2 CMD instructions", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json index 428c325df00..9f42ee34840 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:latest }}.{{ENTRYPOINT [ \"/opt/app/run.sh\", \"--port\", \"8080\" ]}}", "searchValue": "", "expectedValue": "There should be only one ENTRYPOINT instruction", - "actualValue": "There are 2 ENTRYPOINT instructions" + "actualValue": "There are 2 ENTRYPOINT instructions", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json index 5bf17f8e884..7ae705bdf8d 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}", "searchValue": "", "expectedValue": "There isn´t any RUN instruction that could be grouped", - "actualValue": "There are RUN instructions that could be grouped" + "actualValue": "There are RUN instructions that could be grouped", + "issueType": "RedundantAttribute" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", @@ -21,7 +22,8 @@ "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}", "searchValue": "", "expectedValue": "There isn´t any COPY instruction that could be grouped", - "actualValue": "There are COPY instructions that could be grouped" + "actualValue": "There are COPY instructions that could be grouped", + "issueType": "RedundantAttribute" }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", @@ -33,6 +35,7 @@ "searchKey": "FROM={{ubuntu}}.{{ADD cairo.spec /rpmbuild/SOURCES}}", "searchValue": "", "expectedValue": "There isn´t any ADD instruction that could be grouped", - "actualValue": "There are ADD instructions that could be grouped" + "actualValue": "There are ADD instructions that could be grouped", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json index c4699fea866..35627cab296 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.5}}.{{CMD [python, /usr/src/app/app.py] }}", "searchValue": "", "expectedValue": "{{CMD [python, /usr/src/app/app.py] }} should be in the JSON Notation", - "actualValue": "{{CMD [python, /usr/src/app/app.py] }} isn't in JSON Notation" + "actualValue": "{{CMD [python, /usr/src/app/app.py] }} isn't in JSON Notation", + "issueType": "IncorrectValue" }, { "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", @@ -21,6 +22,7 @@ "searchKey": "FROM={{alpine:3.5}}.{{ENTRYPOINT [top, -b]}}", "searchValue": "", "expectedValue": "{{ENTRYPOINT [top, -b]}} should be in the JSON Notation", - "actualValue": "{{ENTRYPOINT [top, -b]}} isn't in JSON Notation" + "actualValue": "{{ENTRYPOINT [top, -b]}} isn't in JSON Notation", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index 0b4412080b6..c651cc8fe21 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}", "searchValue": "", "expectedValue": "'RUN npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version" + "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -21,7 +22,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}", "searchValue": "", "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version" + "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -33,7 +35,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}", "searchValue": "", "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version" + "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -45,7 +48,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}", "searchValue": "", "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version" + "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -57,7 +61,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}", "searchValue": "", "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version", - "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version" + "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -69,7 +74,8 @@ "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}", "searchValue": "", "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version", - "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version" + "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" }, { "queryName": "NPM Install Command Without Pinned Version", @@ -81,6 +87,7 @@ "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}", "searchValue": "", "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version", - "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version" + "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json index 53c06626976..5f8421f8e88 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{python:3}}.{{pip install --upgrade pip && pip install nibabel pydicom matplotlib pillow && pip install med2image}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", - "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue" }, { "queryName": "Pip install Keeping Cached Packages", @@ -21,7 +22,8 @@ "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", - "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue" }, { "queryName": "Pip install Keeping Cached Packages", @@ -33,7 +35,8 @@ "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", - "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue" }, { "queryName": "Pip install Keeping Cached Packages", @@ -45,7 +48,8 @@ "searchKey": "FROM={{python:3.1}}.{{pip3 install requests=2.7.0}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", - "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue" }, { "queryName": "Pip install Keeping Cached Packages", @@ -57,6 +61,7 @@ "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}", "searchValue": "", "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", - "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'" + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json index 17ea89b4445..0c60624072b 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}", "searchValue": "", "expectedValue": "Using WORKDIR to change directory", - "actualValue": "RUN cd /../share/nginx/html'" + "actualValue": "RUN cd /../share/nginx/html'", + "issueType": "IncorrectValue" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", @@ -21,7 +22,8 @@ "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}", "searchValue": "", "expectedValue": "Using WORKDIR to change directory", - "actualValue": "RUN cd ../share/nginx/html'" + "actualValue": "RUN cd ../share/nginx/html'", + "issueType": "IncorrectValue" }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", @@ -33,6 +35,7 @@ "searchKey": "FROM={{nginx}}.RUN={{cd /usr/../share/nginx/html}}", "searchValue": "", "expectedValue": "Using WORKDIR to change directory", - "actualValue": "RUN cd /usr/../share/nginx/html'" + "actualValue": "RUN cd /usr/../share/nginx/html'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json index 816ea71bd55..6defb236b76 100644 --- a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{busybox:1.0}}.{{RUN apt install curl}}", "searchValue": "", "expectedValue": "RUN instructions should not use the 'apt' program", - "actualValue": "RUN instruction is invoking the 'apt' program" + "actualValue": "RUN instruction is invoking the 'apt' program", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json index 0c443a95fd8..d09c622b0cc 100644 --- a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:3.5}}.RUN={{sudo pip install --upgrade pip}}", "searchValue": "", "expectedValue": "RUN instruction shouldn't contain sudo", - "actualValue": "RUN instruction contains sudo" + "actualValue": "RUN instruction contains sudo", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json index 665d395140c..7fa351280dc 100644 --- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}", "searchValue": "", "expectedValue": "Exclusively using 'wget' or 'curl'", - "actualValue": "Using both 'wget' and 'curl'" + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute" }, { "queryName": "Run Using 'wget' and 'curl'", @@ -21,7 +22,8 @@ "searchKey": "FROM={{baseImage}}.{{RUN curl http://bing.com}}", "searchValue": "", "expectedValue": "Exclusively using 'wget' or 'curl'", - "actualValue": "Using both 'wget' and 'curl'" + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute" }, { "queryName": "Run Using 'wget' and 'curl'", @@ -33,6 +35,7 @@ "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}", "searchValue": "", "expectedValue": "Exclusively using 'wget' or 'curl'", - "actualValue": "Using both 'wget' and 'curl'" + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json index 5035c16d89a..8b9ca535e0e 100644 --- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}", "searchValue": "", "expectedValue": "There should be no dangerous commands or utilities executed", - "actualValue": "Run instruction is executing the top command" + "actualValue": "Run instruction is executing the top command", + "issueType": "IncorrectValue" }, { "queryName": "Run Utilities And POSIX Commands", @@ -21,6 +22,7 @@ "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}", "searchValue": "", "expectedValue": "There should be no dangerous commands or utilities executed", - "actualValue": "Run instruction is executing the ps command" + "actualValue": "Run instruction is executing the ps command", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json index 8230525a6a9..56e924736d0 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json +++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{build}}", "searchValue": "", "expectedValue": "Different FROM commands don't have the same alias defined", - "actualValue": "Different FROM commands with with the same alias 'build' defined" + "actualValue": "Different FROM commands with with the same alias 'build' defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json index f54f5c2b364..b8d98368725 100644 --- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json +++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}", "searchValue": "zsh", "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.", - "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh." + "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh.", + "issueType": "MissingAttribute" }, { "queryName": "Shell Running A Pipe Without Pipefail Flag", @@ -21,6 +22,7 @@ "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}", "searchValue": "/bin/bash", "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.", - "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash." + "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json index 540bbe80f90..05170343f09 100644 --- a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 65536/tcp 80 443 22}}", "searchValue": "", "expectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]", - "actualValue": "'EXPOSE' contains ports out of range [0, 65535]" + "actualValue": "'EXPOSE' contains ports out of range [0, 65535]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json index fd583f9c28c..facbf34123c 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form" + "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Apk Add", @@ -21,7 +22,8 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form" + "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Apk Add", @@ -33,7 +35,8 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && rm -rf /tmp/*}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add py-pip && rm -rf /tmp/* does not use package pinning form" + "actualValue": "RUN instruction apk add py-pip && rm -rf /tmp/* does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Apk Add", @@ -45,7 +48,8 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}", "searchValue": "", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form" + "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Apk Add", @@ -57,6 +61,7 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN [\"apk\", \"add\", \"py-pip\"]}}", "searchValue": "py-pip", "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", - "actualValue": "RUN instruction py-pip does not use package pinning form" + "actualValue": "RUN instruction py-pip does not use package pinning form", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json index 1df44711bab..ad45b094ca2 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction pip install --user pip does not use package pinning form" + "actualValue": "RUN instruction pip install --user pip does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Pip Install", @@ -21,7 +22,8 @@ "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction connexion does not use package pinning form" + "actualValue": "RUN instruction connexion does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Pip Install", @@ -33,7 +35,8 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN pip install connexion}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction pip install connexion does not use package pinning form" + "actualValue": "RUN instruction pip install connexion does not use package pinning form", + "issueType": "IncorrectValue" }, { "queryName": "Unpinned Package Version in Pip Install", @@ -45,6 +48,7 @@ "searchKey": "FROM={{alpine:3.7}}.{{RUN pip3 install requests}}", "searchValue": "", "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", - "actualValue": "RUN instruction pip3 install requests does not use package pinning form" + "actualValue": "RUN instruction pip3 install requests does not use package pinning form", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json index f5c28029c51..1fd2b45e20b 100644 --- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json +++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -21,7 +22,8 @@ "searchKey": "FROM={{opensuse:latest}}.RUN={{zypper install nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN zypper [\"install\"]' should be combined with 'RUN zypper [\"refresh\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN zypper [\"install\"]' isn't combined with 'RUN zypper [\"refresh\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN zypper [\"install\"]' isn't combined with 'RUN zypper [\"refresh\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -33,7 +35,8 @@ "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -45,7 +48,8 @@ "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -57,7 +61,8 @@ "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -69,7 +74,8 @@ "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}", "searchValue": "", "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" }, { "queryName": "Update Instruction Alone", @@ -81,6 +87,7 @@ "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}", "searchValue": "", "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement", - "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement" + "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json index 64123d2c56a..850cd425ec2 100644 --- a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json +++ b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}}", "searchValue": "", "expectedValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} should not use the '--platform' flag", - "actualValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} is using the '--platform' flag" + "actualValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} is using the '--platform' flag", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json index eccad898edb..2090276787a 100644 --- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:latest }}.{{COPY --from=0 /go/src/github.com/foo/href-counter/app ./}}", "searchValue": "", "expectedValue": "COPY '--from' should reference a previously defined FROM alias", - "actualValue": "COPY '--from' does not reference a previously defined FROM alias" + "actualValue": "COPY '--from' does not reference a previously defined FROM alias", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json index 97efe4064b6..45a6fd96292 100644 --- a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json +++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:3.5}}.WORKDIR={{workdir}}", "searchValue": "", "expectedValue": "'WORKDIR' Command has absolute path", - "actualValue": "'WORKDIR' Command doesn't have absolute path" + "actualValue": "'WORKDIR' Command doesn't have absolute path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json index abf120ee488..7cfc60ad5a2 100644 --- a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "FROM={{alpine:3.4}}.{{RUN yum clean all yum -y install}}", "searchValue": "", "expectedValue": "{{RUN yum clean all yum -y install}} should have 'yum clean all' after 'yum install' command", - "actualValue": "{{RUN yum clean all yum -y install}} doesn't have 'yum clean all' after 'yum install' command" + "actualValue": "{{RUN yum clean all yum -y install}} doesn't have 'yum clean all' after 'yum install' command", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json index b1ff288c4cd..1fe16d58499 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}", "searchValue": "", "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input", - "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input" + "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input", + "issueType": "IncorrectValue" }, { "queryName": "Yum Install Allows Manual Input", @@ -21,6 +22,7 @@ "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}", "searchValue": "", "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input", - "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input" + "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json index 8e3bc26b4b7..a56c2d6bf52 100644 --- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}", "searchValue": "httpd", "expectedValue": "The package version should always be specified when using yum install", - "actualValue": "No version is specified in package 'httpd'" + "actualValue": "No version is specified in package 'httpd'", + "issueType": "IncorrectValue" }, { "queryName": "Yum install Without Version", @@ -21,6 +22,7 @@ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}", "searchValue": "httpd", "expectedValue": "The package version should always be specified when using yum install", - "actualValue": "No version is specified in package 'httpd'" + "actualValue": "No version is specified in package 'httpd'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json index 3fb2409327b..1d78bb3d3f0 100644 --- a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN zypper install -y httpd && zypper clean}}", "searchValue": "httpd", "expectedValue": "The package version should always be specified when using zypper install", - "actualValue": "No version is specified in package 'httpd'" + "actualValue": "No version is specified in package 'httpd'", + "issueType": "IncorrectValue" }, { "queryName": "Zypper Install Without Version", @@ -21,6 +22,7 @@ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"zypper\", \"install\", \"http\"]}}", "searchValue": "http", "expectedValue": "The package version should always be specified when using zypper install", - "actualValue": "No version is specified in package 'http'" + "actualValue": "No version is specified in package 'http'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json index 95480ce494c..85f11c17a2e 100644 --- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{bigquery}}.properties.access[0].specialGroup", "searchValue": "", "expectedValue": "'access[0].specialGroup' should not equal to 'allAuthenticatedUsers'", - "actualValue": "'access[0].specialGroup' is equal to 'allAuthenticatedUsers'" + "actualValue": "'access[0].specialGroup' is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json index dcf77c43997..98182c6e640 100644 --- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{bucket}}.properties", "searchValue": "", "expectedValue": "'versioning' should be defined and not null", - "actualValue": "'versioning' is undefined or null" + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Bucket Without Versioning", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{bucket}}.properties.versioning.enabled", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is false" + "actualValue": "'versioning.enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json index f5b94306321..eb467c30819 100644 --- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'masterAuth' should be defined and not null", - "actualValue": "'masterAuth' is undefined or null" + "actualValue": "'masterAuth' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{cluster}}.properties.masterAuth", "searchValue": "", "expectedValue": "'masterAuth.clientCertificateConfig' should be defined and not null", - "actualValue": "'masterAuth.clientCertificateConfig' is undefined or null" + "actualValue": "'masterAuth.clientCertificateConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate", "searchValue": "", "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true", - "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false" + "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index 8b65ba4586b..519ac620978 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{dns}}.properties", "searchValue": "", "expectedValue": "'dnssecConfig' should be defined and not null", - "actualValue": "'dnssecConfig' is undefined or null" + "actualValue": "'dnssecConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud DNS Without DNSSEC", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{dns2}}.properties.dnssecConfig", "searchValue": "", "expectedValue": "'state' should be defined and not null", - "actualValue": "'state' is undefined or null" + "actualValue": "'state' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud DNS Without DNSSEC", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{dns3}}.properties.dnssecConfig.state", "searchValue": "", "expectedValue": "'state' should be set to 'on'", - "actualValue": "'state' is not set to 'on'" + "actualValue": "'state' is not set to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 2711d52ce75..8b7072d9f37 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{storage-bucket}}.properties", "searchValue": "acl", "expectedValue": "'acl' should be defined", - "actualValue": "'acl' is undefined or null" + "actualValue": "'acl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{storage-bucket}}.properties", "searchValue": "defaultObjectAcl", "expectedValue": "'defaultObjectAcl' should be defined", - "actualValue": "'defaultObjectAcl' is undefined or null" + "actualValue": "'defaultObjectAcl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{storage-bucket}}.properties", "searchValue": "acl", "expectedValue": "'acl' should be defined", - "actualValue": "'acl' is undefined or null" + "actualValue": "'acl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", "searchValue": "", "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", - "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" + "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{storage-bucket}}.properties.acl[0].entity", "searchValue": "", "expectedValue": "properties.acl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", - "actualValue": "properties.acl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" + "actualValue": "properties.acl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -69,6 +74,7 @@ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity", "searchValue": "", "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'", - "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'" + "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json index 15831fba1bc..a6ecc906fe1 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{bucket-access-control}}.properties.entity", "searchValue": "", "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "'entity' is equal to 'allUsers'" + "actualValue": "'entity' is equal to 'allUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Bucket Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{bucket-access-control}}.properties.entity", "searchValue": "", "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'", - "actualValue": "'entity' is equal to 'allAuthenticatedUsers'" + "actualValue": "'entity' is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index 7e3a4f6ec01..d3dc37b107f 100644 --- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{a-new-pubsub-topic}}.properties", "searchValue": "", "expectedValue": "'versioning' should be defined and not null", - "actualValue": "'versioning' is undefined or null" + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{a-new-pubsub-topic2}}.properties.versioning.enabled", "searchValue": "", "expectedValue": "'enabled' should be set to true", - "actualValue": "'enabled' is set to false" + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json index 40ccbde7e14..db5746a2476 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'resourceLabels' should be defined and not null", - "actualValue": "'resourceLabels' is undefined or null" + "actualValue": "'resourceLabels' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index bdbb15c2ac8..cee8bf856c5 100644 --- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'masterAuth' should be defined and not null", - "actualValue": "'masterAuth' is undefined or null" + "actualValue": "'masterAuth' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{cluster}}.properties.masterAuth", "searchValue": "", "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined", - "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined" + "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cluster Master Authentication Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{cluster}}.properties.masterAuth", "searchValue": "", "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined", - "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined" + "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json index ab3e26fed29..7d01fe20e06 100644 --- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{instance}}.properties.networkInterfaces", "searchValue": "", "expectedValue": "'accessConfigs' should be undefined", - "actualValue": "'accessConfigs' is defined and not null" + "actualValue": "'accessConfigs' is defined and not null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json index 6865f03d752..b8dd023b16d 100644 --- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{nodePool}}.properties.config.imageType", "searchValue": "", "expectedValue": "'config.imageType' should start with 'cos'", - "actualValue": "'config.imageType' is ubuntu" + "actualValue": "'config.imageType' is ubuntu", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json index 6c58690ea95..416318a34e0 100644 --- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{vm-template}}.properties.disks", "searchValue": "", "expectedValue": "'diskEncryptionKey' should be defined and not null", - "actualValue": "'diskEncryptionKey' is undefined or null" + "actualValue": "'diskEncryptionKey' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{disk-3-data}}.properties.disks", "searchValue": "", "expectedValue": "'diskEncryptionKey' should be defined and not null", - "actualValue": "'diskEncryptionKey' is undefined or null" + "actualValue": "'diskEncryptionKey' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{vm-template2}}.properties.disks.diskEncryptionKey", "searchValue": "", "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", - "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" + "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey", "searchValue": "", "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null", - "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null" + "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey", "searchValue": "", "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", - "actualValue": "'diskEncryptionKey.rawKey' is empty" + "actualValue": "'diskEncryptionKey.rawKey' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Disk Encryption Disabled", @@ -69,6 +74,7 @@ "searchKey": "resources.name={{disk-5-data}}.properties.diskEncryptionKey.rawKey", "searchValue": "", "expectedValue": "'diskEncryptionKey.rawKey' should not be empty", - "actualValue": "'diskEncryptionKey.rawKey' is empty" + "actualValue": "'diskEncryptionKey.rawKey' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index cd15a1ba760..79ef6be4a0b 100644 --- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{dns}}.properties.dnssecConfig.defaultKeySpecs", "searchValue": "", "expectedValue": "'algorithm' should not equal to 'rsasha1'", - "actualValue": "'algorithm' is equal to 'rsasha1'" + "actualValue": "'algorithm' is equal to 'rsasha1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index 70c53794bd5..226c33c006e 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{cluster}}.properties.legacyAbac.enabled", "searchValue": "", "expectedValue": "'legacyAbac.enabled' should be false", - "actualValue": "'legacyAbac.enabled' is true" + "actualValue": "'legacyAbac.enabled' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index 389b421cebe..cdfe7583537 100644 --- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{my-cluster}}.properties", "searchValue": "", "expectedValue": "'masterAuthorizedNetworksConfig' should be defined and not null", - "actualValue": "'masterAuthorizedNetworksConfig' is undefined or null" + "actualValue": "'masterAuthorizedNetworksConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "GKE Master Authorized Networks Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{my-cluster}}.properties.masterAuthorizedNetworksConfig.enabled", "searchValue": "", "expectedValue": "'masterAuthorizedNetworksConfig.enabled' should be true", - "actualValue": "'masterAuthorizedNetworksConfig.enabled' is false" + "actualValue": "'masterAuthorizedNetworksConfig.enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json index e594e299b81..68888327cca 100644 --- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{a-new-pubsub-topic1}}.properties.iamConfiguration.uniformBucketLevelAccess.enabled", "searchValue": "", "expectedValue": "'enabled' should be set to true", - "actualValue": "'enabled' is set to false" + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 6aefa9b9ae7..fdd872f3ddb 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'ipAllocationPolicy' should be defined and not null", - "actualValue": "'ipAllocationPolicy' is undefined or null" + "actualValue": "'ipAllocationPolicy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy", "searchValue": "", "expectedValue": "'ipAllocationPolicy.useIpAliases' should be defined and not null", - "actualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null" + "actualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy.useIpAliases", "searchValue": "", "expectedValue": "'ipAllocationPolicy.useIpAliases' should be true", - "actualValue": "'ipAllocationPolicy.useIpAliases' is false" + "actualValue": "'ipAllocationPolicy.useIpAliases' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json index 0a802b62933..0ebe7100832 100644 --- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{vm-template}}.properties.canIpForward", "searchValue": "", "expectedValue": "'canIpForward' should not be set to true", - "actualValue": "'canIpForward' is set to true" + "actualValue": "'canIpForward' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json index eb81eb611d1..f381d3775ba 100644 --- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{db-instance}}.properties.settings.databaseFlags[0]", "searchValue": "", "expectedValue": "'settings.databaseFlags[0]' should be 'off'", - "actualValue": "'settings.databaseFlags[0]' is equal to 'on'" + "actualValue": "'settings.databaseFlags[0]' is equal to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json index e0fad579f92..879664fa66f 100644 --- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "addonsConfig", "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" + "actualValue": "'addonsConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "networkPolicy", "expectedValue": "'networkPolicy' should be defined and not null", - "actualValue": "'networkPolicy' is undefined or null" + "actualValue": "'networkPolicy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "addonsConfig", "expectedValue": "'addonsConfig' should be defined and not null", - "actualValue": "'addonsConfig' is undefined or null" + "actualValue": "'addonsConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled", "searchValue": "", "expectedValue": "'networkPolicy.enabled' should be true", - "actualValue": "'networkPolicy.enabled' is false" + "actualValue": "'networkPolicy.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", @@ -57,7 +61,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "networkPolicy", "expectedValue": "'networkPolicy' should be defined and not null", - "actualValue": "'networkPolicy' is undefined or null" + "actualValue": "'networkPolicy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -69,7 +74,8 @@ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", "searchValue": "", "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", - "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" + "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", @@ -81,7 +87,8 @@ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled", "searchValue": "", "expectedValue": "'networkPolicy.enabled' should be true", - "actualValue": "'networkPolicy.enabled' is false" + "actualValue": "'networkPolicy.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", @@ -93,6 +100,7 @@ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled", "searchValue": "", "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false", - "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true" + "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index a69ad964be8..62fdf307ef5 100644 --- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'nodePools' should be defined and not null", - "actualValue": "'nodePools' is undefined or null" + "actualValue": "'nodePools' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{cluster}}.properties.nodePools", "searchValue": "", "expectedValue": "'nodePools.management' should be defined and not null", - "actualValue": "'nodePools.management' is undefined or null" + "actualValue": "'nodePools.management' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{cluster}}.properties.nodePools.management", "searchValue": "", "expectedValue": "'nodePools.management.autoUpgrade' should be defined and not null", - "actualValue": "'nodePools.management.autoUpgrade' is undefined or null" + "actualValue": "'nodePools.management.autoUpgrade' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -45,6 +48,7 @@ "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade", "searchValue": "", "expectedValue": "'nodePools.management.autoUpgrade' should be true", - "actualValue": "'nodePools.management.autoUpgrade' is false" + "actualValue": "'nodePools.management.autoUpgrade' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json index ec912321112..9a337e24254 100644 --- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "accessControl.gcpIamPolicy.bindings[%!s(int=0)].members.user:jane@gmail.com", "searchValue": "", "expectedValue": "'members' cannot contain Gmail account addresses", - "actualValue": "'members' has email address: user:jane@gmail.com" + "actualValue": "'members' has email address: user:jane@gmail.com", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json index b1834162f8d..65803809a5c 100644 --- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources.name={{vm}}.properties.metadata.items[0]", "searchValue": "", "expectedValue": "'metadata.items[0]'.value should be true", - "actualValue": "'metadata.items[0]'.value is false" + "actualValue": "'metadata.items[0]'.value is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json index 02e964ea94f..527098846ba 100644 --- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{mycluster}}.properties", "searchValue": "", "expectedValue": "'privateClusterConfig' should be defined and not null", - "actualValue": "'privateClusterConfig' is undefined or null" + "actualValue": "'privateClusterConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig", "searchValue": "", "expectedValue": "'enablePrivateNodes' should be defined and not null", - "actualValue": "'enablePrivateNodes' is undefined or null" + "actualValue": "'enablePrivateNodes' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint", "searchValue": "", "expectedValue": "'enablePrivateEndpoint' should be set to true", - "actualValue": "'enablePrivateEndpoint' is set to false" + "actualValue": "'enablePrivateEndpoint' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 60fa7d25fa9..2e01e68ddf3 100644 --- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{vm}}.properties", "searchValue": "", "expectedValue": "'metadata' should be defined and not null", - "actualValue": "'metadata' is undefined or null" + "actualValue": "'metadata' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{vm}}.properties.metadata.items", "searchValue": "", "expectedValue": "'metadata.items' should have 'block-project-ssh-keys'", - "actualValue": "'metadata.items' does not have 'block-project-ssh-keys'" + "actualValue": "'metadata.items' does not have 'block-project-ssh-keys'", + "issueType": "MissingAttribute" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key", "searchValue": "", "expectedValue": "'metadata.items[1].value' should be true", - "actualValue": "'metadata.items[1].value' is false" + "actualValue": "'metadata.items[1].value' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 273bdd42844..8ed9d9682db 100644 --- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{firewall}}.properties.allowed", "searchValue": "", "expectedValue": "'allowed.ports' to not include RDP port 3389", - "actualValue": "'allowed.ports' includes RDP port 3389" + "actualValue": "'allowed.ports' includes RDP port 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Access Is Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{firewall}}.properties.allowed", "searchValue": "", "expectedValue": "'allowed.ports' to not include RDP port 3389", - "actualValue": "'allowed.ports' includes RDP port 3389" + "actualValue": "'allowed.ports' includes RDP port 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Access Is Not Restricted", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{firewall}}.properties.allowed", "searchValue": "", "expectedValue": "'allowed.ports' to not include RDP port 3389", - "actualValue": "'allowed.ports' includes RDP port 3389" + "actualValue": "'allowed.ports' includes RDP port 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json index c440145bc5a..ee785541ee6 100644 --- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{vm-template}}.properties", "searchValue": "", "expectedValue": "'shieldedInstanceConfig' should be defined and not null", - "actualValue": "'shieldedInstanceConfig' is undefined or null" + "actualValue": "'shieldedInstanceConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", "searchValue": "enableIntegrityMonitoring", "expectedValue": "'enableIntegrityMonitoring' should be defined and not null", - "actualValue": "'enableIntegrityMonitoring' is undefined or null" + "actualValue": "'enableIntegrityMonitoring' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", "searchValue": "enableVtpm", "expectedValue": "'enableVtpm' should be defined and not null", - "actualValue": "'enableVtpm' is undefined or null" + "actualValue": "'enableVtpm' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -45,6 +48,7 @@ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot", "searchValue": "", "expectedValue": "'enableSecureBoot' should be set to true", - "actualValue": "'enableSecureBoot' is set to false" + "actualValue": "'enableSecureBoot' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 9fd2a201b3f..532443b1f7d 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings", "searchValue": "", "expectedValue": "'settings.backupConfiguration' should be defined and not null", - "actualValue": "'settings.backupConfiguration' is undefined or null" + "actualValue": "'settings.backupConfiguration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration", "searchValue": "", "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null", - "actualValue": "'settings.backupConfiguration.enabled' is undefined or null" + "actualValue": "'settings.backupConfiguration.enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration.enabled", "searchValue": "", "expectedValue": "'settings.backupConfiguration.enabled' should be true", - "actualValue": "'settings.backupConfiguration.enabled' is false" + "actualValue": "'settings.backupConfiguration.enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 286a84637bd..a473198ff1c 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings", "searchValue": "", "expectedValue": "'settings.ipConfiguration' should be defined and not null", - "actualValue": "'settings.ipConfiguration' is undefined or null" + "actualValue": "'settings.ipConfiguration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration", "searchValue": "", "expectedValue": "'settings.ipConfiguration.requireSsl' should be defined and not null", - "actualValue": "'settings.ipConfiguration.requireSsl' is undefined or null" + "actualValue": "'settings.ipConfiguration.requireSsl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration.requireSsl", "searchValue": "", "expectedValue": "'settings.ipConfiguration.requireSsl' should be true", - "actualValue": "'settings.ipConfiguration.requireSsl' is false" + "actualValue": "'settings.ipConfiguration.requireSsl' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 6dfd6951963..e5c12d3e133 100644 --- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)", "searchValue": "", "expectedValue": "'allowed[0].ports' to not include SSH port 22", - "actualValue": "'allowed[0].ports' includes SSH port 22" + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Access Is Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=21-3390)].ports=%!s(MISSING)", "searchValue": "", "expectedValue": "'allowed[0].ports' to not include SSH port 22", - "actualValue": "'allowed[0].ports' includes SSH port 22" + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Access Is Not Restricted", @@ -33,6 +35,7 @@ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)", "searchValue": "", "expectedValue": "'allowed[0].ports' to not include SSH port 22", - "actualValue": "'allowed[0].ports' includes SSH port 22" + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 9f8a8c39301..3239e2e0bda 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{cluster}}.properties", "searchValue": "", "expectedValue": "'loggingService' should be defined and not null", - "actualValue": "'loggingService' is undefined or null" + "actualValue": "'loggingService' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{cluster}}.properties.loggingService", "searchValue": "", "expectedValue": "'loggingService' to not be none", - "actualValue": "'loggingService' is none" + "actualValue": "'loggingService' is none", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 6c69f150622..93c497c5c60 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{my-cluster}}.properties", "searchValue": "", "expectedValue": "'monitoringService' should be defined and not null", - "actualValue": "'monitoringService' is undefined or null" + "actualValue": "'monitoringService' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Monitoring Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{my-cluster}}.properties.monitoringService", "searchValue": "", "expectedValue": "'monitoringService' to not be 'none'", - "actualValue": "'monitoringService' is 'none'" + "actualValue": "'monitoringService' is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json index f0578349398..09c29295fc0 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{disk-1-data}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{disk-2-data}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{disk-3-data}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{disk-4-data}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -57,6 +61,7 @@ "searchKey": "resources.name={{disk-5-data}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json index 6e553a34a75..b7fe5e1e802 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{topic-1}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PST", @@ -21,6 +22,7 @@ "searchKey": "resources.name={{topic-2}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json index 5fb24ab6920..fe7087ee2f2 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.name={{sample-input}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -21,7 +22,8 @@ "searchKey": "resources.name={{sample-input2}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -33,7 +35,8 @@ "searchKey": "resources.name={{sample-input3}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -45,7 +48,8 @@ "searchKey": "resources.name={{sample-input4}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -57,6 +61,7 @@ "searchKey": "resources.name={{sample-input5}}", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json index d76e18dfebd..4de8507ec89 100644 --- a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json +++ b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "enum[noInitCap]", "searchValue": "", "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", - "actualValue": "Enum Name doesn't follow CamelCase" + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue" }, { "queryName": "Enum Name Not CamelCase", @@ -21,7 +22,8 @@ "searchKey": "enum[NOT_CAMEL_CASE]", "searchValue": "", "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", - "actualValue": "Enum Name doesn't follow CamelCase" + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue" }, { "queryName": "Enum Name Not CamelCase", @@ -33,6 +35,7 @@ "searchKey": "enum[ALLCAPS]", "searchValue": "", "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", - "actualValue": "Enum Name doesn't follow CamelCase" + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json index dc763817f70..0d54b89d6c8 100644 --- a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json +++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should not contain 'AlwaysAdmit' plugin", - "actualValue": "--enable-admission-plugins flag contains 'AlwaysAdmit' plugin" + "actualValue": "--enable-admission-plugins flag contains 'AlwaysAdmit' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json index e56989575a4..86d66bc314a 100644 --- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'AlwaysPullImages' plugin", - "actualValue": "--enable-admission-plugins flag does not contain 'AlwaysPullImages' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'AlwaysPullImages' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json index 099c55003ef..3abcfaf702c 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--anonymous-auth flag should be set to false", - "actualValue": "--anonymous-auth flag is set to true" + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--anonymous-auth flag should be set to false", - "actualValue": "--anonymous-auth flag is set to true" + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--anonymous-auth flag should be set to false", - "actualValue": "--anonymous-auth flag is set to true" + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--anonymous-auth flag should be set to false", - "actualValue": "--anonymous-auth flag is set to true" + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", @@ -57,7 +61,8 @@ "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", "searchValue": "", "expectedValue": "authentication.anonymous.enabled attribute should be false", - "actualValue": "authentication.anonymous.enabled attribute is true" + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", @@ -69,6 +74,7 @@ "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", "searchValue": "", "expectedValue": "authentication.anonymous.enabled attribute should be false", - "actualValue": "authentication.anonymous.enabled attribute is true" + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json index 710d1e1cd4d..f0d0aa9dc17 100644 --- a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", - "actualValue": "--audit-log-maxage flag is set to less than 30 days" + "actualValue": "--audit-log-maxage flag is set to less than 30 days", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxage Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxage Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxage Not Properly Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxage Not Properly Set", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxage Not Properly Set", @@ -69,6 +74,7 @@ "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", - "actualValue": "--audit-log-maxage flag is not defined" + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json index f75e8071dad..47444e0e2f8 100644 --- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is not defined" + "actualValue": "--audit-log-maxbackup flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxbackup Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", @@ -69,6 +74,7 @@ "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", - "actualValue": "--audit-log-maxbackup flag is set to less than 10 files" + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json index 8d9b1a14b34..d3f21ce01dd 100644 --- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is not defined" + "actualValue": "--audit-log-maxsize flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", @@ -69,6 +74,7 @@ "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", - "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes" + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json index f1aade87734..d8442ae14b4 100644 --- a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Path Not Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Path Not Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Path Not Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Path Not Set", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-log-path flag should be defined", - "actualValue": "--audit-log-path flag is not defined" + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json index 4faba1037b1..3544eae1a1e 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-policy-file flag should be defined", - "actualValue": "--audit-policy-file is not defined" + "actualValue": "--audit-policy-file is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy File Not Defined", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-policy-file flag should have a valid file", - "actualValue": "--audit-policy-file does not have a valid file" + "actualValue": "--audit-policy-file does not have a valid file", + "issueType": "IncorrectValue" }, { "queryName": "Audit Policy File Not Defined", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--audit-policy-file flag should be defined", - "actualValue": "--audit-policy-file is not defined" + "actualValue": "--audit-policy-file is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 06f9cd8edbf..7eee5a7de9c 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/exec", "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -21,7 +22,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods", "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'pods' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -33,7 +35,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "secrets", "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -45,7 +48,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "deployments", "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -57,7 +61,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/proxy", "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -69,7 +74,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "configmaps", "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -81,7 +87,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "services/proxy", "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -93,7 +100,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "tokenreviews", "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -105,7 +113,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/portforward", "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -117,7 +126,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/exec", "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -129,7 +139,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/portforward", "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -141,7 +152,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "pods/proxy", "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'" + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -153,7 +165,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "secrets", "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'" + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -165,7 +178,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "tokenreviews", "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'" + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -177,7 +191,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "configmaps", "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'" + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -189,7 +204,8 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "services/proxy", "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", - "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'" + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", @@ -201,6 +217,7 @@ "searchKey": "kind={{Policy}}.rules", "searchValue": "deployments", "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", - "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'" + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json index d6f711b4d8d..279df677e88 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag should contain 'Node' mode", - "actualValue": "--authorization-mode flag does not contain 'Node' mode" + "actualValue": "--authorization-mode flag does not contain 'Node' mode", + "issueType": "MissingAttribute" }, { "queryName": "Authorization Mode Node Not Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag should contain 'Node' mode", - "actualValue": "--authorization-mode flag does not contain 'Node' mode" + "actualValue": "--authorization-mode flag does not contain 'Node' mode", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json index 7e9b2f5803f..a1770850263 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", - "actualValue": "--authorization-mode flag does not contain 'RBAC' mode" + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode", + "issueType": "MissingAttribute" }, { "queryName": "Authorization Mode RBAC Not Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", - "actualValue": "--authorization-mode flag does not contain 'RBAC' mode" + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index 6b228a66bbb..9418748b8c6 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", - "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", - "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", - "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", - "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode" + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", @@ -57,7 +61,8 @@ "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", "searchValue": "", "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", - "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", @@ -69,6 +74,7 @@ "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", "searchValue": "", "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", - "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'" + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json index 0ab9a6e4207..7f09ac4142b 100644 --- a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--auto-tls flag should be set to false or not be defined", - "actualValue": "--auto-tls flag is set to true" + "actualValue": "--auto-tls flag is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json index 44429b617fe..ca658595b76 100644 --- a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--basic-auth-file flag should not be set", - "actualValue": "--basic-auth-file flag is set" + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue" }, { "queryName": "Basic Auth File Is Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--basic-auth-file flag should not be set", - "actualValue": "--basic-auth-file flag is set" + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json index 64ee59c0794..37f387af819 100644 --- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", - "actualValue": "--bind-address flag is set to a 127.0.01" + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", - "actualValue": "--bind-address flag is set to a 127.0.01" + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", - "actualValue": "--bind-address flag is set to a 127.0.01" + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--bind-address flag should not be set to 127.0.0.1", - "actualValue": "--bind-address flag is set to a 127.0.01" + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json index 5f34a59ca82..bcf6f02308d 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "Client Certification should have a .pem or .crt file", - "actualValue": "Client Certification is not properly set" + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "Client Certification should have a .pem or .crt file", - "actualValue": "Client Certification is not properly set" + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "Client Certification should be set", - "actualValue": "Client Certification is not set" + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Authentication Not Setup Properly", @@ -45,7 +48,8 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "Client Certification should have a .pem or .crt file", - "actualValue": "Client Certification is not properly set" + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", @@ -57,7 +61,8 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "Client Certification should be set", - "actualValue": "Client Certification is not set" + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Authentication Not Setup Properly", @@ -69,6 +74,7 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "Client Certification should be set", - "actualValue": "Client Certification is not set" + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index 5e006de808d..307c04c80a7 100644 --- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{tiller-clusterrolebinding}}.roleRef.name=cluster-admin", "searchValue": "", "expectedValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' isn't binding 'cluster-admin' role with superuser permissions", - "actualValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' is binding 'cluster-admin' role with superuser permissions" + "actualValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' is binding 'cluster-admin' role with superuser permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index d3a12a87e3a..5fd149d1f66 100644 --- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", "searchValue": "", "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", - "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl" + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl", + "issueType": "IncorrectValue" }, { "queryName": "Cluster Allows Unsafe Sysctls", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", "searchValue": "", "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", - "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl" + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl", + "issueType": "IncorrectValue" }, { "queryName": "Cluster Allows Unsafe Sysctls", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls", "searchValue": "", "expectedValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls should be undefined", - "actualValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls is defined" + "actualValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls is defined", + "issueType": "IncorrectValue" }, { "queryName": "Cluster Allows Unsafe Sysctls", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}}", "searchValue": "", "expectedValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} should not be used", - "actualValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} is an unsafe sysctl" + "actualValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} is an unsafe sysctl", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json index 06ce3211228..cd1b45ada05 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "plugins", "searchValue": "", "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", - "actualValue": "Plugins contains a plugin that does not support Network Policies" + "actualValue": "Plugins contains a plugin that does not support Network Policies", + "issueType": "IncorrectValue" }, { "queryName": "CNI Plugin Does Not Support Network Policies", @@ -21,6 +22,7 @@ "searchKey": "data.cni-conf.json", "searchValue": "", "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", - "actualValue": "Plugins contains a plugin that does not support Network Policies" + "actualValue": "Plugins contains a plugin that does not support Network Policies", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json index 8e2aed8b61d..666f63fb445 100644 --- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged", "searchValue": "", "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", - "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true" + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged", "searchValue": "", "expectedValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", - "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true" + "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", "searchValue": "", "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", - "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true" + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json index fa8ebb41a9b..b4a620fc654 100644 --- a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{restricted}}.spec.allowedProcMountTypes", "searchValue": "", "expectedValue": "AllowedProcMountTypes should contain the value Default", - "actualValue": "AllowedProcMountTypes contains the value Unmasked" + "actualValue": "AllowedProcMountTypes contains the value Unmasked", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json index 6c525980ea5..59868bb41e4 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", "searchValue": "Pod", "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "StatefulSet", "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "Deployment", "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", "searchValue": "Pod", "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", "searchValue": "Pod", "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", "searchValue": "Pod", "expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", "searchValue": "Deployment", "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -93,7 +100,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", "searchValue": "Deployment", "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is undefined" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", @@ -105,7 +113,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", "searchValue": "Deployment", "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", @@ -117,7 +126,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", "searchValue": "Deployment", "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -129,7 +139,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", "searchValue": "Deployment", "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -141,7 +152,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", "searchValue": "Deployment", "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -153,7 +165,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}", "searchValue": "Deployment", "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", @@ -165,7 +178,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", "searchValue": "StatefulSet", "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -177,7 +191,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", "searchValue": "Deployment", "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -189,7 +204,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", "searchValue": "StatefulSet", "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", @@ -201,6 +217,7 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", "searchValue": "Deployment", "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json index 6e0172c76d3..4eb3f3b0722 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "MissingAttribute" }, { "queryName": "Container Running As Root", @@ -93,7 +100,8 @@ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -105,7 +113,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", "searchValue": "StatefulSet", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -117,7 +126,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", "searchValue": "Deployment", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -129,7 +139,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", "searchValue": "StatefulSet", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -141,7 +152,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", "searchValue": "Deployment", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", @@ -153,7 +165,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "StatefulSet", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "MissingAttribute" }, { "queryName": "Container Running As Root", @@ -165,6 +178,7 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", "searchValue": "Deployment", "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", - "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false" + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json index b079a11b61a..9bd3272dcd7 100644 --- a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.capabilities.add", "searchValue": "", "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has no capability added other than NET_BIND_SERVICE", - "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has a capability added other than NET_BIND_SERVICE" + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has a capability added other than NET_BIND_SERVICE", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Added Capabilities", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{pod3}}.spec.initContainers.name={{app}}.securityContext.capabilities.add", "searchValue": "", "expectedValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has no capability added other than NET_BIND_SERVICE", - "actualValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has a capability added other than NET_BIND_SERVICE" + "actualValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has a capability added other than NET_BIND_SERVICE", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json index 99f93877274..1281bffaf22 100644 --- a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{pod4}}.spec.containers.name={{app}}.securityContext.capabilities.add", "searchValue": "", "expectedValue": "spec.containers.name=app should not use CAP_SYS_ADMIN Linux capability", - "actualValue": "spec.containers.name=app uses CAP_SYS_ADMIN Linux capability" + "actualValue": "spec.containers.name=app uses CAP_SYS_ADMIN Linux capability", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json index a038a0f11aa..ddb2a053613 100644 --- a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.limits", "searchValue": "", "expectedValue": "spec.containers.name=app has CPU limits", - "actualValue": "spec.containers.name=app doesn't have CPU limits" + "actualValue": "spec.containers.name=app doesn't have CPU limits", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{log-aggregator}}.resources", "searchValue": "", "expectedValue": "spec.containers.name=log-aggregator has limits defined", - "actualValue": "spec.containers.name=log-aggregator doesn't have limits defined" + "actualValue": "spec.containers.name=log-aggregator doesn't have limits defined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.limits", "searchValue": "", "expectedValue": "spec.template.spec.containers.name=app has CPU limits", - "actualValue": "spec.template.spec.containers.name=app doesn't have CPU limits" + "actualValue": "spec.template.spec.containers.name=app doesn't have CPU limits", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", "searchValue": "", "expectedValue": "spec.template.spec.containers.name=log-aggregator has limits defined", - "actualValue": "spec.template.spec.containers.name=log-aggregator doesn't have limits defined" + "actualValue": "spec.template.spec.containers.name=log-aggregator doesn't have limits defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json index c4fe70767c7..7c0c0e5ba76 100644 --- a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests", "searchValue": "Pod", "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests", - "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests" + "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator", "searchValue": "Pod", "expectedValue": "spec.containers.name=log-aggregator should have resources defined", - "actualValue": "spec.containers.name=log-aggregator doesn't have resources defined" + "actualValue": "spec.containers.name=log-aggregator doesn't have resources defined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests", "searchValue": "Configuration", "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests", - "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests" + "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources", "searchValue": "Configuration", "expectedValue": "spec.template.spec.containers.name=log-aggregator.resources should have requests defined", - "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined" + "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json index af74fa5a362..098f6a97758 100644 --- a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{hello}}.spec", "searchValue": "", "expectedValue": "spec.startingDeadlineSeconds should be defined", - "actualValue": "spec.startingDeadlineSeconds is not defined" + "actualValue": "spec.startingDeadlineSeconds is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json index 04bcfa0ce99..6fe2c80a90d 100644 --- a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json +++ b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image", "searchValue": "", "expectedValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has not kubernetes-dashboard deployed", - "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed" + "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed", + "issueType": "IncorrectValue" }, { "queryName": "Dashboard Is Enabled", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image", "searchValue": "", "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed", - "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed" + "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 18234a79f24..74294337c9c 100644 --- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", "searchValue": "", "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", - "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata", + "issueType": "IncorrectValue" }, { "queryName": "Deployment Has No PodAntiAffinity", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{no-affinity}}.spec.template.spec", "searchValue": "", "expectedValue": "'spec.template.spec.affinity' should be set", - "actualValue": "'spec.template.spec.affinity' is undefined" + "actualValue": "'spec.template.spec.affinity' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json index e9a9dad1a77..62ce2de54c6 100644 --- a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.selector.matchLabels", "searchValue": "", "expectedValue": "metadata.name=nginx-deployment is targeted by a PodDisruptionBudget", - "actualValue": "metadata.name=nginx-deployment is not targeted by a PodDisruptionBudget" + "actualValue": "metadata.name=nginx-deployment is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 3e14f5600a7..191ccd4362a 100644 --- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path", "searchValue": "", "expectedValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", - "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" + "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", "searchValue": "", "expectedValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", - "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" + "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", "searchValue": "", "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", - "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'" + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json index d782f1221d5..912cb3859a7 100644 --- a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--encryption-provider-config flag should be defined", - "actualValue": "--encryption-provider-config flag is not defined" + "actualValue": "--encryption-provider-config flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json index 18ef79f6754..754d64a15f6 100644 --- a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kind={{EncryptionConfiguration}}.providers", "searchValue": "", "expectedValue": "aescbc, kms or secretbox provider should be defined", - "actualValue": "aescbc, kms or secretbox provider is not defined" + "actualValue": "aescbc, kms or secretbox provider is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json index e7b6e1ae496..02d4bb7bfc5 100644 --- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json +++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.namespace={{cosmic-namespace}}", "searchValue": "", "expectedValue": "ensure that these namespaces are the ones you need and are adequately administered as per your requirements.", - "actualValue": "namespaces in use: cosmic-namespace" + "actualValue": "namespaces in use: cosmic-namespace", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json index ccd0456bfe6..d7f69b895de 100644 --- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--client-cert-auth flag should be set to true", - "actualValue": "--client-cert-auth flag is set to false" + "actualValue": "--client-cert-auth flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Etcd Client Certificate Authentication Set To False", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--client-cert-auth flag should be defined and set to true", - "actualValue": "--client-cert-auth flag is not defined" + "actualValue": "--client-cert-auth flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json index c826b9afd41..3c24b50c023 100644 --- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--etcd-cafile flag should be defined", - "actualValue": "--etcd-cafile flag is not defined" + "actualValue": "--etcd-cafile flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 1bc7d32661c..34d547c30b6 100644 --- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--peer-client-cert-auth flag should be set to true", - "actualValue": "--peer-client-cert-auth flag is set to false" + "actualValue": "--peer-client-cert-auth flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Etcd Peer Client Certificate Authentication Set To False", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", - "actualValue": "--peer-client-cert-auth flag is not defined" + "actualValue": "--peer-client-cert-auth flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 95560df89b5..6f94672c4e0 100644 --- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--peer-key-file", "expectedValue": "--peer-key-file flag should be defined", - "actualValue": "--peer-key-file flag is not defined" + "actualValue": "--peer-key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--peer-cert-file", "expectedValue": "--peer-cert-file flag should be defined", - "actualValue": "--peer-cert-file flag is not defined" + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--peer-cert-file", "expectedValue": "--peer-cert-file flag should be defined", - "actualValue": "--peer-cert-file flag is not defined" + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json index a7f5943944c..f5f8792830f 100644 --- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--key-file", "expectedValue": "--key-file flag should be defined", - "actualValue": "--key-file flag is not defined" + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--key-file", "expectedValue": "--key-file flag should be defined", - "actualValue": "--key-file flag is not defined" + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "Deployment--cert-file", "expectedValue": "--cert-file flag should be defined", - "actualValue": "--cert-file flag is not defined" + "actualValue": "--cert-file flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json index 220f6476fbe..e8ecce52052 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--etcd-certfile", "expectedValue": "--etcd-certfile flag should be defined", - "actualValue": "--etcd-certfile flag is not defined" + "actualValue": "--etcd-certfile flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--etcd-keyfile", "expectedValue": "--etcd-keyfile flag should be defined", - "actualValue": "--etcd-keyfile flag is not defined" + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--etcd-keyfile", "expectedValue": "--etcd-keyfile flag should be defined", - "actualValue": "--etcd-keyfile flag is not defined" + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json index edbae2576b9..84e3c9ca56d 100644 --- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'EventRateLimit' plugin", - "actualValue": "--enable-admission-plugins flag does not contain 'EventRateLimit' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'EventRateLimit' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json index 7951adcb160..3df547c4461 100644 --- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{php-apache-1}}.spec.replicas", "searchValue": "", "expectedValue": "metadata.name={{php-apache-1}}.spec.replicas should be undefined", - "actualValue": "metadata.name={{php-apache-1}}.spec.replicas is defined" + "actualValue": "metadata.name={{php-apache-1}}.spec.replicas is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json index 09d491084be..d316462049d 100644 --- a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "spec.metrics", "searchValue": "", "expectedValue": "spec.metrics[0] is a valid object ", - "actualValue": "spec.metrics[0] is an invalid object " + "actualValue": "spec.metrics[0] is an invalid object ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json index c749059091b..8f9d5e1d48f 100644 --- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'ImagePolicyWebhook' plugin", - "actualValue": "--enable-admission-plugins flag does not contain 'ImagePolicyWebhook' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'ImagePolicyWebhook' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index 1373fdcbed9..b67bc6cd3c9 100644 --- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy", "searchValue": "Pod", "expectedValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy should be set to 'Always'", - "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache" + "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache", + "issueType": "MissingAttribute" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy", "searchValue": "Deployment", "expectedValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", - "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache" + "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", + "issueType": "MissingAttribute" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}", "searchValue": "Deployment", "expectedValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", - "actualValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache" + "actualValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json index c6a8ca7e04c..7ccfd4bfc1a 100644 --- a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image", "searchValue": "Pod", "expectedValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image should specify the image with a digest", - "actualValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image does not include an image digest" + "actualValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image does not include an image digest", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 7c637184ebf..70fcbcbfc14 100644 --- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name=web.spec.volumeClaimTemplates", "searchValue": "", "expectedValue": "metadata.name=web.spec.volumeClaimTemplates has only one template with a 'ReadWriteOnce'", - "actualValue": "metadata.name=web.spec.volumeClaimTemplates has multiple templates with 'ReadWriteOnce'" + "actualValue": "metadata.name=web.spec.volumeClaimTemplates has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue" }, { "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", @@ -21,6 +22,7 @@ "searchKey": "metadata.name=web2.spec.volumeClaimTemplates", "searchValue": "", "expectedValue": "metadata.name=web2.spec.volumeClaimTemplates has one template with a 'ReadWriteOnce'", - "actualValue": "metadata.name=web2.spec.volumeClaimTemplates does not have a template with a 'ReadWriteOnce'" + "actualValue": "metadata.name=web2.spec.volumeClaimTemplates does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json index 05f6afb09e5..2866e0565ec 100644 --- a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{app-ingress}}.spec.rules.http.paths.backend", "searchValue": "", "expectedValue": "metadata.name=app-ingress should not be exposing the workload", - "actualValue": "metadata.name=app-ingress is exposing the workload" + "actualValue": "metadata.name=app-ingress is exposing the workload", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json index 46dd0470595..3024c1a316e 100644 --- a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--insecure-bind-address flag should not be set", - "actualValue": "--insecure-bind-address flag is set" + "actualValue": "--insecure-bind-address flag is set", + "issueType": "IncorrectValue" }, { "queryName": "Insecure Bind Address Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--insecure-bind-address flag should not be set", - "actualValue": "--insecure-bind-address flag is set" + "actualValue": "--insecure-bind-address flag is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json index e4e306a4485..f1825fc2200 100644 --- a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--insecure-port flag should be set to 0", - "actualValue": "--insecure-port flag is not properly set" + "actualValue": "--insecure-port flag is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Insecure Port Not Properly Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--insecure-port flag should be defined and set to 0", - "actualValue": "--insecure-port flag is not defined" + "actualValue": "--insecure-port flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/invalid_image/test/positive_expected_result.json b/assets/queries/k8s/invalid_image/test/positive_expected_result.json index 1f5fd1d6bd4..d9a17432255 100644 --- a/assets/queries/k8s/invalid_image/test/positive_expected_result.json +++ b/assets/queries/k8s/invalid_image/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image", "searchValue": "", "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", - "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" + "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest", + "issueType": "MissingAttribute" }, { "queryName": "Invalid Image Tag", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image", "searchValue": "", "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", - "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest" + "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json index 602bde7ded3..5781c68f742 100644 --- a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--kubelet-certificate-authority flag should be set", - "actualValue": "--kubelet-certificate-authority flag is not set" + "actualValue": "--kubelet-certificate-authority flag is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json index 7a939d7299f..12c28b071fd 100644 --- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-certificate", "expectedValue": "--kubelet-client-certificate flag should be set", - "actualValue": "--kubelet-client-certificate flag is not set" + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-key", "expectedValue": "--kubelet-client-key flag should be set", - "actualValue": "--kubelet-client-key flag is not set" + "actualValue": "--kubelet-client-key flag is not set", + "issueType": "MissingAttribute" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-key", "expectedValue": "--kubelet-client-key flag should be set", - "actualValue": "--kubelet-client-key flag is not set" + "actualValue": "--kubelet-client-key flag is not set", + "issueType": "MissingAttribute" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-certificate", "expectedValue": "--kubelet-client-certificate flag should be set", - "actualValue": "--kubelet-client-certificate flag is not set" + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute" }, { "queryName": "Kubelet Client Certificate Or Key Not Set", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "Pod--kubelet-client-certificate", "expectedValue": "--kubelet-client-certificate flag should be set", - "actualValue": "--kubelet-client-certificate flag is not set" + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json index 0ddce75b1a0..969189d456a 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--rotate-certificates flag should be true", - "actualValue": "--rotate-certificates flag is false" + "actualValue": "--rotate-certificates flag is false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", @@ -21,7 +22,8 @@ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is false" + "actualValue": "rotateCertificates is false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is not set (default is false)" + "actualValue": "rotateCertificates is not set (default is false)", + "issueType": "MissingAttribute" }, { "queryName": "Kubelet Client Periodic Certificate Switch Disabled", @@ -45,6 +48,7 @@ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", "searchValue": "", "expectedValue": "rotateCertificates should be true", - "actualValue": "rotateCertificates is not set (default is false)" + "actualValue": "rotateCertificates is not set (default is false)", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json index dc93300e34b..cf82906b7be 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--event-qps flag should be set to 0", - "actualValue": "--event-qps flag is not set to 0" + "actualValue": "--event-qps flag is not set to 0", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Event QPS Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--event-qps flag should be set to 0", - "actualValue": "--event-qps flag is not set to 0" + "actualValue": "--event-qps flag is not set to 0", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Event QPS Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS", "searchValue": "", "expectedValue": "eventRecordQPS flag should set to 0", - "actualValue": "eventRecordQPS flag is not set to 0" + "actualValue": "eventRecordQPS flag is not set to 0", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Event QPS Not Properly Set", @@ -45,6 +48,7 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "eventRecordQPS flag should set to 0", - "actualValue": "eventRecordQPS flag is not defined" + "actualValue": "eventRecordQPS flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json index d1a2db55878..36c70b5a958 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--hostname-override= flag should not be defined", - "actualValue": "--hostname-override= flag is defined" + "actualValue": "--hostname-override= flag is defined", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Hostname Override Is Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--hostname-override= flag should not be defined", - "actualValue": "--hostname-override= flag is defined" + "actualValue": "--hostname-override= flag is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json index 73a603f094c..b7d9b70b0ab 100644 --- a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--kubelet-https flag should be set to true or not be defined", - "actualValue": "--kubelet-https flag is set to false" + "actualValue": "--kubelet-https flag is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json index b10fe3d9a0d..26d3ca76597 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--make-iptables-util-chains flag should be true", - "actualValue": "--make-iptables-util-chains= flag is false" + "actualValue": "--make-iptables-util-chains= flag is false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Not Managing Ip Tables", @@ -21,7 +22,8 @@ "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", "searchValue": "", "expectedValue": "makeIPTablesUtilChains should be true", - "actualValue": "makeIPTablesUtilChains is false" + "actualValue": "makeIPTablesUtilChains is false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Not Managing Ip Tables", @@ -33,6 +35,7 @@ "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", "searchValue": "", "expectedValue": "makeIPTablesUtilChains should be true", - "actualValue": "makeIPTablesUtilChains is false" + "actualValue": "makeIPTablesUtilChains is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json index 86312abd078..477a469bffa 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--protect-kernel-defaults flag should not be set to false", - "actualValue": "--protect-kernel-defaults flag is set to false" + "actualValue": "--protect-kernel-defaults flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Protect Kernel Defaults Set To False", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--protect-kernel-defaults flag should not be set to false", - "actualValue": "--protect-kernel-defaults flag is set to false" + "actualValue": "--protect-kernel-defaults flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Protect Kernel Defaults Set To False", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults", "searchValue": "", "expectedValue": "protectKernelDefaults flag should defined to true", - "actualValue": "protectKernelDefaults flag is set to false" + "actualValue": "protectKernelDefaults flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Protect Kernel Defaults Set To False", @@ -45,6 +48,7 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "protectKernelDefaults flag should defined to true", - "actualValue": "protectKernelDefaults flag is not defined" + "actualValue": "protectKernelDefaults flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json index 029fcc7a2cf..200d09bc55e 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--read-only-port flag should be '0'", - "actualValue": "--read-only-port flag is not set to '0'" + "actualValue": "--read-only-port flag is not set to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--read-only-port flag should be '0'", - "actualValue": "--read-only-port flag is not set to '0'" + "actualValue": "--read-only-port flag is not set to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", "searchValue": "", "expectedValue": "readOnlyPort attribute to have value of 0", - "actualValue": "readOnlyPort attribute has value of 1" + "actualValue": "readOnlyPort attribute has value of 1", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", @@ -45,6 +48,7 @@ "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", "searchValue": "", "expectedValue": "readOnlyPort attribute to have value of 0", - "actualValue": "readOnlyPort attribute has value of 1" + "actualValue": "readOnlyPort attribute has value of 1", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json index 2ec96dc2d06..cead41ef3b4 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--streaming-connection-idle-timeout flag not should be 0", - "actualValue": "--streaming-connection-idle-timeout flag is 0" + "actualValue": "--streaming-connection-idle-timeout flag is 0", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", @@ -21,7 +22,8 @@ "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", "searchValue": "", "expectedValue": "streamingConnectionIdleTimeout not should be 0s", - "actualValue": "streamingConnectionIdleTimeout is 0s" + "actualValue": "streamingConnectionIdleTimeout is 0s", + "issueType": "IncorrectValue" }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", @@ -33,6 +35,7 @@ "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", "searchValue": "", "expectedValue": "streamingConnectionIdleTimeout not should be 0s", - "actualValue": "streamingConnectionIdleTimeout is 0s" + "actualValue": "streamingConnectionIdleTimeout is 0s", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json index 7157a7620d0..8f67bc72813 100644 --- a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}", "searchValue": "Pod", "expectedValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe should be defined", - "actualValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe is undefined" + "actualValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json index 40548c625da..36f251aa9bc 100644 --- a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}", "searchValue": "", "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}", "searchValue": "", "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}", "searchValue": "", "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}", "searchValue": "", "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined" + "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}", "searchValue": "", "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory should be defined", - "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined" + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json index 291a8fa1b52..25797086a5f 100644 --- a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", "searchValue": "Pod", "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined" + "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined" + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", "searchValue": "Pod", "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined" + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}", "searchValue": "Pod", "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory is undefined" + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", "searchValue": "Deployment", "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", - "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined" + "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json index 3d6d292ef8f..018149001f2 100644 --- a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json +++ b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{goproxy}}.labels.app", "searchValue": "Pod", "expectedValue": "'metadata.labels.{{app}}' has valid label g**dy.l+bel.", - "actualValue": "'metadata.labels.{{app}}' has invalid label g**dy.l+bel." + "actualValue": "'metadata.labels.{{app}}' has invalid label g**dy.l+bel.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json index 0f2516f27c7..f26422b38fe 100644 --- a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{hello-apparmor-1}}", "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello1", "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] should be set to 'runtime/default' or 'localhost'", - "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] does not specify a valid AppArmor profile" + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" }, { "queryName": "Missing AppArmor Profile", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{hello-apparmor-1}}", "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello2", "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] should be set to 'runtime/default' or 'localhost'", - "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] does not specify a valid AppArmor profile" + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" }, { "queryName": "Missing AppArmor Profile", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{hello-apparmor-1}}.annotations", "searchValue": "Podcontainers2", "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations should specify an AppArmor profile for container {{hello3}}", - "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}" + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}", + "issueType": "MissingAttribute" }, { "queryName": "Missing AppArmor Profile", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata", "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container", "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'", - "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile" + "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json index 141ab3a4af8..cb763c90c49 100644 --- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin", - "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin" + "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin", + "issueType": "IncorrectValue" }, { "queryName": "Namespace Lifecycle Admission Control Plugin Disabled", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin", - "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin" + "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json index 48bb34ebea7..8314374f1e3 100644 --- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json +++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{restricted}}.spec.requiredDropCapabilities", "searchValue": "", "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'", - "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'" + "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Disabled for PSP", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{restricted2}}.spec.requiredDropCapabilities", "searchValue": "", "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'", - "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'" + "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index 5c6e514c2d9..64986eddf4a 100644 --- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop", "searchValue": "Pod", "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop includes ALL or NET_RAW", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop does not include ALL or NET_RAW" + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop does not include ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop is undefined" + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined" + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined" + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}", "searchValue": "Deployment", "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined", - "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined" + "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index fdc6749c295..4beacb587fa 100644 --- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{test-network-policy}}.spec.podSelector.matchLabels.app", "searchValue": "", "expectedValue": "'spec.podSelector.matchLabels.app' is targeting at least a pod", - "actualValue": "'spec.podSelector.matchLabels.app' is not targeting any pod" + "actualValue": "'spec.podSelector.matchLabels.app' is not targeting any pod", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json index f6fbf239f20..18a33c6e2fa 100644 --- a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities", "searchValue": "Deployment", "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined", - "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined" + "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext", "searchValue": "Deployment", "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities should be set", - "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities is undefined" + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3", "searchValue": "Deployment", "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set", - "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined" + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json index 564d04938cb..b4ed3a12d19 100644 --- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'NodeRestriction' plugin", - "actualValue": "--enable-admission-plugins flag does not contain 'NodeRestriction' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'NodeRestriction' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index 0b170aa4093..5ca0a63d3d1 100644 --- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted", - "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted" + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/lib/docker/containers' mounted", - "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/lib/docker/containers' mounted" + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/lib/docker/containers' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted", - "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted" + "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' should not have hostPath '/var/redis/data' mounted", - "actualValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' has a hostPath '/var/redis/data' mounted" + "actualValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' has a hostPath '/var/redis/data' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", - "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" + "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", - "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted" + "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", "searchValue": "", "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath" + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -93,7 +100,8 @@ "searchKey": "metadata.name={{pv-002}}.hostPath.path", "searchValue": "", "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath", - "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath" + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -105,6 +113,7 @@ "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath '/var/redis/data' mounted", - "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted" + "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json index 0225bd045ae..59d1a8bfc24 100644 --- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json +++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{restricted}}.spec", "searchValue": "", "expectedValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities should be defined", - "actualValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities is undefined" + "actualValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json index 44d93e87928..7a6d154af0e 100644 --- a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json +++ b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{database}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File", - "actualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File" + "actualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json index 3988e992d71..42939bc2cea 100644 --- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json +++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "apiVersion={{apps/v1beta1}}", "searchValue": "Deployment", "expectedValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment should be {{apps/v1}}", - "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}" + "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}", + "issueType": "IncorrectValue" }, { "queryName": "Object Is Using A Deprecated API Version", @@ -21,7 +22,8 @@ "searchKey": "apiVersion={{apps/v1beta2}}", "searchValue": "DaemonSet", "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}", - "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}" + "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}", + "issueType": "IncorrectValue" }, { "queryName": "Object Is Using A Deprecated API Version", @@ -33,7 +35,8 @@ "searchKey": "apiVersion={{extensions/v1beta1}}", "searchValue": "Ingress", "expectedValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", - "actualValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress is deprecated and is {{extensions/v1beta1}}" + "actualValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress is deprecated and is {{extensions/v1beta1}}", + "issueType": "IncorrectValue" }, { "queryName": "Object Is Using A Deprecated API Version", @@ -45,7 +48,8 @@ "searchKey": "apiVersion={{networking.k8s.io/v1beta1}}", "searchValue": "Ingress", "expectedValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", - "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}" + "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}", + "issueType": "IncorrectValue" }, { "queryName": "Object Is Using A Deprecated API Version", @@ -57,6 +61,7 @@ "searchKey": "apiVersion={{batch/v1beta1}}", "searchValue": "CronJob", "expectedValue": "metadata.name={{hello}}.apiVersion of CronJob should be {{batch/v1}}", - "actualValue": "metadata.name={{hello}}.apiVersion of CronJob is deprecated and is {{batch/v1beta1}}" + "actualValue": "metadata.name={{hello}}.apiVersion of CronJob is deprecated and is {{batch/v1beta1}}", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json index a09bf60c8e7..eca763f4e76 100644 --- a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", "searchValue": "", "expectedValue": "--peer-auto-tls flag should be set to false or not be defined", - "actualValue": "--peer-auto-tls flag is set to true" + "actualValue": "--peer-auto-tls flag is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json index 458fa2e8fb8..36bcb61bec2 100644 --- a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", "searchValue": "ClusterRole/create", "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains the value 'pods'", - "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains the value 'pods'" + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{secret-reader2}}.rules.verbs.create", "searchValue": "Role/create", "expectedValue": "metadata.name=secret-reader2.rules.verbs should not contain the value 'create' when metadata.name=secret-reader2.rules.resources contains a wildcard value", - "actualValue": "metadata.name=secret-reader2.rules.verbs contains the value 'create' and metadata.name=secret-reader2.rules.resources contains a wildcard value" + "actualValue": "metadata.name=secret-reader2.rules.verbs contains the value 'create' and metadata.name=secret-reader2.rules.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{secret-reader3}}.rules.verbs.*", "searchValue": "ClusterRole/*", "expectedValue": "metadata.name=secret-reader3.rules.verbs should not contain a wildcard value when metadata.name=secret-reader3.rules.resources contains the value 'pods'", - "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'" + "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*", "searchValue": "Role/*", "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value", - "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value" + "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{secret-reader5}}.rules.verbs.c*e", "searchValue": "ClusterRole/*", "expectedValue": "metadata.name=secret-reader5.rules.verbs should not contain a wildcard value when metadata.name=secret-reader5.rules.resources contains the value 'pods'", - "actualValue": "metadata.name=secret-reader5.rules.verbs contains a wildcard value and metadata.name=secret-reader5.rules.resources contains the value 'pods'" + "actualValue": "metadata.name=secret-reader5.rules.verbs contains a wildcard value and metadata.name=secret-reader5.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{secret-reader6}}.rules.verbs.create", "searchValue": "ClusterRole/create", "expectedValue": "metadata.name=secret-reader6.rules.verbs should not contain the value 'create' when metadata.name=secret-reader6.rules.resources contains a wildcard value", - "actualValue": "metadata.name=secret-reader6.rules.verbs contains the value 'create' and metadata.name=secret-reader6.rules.resources contains a wildcard value" + "actualValue": "metadata.name=secret-reader6.rules.verbs contains the value 'create' and metadata.name=secret-reader6.rules.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -81,6 +87,7 @@ "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", "searchValue": "ClusterRole/create", "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains a wildcard value", - "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains a wildcard value" + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains a wildcard value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json index 536e57bf60c..17ba30abbd3 100644 --- a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name=positive1-pod", "searchValue": "", "expectedValue": "Pod positive1-pod should have ingress and egress rules in matching NetworkPolicy", - "actualValue": "Pod positive1-pod has no ingress or egress rules in matching NetworkPolicy" + "actualValue": "Pod positive1-pod has no ingress or egress rules in matching NetworkPolicy", + "issueType": "MissingAttribute" }, { "queryName": "Pod Misconfigured Network Policy", @@ -21,6 +22,7 @@ "searchKey": "metadata.name=positive2-pod", "searchValue": "", "expectedValue": "Pod positive2-pod should have ingress and egress rules in matching NetworkPolicy", - "actualValue": "Pod positive2-pod has no ingress or egress rules in matching NetworkPolicy" + "actualValue": "Pod positive2-pod has no ingress or egress rules in matching NetworkPolicy", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json index 501787780a1..2180a1f1a45 100644 --- a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{frontend1}}", "searchValue": "Pod", "expectedValue": "metadata.name={{frontend1}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated" + "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without LimitRange", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{frontend2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated" + "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without LimitRange", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}", "searchValue": "DaemonSet", "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated" + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without LimitRange", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{webcontent}}", "searchValue": "PersistentVolumeClaim", "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated", - "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated" + "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json index ebaa57606c9..0cb711bad53 100644 --- a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod1}}", "searchValue": "Pod", "expectedValue": "metadata.name={{pod1}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{pod1}} does not have a 'ResourceQuota' policy associated" + "actualValue": "metadata.name={{pod1}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without ResourceQuota", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{pod2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{pod2}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated" + "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without ResourceQuota", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}", "searchValue": "DaemonSet", "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated" + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without ResourceQuota", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{webcontent}}", "searchValue": "PersistentVolumeClaim", "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated", - "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated" + "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json index 1e3825c75ed..0280b96ca93 100644 --- a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{frontend}}.spec", "searchValue": "", "expectedValue": "metadata.name={{frontend}}.spec has a security context", - "actualValue": "metadata.name={{frontend}}.spec does not have a security context" + "actualValue": "metadata.name={{frontend}}.spec does not have a security context", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator", "searchValue": "Pod", "expectedValue": "spec.containers.name=log-aggregator has a security context", - "actualValue": "spec.containers.name=log-aggregator does not have a security context" + "actualValue": "spec.containers.name=log-aggregator does not have a security context", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json index 4512b68fda0..b9e046c8bcb 100644 --- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'PodSecurityPolicy' plugin", - "actualValue": "--enable-admission-plugins flag does not contain 'PodSecurityPolicy' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'PodSecurityPolicy' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json index 06caca82f06..c78b1f4b416 100644 --- a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation", "searchValue": "Pod", "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false", - "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true" + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Allowed", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}", "searchValue": "Pod", "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined" + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Allowed", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation is undefined" + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Allowed", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined" + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Privilege Escalation Allowed", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}", "searchValue": "Pod", "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", - "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined" + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json index 6df2daf7b97..13f175a635f 100644 --- a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--profiling flag should be set to false", - "actualValue": "--profiling flag is set to true" + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Profiling Not Set To False", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo-1}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--profiling flag should be defined and set to false", - "actualValue": "--profiling flag is not defined" + "actualValue": "--profiling flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Profiling Not Set To False", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{kube-controller-manager-master-3}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--profiling flag should be set to false", - "actualValue": "--profiling flag is set to true" + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Profiling Not Set To False", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{kube-controller-manager-master-4}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--profiling flag should be defined and set to false", - "actualValue": "--profiling flag is not defined" + "actualValue": "--profiling flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Profiling Not Set To False", @@ -57,7 +61,8 @@ "searchKey": "kind={{KubeSchedulerConfiguration}}", "searchValue": "", "expectedValue": "enableProfiling argument flag should be defined and set to false", - "actualValue": "enableProfiling argument is not defined" + "actualValue": "enableProfiling argument is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Profiling Not Set To False", @@ -69,7 +74,8 @@ "searchKey": "kind={{KubeSchedulerConfiguration}}.enableProfiling", "searchValue": "", "expectedValue": "enableProfiling argument flag should be set to false", - "actualValue": "enableProfiling argument is set to true" + "actualValue": "enableProfiling argument is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Profiling Not Set To False", @@ -81,6 +87,7 @@ "searchKey": "metadata.name={{kube-scheduler-master-2}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--profiling flag should be set to false", - "actualValue": "--profiling flag is set to true" + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json index 7c0133004a3..820e96f08a8 100644 --- a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation", "searchValue": "", "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false", - "actualValue": "Attribute 'allowPrivilegeEscalation' is true" + "actualValue": "Attribute 'allowPrivilegeEscalation' is true", + "issueType": "IncorrectValue" }, { "queryName": "PSP Allows Privilege Escalation", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{privileged2}}.spec", "searchValue": "", "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set", - "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined" + "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json index e3d4910135a..56cad85120f 100644 --- a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{example}}.spec.hostIPC", "searchValue": "", "expectedValue": "'spec.hostIPC' should be set to false or undefined", - "actualValue": "'spec.hostIPC' is true" + "actualValue": "'spec.hostIPC' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json index a1f811e241a..6b41fd2461a 100644 --- a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{example}}.spec.hostPID", "searchValue": "", "expectedValue": "'spec.hostPID' should be set to false or undefined", - "actualValue": "'spec.hostPID' is true" + "actualValue": "'spec.hostPID' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json index e835a809df2..4d2caf0419a 100644 --- a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{privileged}}.spec.hostNetwork", "searchValue": "", "expectedValue": "'spec.hostNetwork' should be set to false or undefined", - "actualValue": "'spec.hostNetwork' is true" + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json index 893e3ce5440..82abb4fa6c7 100644 --- a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{example}}.spec.privileged", "searchValue": "", "expectedValue": "metadata.name={{example}}.spec.privileged should be set to false", - "actualValue": "metadata.name={{example}}.spec.privileged is true" + "actualValue": "metadata.name={{example}}.spec.privileged is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json index 2d78278f168..e021bcfbc50 100644 --- a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{privileged}}.spec.allowedCapabilities", "searchValue": "", "expectedValue": "PodSecurityPolicy should not have allowed capabilities", - "actualValue": "PodSecurityPolicy has allowed capabilities" + "actualValue": "PodSecurityPolicy has allowed capabilities", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json index 561f62b391d..df41d0189c8 100644 --- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{example}}.spec", "searchValue": "", "expectedValue": "'spec.allowedHostPaths' should be defined and not null", - "actualValue": "'spec.allowedHostPaths' is undefined or null" + "actualValue": "'spec.allowedHostPaths' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "PSP With Unrestricted Access to Host Path", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{example}}.spec.allowedHostPaths", "searchValue": "", "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", - "actualValue": "'spec.allowedHostPaths[0].readOnly' is undefined or null" + "actualValue": "'spec.allowedHostPaths[0].readOnly' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "PSP With Unrestricted Access to Host Path", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", "searchValue": "", "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", - "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false" + "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json index 6c7c104a38e..e47dd5d3576 100644 --- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{rbac-binder}}.rules", "searchValue": "", "expectedValue": "metadata.name={{rbac-binder}}.rules[0].verbs should not include the 'bind' and/or 'escalate' permission", - "actualValue": "metadata.name={{rbac-binder}}.rules[0].verbs includes the 'bind' and/or 'escalate' permission" + "actualValue": "metadata.name={{rbac-binder}}.rules[0].verbs includes the 'bind' and/or 'escalate' permission", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json index 1c472ec7495..c3387546b1c 100644 --- a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{allow-attach}}.rules", "searchValue": "", "expectedValue": "metadata.name={{allow-attach}}.rules[0].resources should not include the 'pods/attach' resource", - "actualValue": "metadata.name={{allow-attach}}.rules[0].resources includes the 'pods/attach' resource" + "actualValue": "metadata.name={{allow-attach}}.rules[0].resources includes the 'pods/attach' resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json index b638fe92841..a1bee40cba2 100644 --- a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{allow-exec}}.rules", "searchValue": "", "expectedValue": "metadata.name={{allow-exec}}.rules[0].resources should not include the 'pods/exec' resource", - "actualValue": "metadata.name={{allow-exec}}.rules[0].resources includes the 'pods/exec' resource" + "actualValue": "metadata.name={{allow-exec}}.rules[0].resources includes the 'pods/exec' resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json index 37ce0180115..9219c1b9721 100644 --- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{impersonator-role}}.rules", "searchValue": "", "expectedValue": "metadata.name={{impersonator-role}}.rules[0].verbs should not include the 'impersonate' verb", - "actualValue": "metadata.name={{impersonator-role}}.rules[0].verbs includes the 'impersonate' verb" + "actualValue": "metadata.name={{impersonator-role}}.rules[0].verbs includes the 'impersonate' verb", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json index 943434315df..b311affb6a6 100644 --- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{allow-port-forward}}.rules", "searchValue": "", "expectedValue": "metadata.name={{allow-port-forward}}.rules[0].resources should not include the 'pods/portforward' resource", - "actualValue": "metadata.name={{allow-port-forward}}.rules[0].resources includes the 'pods/portforward' resource" + "actualValue": "metadata.name={{allow-port-forward}}.rules[0].resources includes the 'pods/portforward' resource", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index ed671e00154..06f516847d1 100644 --- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{role-secret-reader}}.rules", "searchValue": "Role0", "expectedValue": "metadata.name={{role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", - "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" + "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", "searchValue": "ClusterRole0", "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", - "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects" + "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json index 4746d7f9d9d..08a232840ac 100644 --- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{configmap-modifier}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{configmap-modifier}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{configmap-modifier1}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{configmap-modifier1}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].resources should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].resources uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{configmap-modifier1}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{configmap-modifier2}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", @@ -81,6 +87,7 @@ "searchKey": "metadata.name={{configmap-modifier2}}.rules", "searchValue": "", "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].resources should list the minimal set of needed objects or actions", - "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions" + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json index 04c1ddfef68..decf98cb907 100644 --- a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}", "searchValue": "Pod", "expectedValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe should be defined", - "actualValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe is undefined" + "actualValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json index 1542d52bc1b..9b94eb16a19 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" }, { "queryName": "Request Timeout Not Properly Set", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" }, { "queryName": "Request Timeout Not Properly Set", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" }, { "queryName": "Request Timeout Not Properly Set", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" }, { "queryName": "Request Timeout Not Properly Set", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" }, { "queryName": "Request Timeout Not Properly Set", @@ -69,6 +74,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", - "actualValue": "--request-timeout flag is set to more than 300 seconds" + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json index 238d7302b72..c6243a10b6c 100644 --- a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "subjects.name=default", "searchValue": "", "expectedValue": "subjects.kind=ServiceAccount.name should not be default", - "actualValue": "subjects.kind=ServiceAccount.name is default" + "actualValue": "subjects.kind=ServiceAccount.name is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json index 3779ea672ba..5a27956d7fb 100644 --- a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--root-ca-file flag should be defined", - "actualValue": "--root-ca-file flag is not defined" + "actualValue": "--root-ca-file flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 9571544079c..7d97639ea43 100644 --- a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem", "searchValue": "Pod", "expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is true", - "actualValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is false" + "actualValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is false", + "issueType": "IncorrectValue" }, { "queryName": "Root Container Not Mounted Read-only", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}", "searchValue": "Pod", "expectedValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem should be set to true", - "actualValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem is undefined" + "actualValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json index cb3b5493e52..cffaead53ad 100644 --- a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{restricted}}.spec.privileged", "searchValue": "", "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", - "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'" + "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", "searchValue": "", "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", - "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'" + "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{restricted}}.spec.runAsUser.rule", "searchValue": "", "expectedValue": "metadata.name={{restricted}}.spec.runAsUser.rule is equal to 'MustRunAsNonRoot'", - "actualValue": "metadata.name={{restricted}}.spec.runAsUser.rule is not equal to 'MustRunAsNonRoot'" + "actualValue": "metadata.name={{restricted}}.spec.runAsUser.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{restricted}}.spec.supplementalGroups.rule", "searchValue": "", "expectedValue": "metadata.name={{restricted}}.spec.supplementalGroups limits its ranges", - "actualValue": "metadata.name={{restricted}}.spec.supplementalGroups does not limit its ranges" + "actualValue": "metadata.name={{restricted}}.spec.supplementalGroups does not limit its ranges", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{restricted}}.spec.fsGroup", "searchValue": "", "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", - "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)" + "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json index 846ec83a764..10148fd6824 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kind={{KubeletConfiguration}}.featureGates", "searchValue": "", "expectedValue": "RotateKubeletServerCertificates should be true", - "actualValue": "RotateKubeletServerCertificate is false" + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": "IncorrectValue" }, { "queryName": "Rotate Kubelet Server Certificate Not Active", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", - "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue" }, { "queryName": "Rotate Kubelet Server Certificate Not Active", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.featureGates", "searchValue": "", "expectedValue": "RotateKubeletServerCertificates should be true", - "actualValue": "RotateKubeletServerCertificate is false" + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": "IncorrectValue" }, { "queryName": "Rotate Kubelet Server Certificate Not Active", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", "searchValue": "", "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", - "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false" + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json index 39d70289a22..43799dd744b 100644 --- a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", "searchValue": "Pod", "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", "searchValue": "Pod", "expectedValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined" + "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", "searchValue": "Pod", "expectedValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "actualValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", "searchValue": "CronJob", "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", "searchValue": "Deployment", "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", "searchValue": "Deployment", "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", "searchValue": "Deployment", "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -93,6 +100,7 @@ "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", "searchValue": "Deployment", "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", - "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'" + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json index ed3cb95c723..3ee80c8689f 100644 --- a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", "searchValue": "Pod", "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", - "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined" + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue" }, { "queryName": "Secrets As Environment Variables", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", "searchValue": "Pod", "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", - "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined" + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue" }, { "queryName": "Secrets As Environment Variables", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{envfrom-secret}}.spec.containers.name={{envars-test-container}}.envFrom", "searchValue": "Pod", "expectedValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' should be undefined", - "actualValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' is defined" + "actualValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json index 98a3e1a7d5d..443a1f27101 100644 --- a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--secure-port flag should not be set to 0", - "actualValue": "--secure-port flag is set to 0" + "actualValue": "--secure-port flag is set to 0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json index e4e8916f328..c5a50461825 100644 --- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--enable-admission-plugins flag should contain 'SecurityContextDeny' plugin if 'PodSecurityPolicy' plugin should not be set", - "actualValue": "--enable-admission-plugins flag does not contain 'SecurityContextDeny' plugin" + "actualValue": "--enable-admission-plugins flag does not contain 'SecurityContextDeny' plugin", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json index 2baeeabcaa3..88318277318 100644 --- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", - "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin" + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Admission Control Plugin Disabled", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", - "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin" + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json index a3cebcecced..1f4d5156d2d 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{testRoleVulnerable}}.rules", "searchValue": "Role", "expectedValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"get\", \"watch\", \"list\"]]", - "actualValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs contain the following verbs: [[\"get\", \"watch\", \"list\"]]" + "actualValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "issueType": "IncorrectValue" }, { "queryName": "ServiceAccount Allows Access Secrets", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{testRoleVulnerable2}}.rules", "searchValue": "Role", "expectedValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs should not contain the following verbs: [[\"*\"]]", - "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]" + "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]", + "issueType": "IncorrectValue" }, { "queryName": "ServiceAccount Allows Access Secrets", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", "searchValue": "ClusterRole", "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", - "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]" + "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json index c2028b2d191..8bb6ac5d250 100644 --- a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--service-account-key-file flag should be defined and have a PEM encoded file", - "actualValue": "--service-account-key-file flag is not defined" + "actualValue": "--service-account-key-file flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json index cd5e4358f69..2f55e5781f7 100644 --- a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--service-account-lookup flag should be set to true", - "actualValue": "--service-account-lookup flag is set to false" + "actualValue": "--service-account-lookup flag is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json index c927cf115bb..3dd5c03127e 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{nginx.container}}.spec", "searchValue": "", "expectedValue": "metadata.name=nginx.container.spec.serviceAccountName should be defined", - "actualValue": "metadata.name=nginx.container.spec.serviceAccountName is undefined" + "actualValue": "metadata.name=nginx.container.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Name Undefined Or Empty", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{nginx2.container.group}}.spec", "searchValue": "", "expectedValue": "metadata.name=nginx2.container.group.spec.serviceAccountName should be defined", - "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined" + "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Name Undefined Or Empty", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", "searchValue": "", "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", - "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty" + "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json index e29c93811f6..08b017f7974 100644 --- a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--service-account-private-key-file flag should be defined", - "actualValue": "--service-account-private-key-file flag is not defined" + "actualValue": "--service-account-private-key-file flag is not defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json index 8cf1bbede10..c8c1e0e5514 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec", "searchValue": "Pod", "expectedValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken should be defined and set to false", - "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined" + "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken", "searchValue": "Pod", "expectedValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken should be set to false", - "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true" + "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", "searchValue": "Configuration", "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", - "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true" + "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", "searchValue": "", "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", - "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true" + "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json index 9e9a72fd557..f2e25bd57a6 100644 --- a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{helloworld2}}.spec.selector", "searchValue": "", "expectedValue": "metadata.name={{helloworld2}}.spec.selector label refers to a Pod label", - "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label" + "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label", + "issueType": "IncorrectValue" }, { "queryName": "Service Does Not Target Pod", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", "searchValue": "", "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", - "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port" + "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json index 68d6aace0cb..7d1ec0305f8 100644 --- a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{my-service}}.spec.type", "searchValue": "", "expectedValue": "spec.type should not be 'NodePort'", - "actualValue": "spec.type is 'NodePort'" + "actualValue": "spec.type is 'NodePort'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json index 1c20e34863f..8a4064cabae 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{sample-service 05}}", "searchValue": "", "expectedValue": "'metadata.annotations' should be set", - "actualValue": "'metadata.annotations' is undefined" + "actualValue": "'metadata.annotations' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service With External Load Balancer", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{sample-service 05334443}}.annotations", "searchValue": "", "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{sample-service 07}}.annotations", "searchValue": "", "expectedValue": "metadata.name={{sample-service 07}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 07}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "actualValue": "metadata.name={{sample-service 07}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{sample-service 08}}.annotations", "searchValue": "", "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{sample-service 09}}.annotations", "searchValue": "", "expectedValue": "metadata.name={{sample-service 09}} using an external Load Balancer provider by cloud provider", - "actualValue": "metadata.name={{sample-service 09}} is exposing a workload, not using an external Load Balancer provider by cloud provider" + "actualValue": "metadata.name={{sample-service 09}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json index 5035c6adad2..237de028992 100644 --- a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.hostIPC", "searchValue": "", "expectedValue": "'spec.hostIPC' should be set to false or undefined", - "actualValue": "'spec.hostIPC' is true" + "actualValue": "'spec.hostIPC' is true", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host IPC Namespace", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostIPC", "searchValue": "", "expectedValue": "'spec.template.spec.hostIPC' should be set to false or undefined", - "actualValue": "'spec.template.spec.hostIPC' is true" + "actualValue": "'spec.template.spec.hostIPC' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json index 92fb308a190..77040526e0a 100644 --- a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.hostNetwork", "searchValue": "", "expectedValue": "'spec.hostNetwork' should be set to false or undefined", - "actualValue": "'spec.hostNetwork' is true" + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host Network Namespace", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", "searchValue": "", "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", - "actualValue": "'spec.template.spec.hostNetwork' is true" + "actualValue": "'spec.template.spec.hostNetwork' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json index a49d0e71858..10b40b54953 100644 --- a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{security-context-demo}}.spec.hostPID", "searchValue": "", "expectedValue": "'spec.hostPID' should be set to false or undefined", - "actualValue": "'spec.hostPID' is true" + "actualValue": "'spec.hostPID' is true", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host PID Namespace", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostPID", "searchValue": "", "expectedValue": "'spec.template.spec.hostPID' should be set to false or undefined", - "actualValue": "'spec.template.spec.hostPID' is true" + "actualValue": "'spec.template.spec.hostPID' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 0e171f32309..bd097d53573 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", "searchValue": "", "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", - "actualValue": "'spec.serviceAccountName' is shared with other workloads" + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue" }, { "queryName": "Shared Service Account", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", "searchValue": "", "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", - "actualValue": "'spec.serviceAccountName' is shared with other workloads" + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json index 6453b857040..ef88cbf0a09 100644 --- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{zk-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", "searchValue": "", "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", - "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata" + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata", + "issueType": "IncorrectValue" }, { "queryName": "StatefulSet Has No PodAntiAffinity", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{zk-noaffinity}}.spec.template.spec.affinity", "searchValue": "", "expectedValue": "'spec.template.spec.affinity.podAntiAffinity' should be set", - "actualValue": "'spec.template.spec.affinity.podAntiAffinity' is undefined" + "actualValue": "'spec.template.spec.affinity.podAntiAffinity' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json index 108dfa73096..155c90c2a7a 100644 --- a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", "searchValue": "", "expectedValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", - "actualValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi" + "actualValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue" }, { "queryName": "StatefulSet Requests Storage", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", "searchValue": "", "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", - "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi" + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue" }, { "queryName": "StatefulSet Requests Storage", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", "searchValue": "", "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", - "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi" + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index c5de8cb9d0a..bbaadccd4d2 100644 --- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{web}}.spec.selector.matchLabels", "searchValue": "", "expectedValue": "metadata.name=web is targeted by a PodDisruptionBudget", - "actualValue": "metadata.name=web is not targeted by a PodDisruptionBudget" + "actualValue": "metadata.name=web is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json index 592e41ae003..c3883bbfb40 100644 --- a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name=web.spec.serviceName", "searchValue": "", "expectedValue": "metadata.name=web.spec.serviceName should refer to a Headless Service", - "actualValue": "metadata.name=web.spec.serviceName doesn't refers to a Headless Service" + "actualValue": "metadata.name=web.spec.serviceName doesn't refers to a Headless Service", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json index c42c54d2fbf..551cd775df4 100644 --- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", - "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value" + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue" }, { "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", - "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value" + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json index 7d57696d764..4ac2c3a103e 100644 --- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", "searchValue": "", "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", - "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost" + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost", + "issueType": "IncorrectValue" }, { "queryName": "Tiller Deployment Is Accessible From Within The Cluster", @@ -21,6 +22,7 @@ "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", "searchValue": "", "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", - "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined" + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json index 106dbc2ca73..1fa902013b0 100644 --- a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{tiller-deploy}}", "searchValue": "Deployment", "expectedValue": "'metadata' of Deployment should not refer to any Tiller resource", - "actualValue": "'metadata' of Deployment refers to a Tiller resource" + "actualValue": "'metadata' of Deployment refers to a Tiller resource", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{tiller-deploy}}.spec.containers", "searchValue": "Deployment", "expectedValue": "'spec.containers' of Deployment shouldn't have any Tiller containers", - "actualValue": "'spec.containers' of Deployment contains a Tiller container" + "actualValue": "'spec.containers' of Deployment contains a Tiller container", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{tiller-deploy}}.spec.template.metadata", "searchValue": "Deployment", "expectedValue": "'spec.template.metadata' should not refer to any Tiller resource%!(EXTRA string=Deployment)", - "actualValue": "'spec.template.metadata' refers to a Tiller resource%!(EXTRA string=Deployment)" + "actualValue": "'spec.template.metadata' refers to a Tiller resource%!(EXTRA string=Deployment)", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -45,6 +48,7 @@ "searchKey": "metadata.name={{tiller-deploy}}.spec.template.spec.containers", "searchValue": "Deployment", "expectedValue": "'spec.template.spec.containers' of Deployment shouldn't have any Tiller containers", - "actualValue": "'spec.template.spec.containers' of Deployment contains a Tiller container" + "actualValue": "'spec.template.spec.containers' of Deployment contains a Tiller container", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json index a880bf40141..49d2818fe7e 100644 --- a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{tiller-deploy}}", "searchValue": "Service", "expectedValue": "metadata.name of Service should not contain 'tiller'", - "actualValue": "metadata.name of Service contains 'tiller'" + "actualValue": "metadata.name of Service contains 'tiller'", + "issueType": "IncorrectValue" }, { "queryName": "Tiller Service Is Not Deleted", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{tiller-deploy}}", "searchValue": "Service", "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'", - "actualValue": "metadata.labels.Service of name contains 'tiller'" + "actualValue": "metadata.labels.Service of name contains 'tiller'", + "issueType": "IncorrectValue" }, { "queryName": "Tiller Service Is Not Deleted", @@ -33,6 +35,7 @@ "searchKey": "metadata.name={{tiller-deploy}}.spec.selector.name", "searchValue": "Service", "expectedValue": "spec.selector of Service should not have values that contain 'tiller'", - "actualValue": "spec.selector.Service of name contains 'tiller'" + "actualValue": "spec.selector.Service of name contains 'tiller'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index e8cb16c7bd9..7d92097a8c3 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "--tls-cert-file", "expectedValue": "TLS --tls-cert-file connection setting should be set", - "actualValue": "TLS --tls-cert-file connection not set" + "actualValue": "TLS --tls-cert-file connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "--tls-private-key-file", "expectedValue": "TLS --tls-private-key-file connection setting should be set", - "actualValue": "TLS --tls-private-key-file connection not set" + "actualValue": "TLS --tls-private-key-file connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "tlsCertFile", "expectedValue": "TLS tlsCertFile connection setting should be set", - "actualValue": "TLS tlsCertFile connection not set" + "actualValue": "TLS tlsCertFile connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -45,7 +48,8 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "tlsPrivateKeyFile", "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", - "actualValue": "TLS tlsPrivateKeyFile connection not set" + "actualValue": "TLS tlsPrivateKeyFile connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", @@ -57,6 +61,7 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "tlsPrivateKeyFile", "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", - "actualValue": "TLS tlsPrivateKeyFile connection not set" + "actualValue": "TLS tlsPrivateKeyFile connection not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json index a9cadcefad1..eeb10a51b6b 100644 --- a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--token-auth-file flag should not be set", - "actualValue": "--token-auth-file flag is set" + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue" }, { "queryName": "Token Auth File Is Set", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--token-auth-file flag should not be set", - "actualValue": "--token-auth-file flag is set" + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json index 797263586b9..525ec8c58dc 100644 --- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--use-service-account-credentials flag should be set to true", - "actualValue": "--use-service-account-credentials flag is set to false" + "actualValue": "--use-service-account-credentials flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Use Service Account Credentials Not Set To True", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "--use-service-account-credentials flag should be defined and set to true", - "actualValue": "--use-service-account-credentials flag is not defined" + "actualValue": "--use-service-account-credentials flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json index df275fbd3a6..639745ba31d 100644 --- a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json +++ b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "metadata.name={{cluster-secrets}}", "searchValue": "", "expectedValue": "External secret storage should be used", - "actualValue": "External secret storage is not in use" + "actualValue": "External secret storage is not in use", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json index 3fec034ac08..fec5611be06 100644 --- a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{frontend}}.namespace", "searchValue": "Pod", "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", - "actualValue": "'metadata.namespace' is set to default" + "actualValue": "'metadata.namespace' is set to default", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", @@ -21,7 +22,8 @@ "searchKey": "kind={{Pod}}.metadata.name={{frontend2}}", "searchValue": "Pod", "expectedValue": "metadata.namespace should be defined and not null", - "actualValue": "metadata.namespace is undefined or null" + "actualValue": "metadata.namespace is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Using Unrecommended Namespace", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", "searchValue": "Pod", "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", - "actualValue": "'metadata.namespace' is set to kube-public" + "actualValue": "'metadata.namespace' is set to kube-public", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", "searchValue": "Pod", "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", - "actualValue": "'metadata.namespace' is set to kube-system" + "actualValue": "'metadata.namespace' is set to kube-system", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", @@ -57,6 +61,7 @@ "searchKey": "metadata.name={{dummy-config}}.namespace", "searchValue": "Configuration", "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", - "actualValue": "'metadata.namespace' is set to default" + "actualValue": "'metadata.namespace' is set to default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 8c399248f90..35e74dd64b0 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to false or Disabled, respectively" + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -93,7 +100,8 @@ "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", "searchValue": "PodreadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -105,7 +113,8 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", - "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}" + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -117,6 +126,7 @@ "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", "searchValue": "PodrecursiveReadOnly", "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", - "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively" + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json index 07574051422..f9496076444 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "TLS cipher suites should use strong ciphers", - "actualValue": "TLS cipher suites uses a weak cipher" + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "Weak TLS Cipher Suites", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", "searchValue": "", "expectedValue": "TLS cipher suites should use strong ciphers", - "actualValue": "TLS cipher suites uses a weak cipher" + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "Weak TLS Cipher Suites", @@ -33,7 +35,8 @@ "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", "searchValue": "", "expectedValue": "TLS cipher suites should use strong ciphers", - "actualValue": "TLS cipher suites uses a weak cipher" + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "Weak TLS Cipher Suites", @@ -45,6 +48,7 @@ "searchKey": "kind={{KubeletConfiguration}}", "searchValue": "", "expectedValue": "KubeletConfiguration should have 'tlsCipherSuites' attribute with strong ciphers defined", - "actualValue": "TLS cipher suites are not defined" + "actualValue": "TLS cipher suites are not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json index e7c4b1c0aa9..13ec0f8e57a 100644 --- a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name=firstpod.spec.containers.name=container.ports", "searchValue": "", "expectedValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort should not be defined", - "actualValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort is defined" + "actualValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort is defined", + "issueType": "IncorrectValue" }, { "queryName": "Workload Host Port Not Specified", @@ -21,6 +22,7 @@ "searchKey": "metadata.name=secondpod.spec.template.spec.containers.name=container2.ports", "searchValue": "", "expectedValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort should not be defined", - "actualValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort is defined" + "actualValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index e0cd3d03ece..d389dd00e09 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", - "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath" + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -21,7 +22,8 @@ "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", - "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath" + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -33,7 +35,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", - "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath" + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -45,7 +48,8 @@ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/lib/docker/containers' with hostPath", - "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/lib/docker/containers' with hostPath" + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -57,7 +61,8 @@ "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", - "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath" + "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -69,7 +74,8 @@ "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", - "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath" + "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -81,7 +87,8 @@ "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", - "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath" + "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -93,7 +100,8 @@ "searchKey": "metadata.name={{web-server-pod}}.spec.volumes.name={{nginx-host-config}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'web-server-pod' of kind 'Pod' should not mount a host sensitive OS directory '/etc/nginx' with hostPath", - "actualValue": "Workload name 'web-server-pod' of kind 'Pod' is mounting a host sensitive OS directory '/etc/nginx' with hostPath" + "actualValue": "Workload name 'web-server-pod' of kind 'Pod' is mounting a host sensitive OS directory '/etc/nginx' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -105,7 +113,8 @@ "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'malicious-pod' of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath" + "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -117,7 +126,8 @@ "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", - "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath" + "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -129,7 +139,8 @@ "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", "searchValue": "", "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", - "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath" + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -141,7 +152,8 @@ "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", "searchValue": "", "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", - "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath" + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -153,6 +165,7 @@ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", "searchValue": "", "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", - "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath" + "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json index 537d41a52ed..53d5fa8a777 100644 --- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json +++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec", "searchValue": "", "expectedValue": "Service should have 'timeoutSeconds' defined in 'template.spec'", - "actualValue": "Service 'timeoutSeconds' is not defined in 'template.spec'" + "actualValue": "Service 'timeoutSeconds' is not defined in 'template.spec'", + "issueType": "MissingAttribute" }, { "queryName": "Serving Revision Spec Without Timeout Seconds", @@ -21,6 +22,7 @@ "searchKey": "metadata.name={{dummy}}.spec.template.spec.timeoutSeconds", "searchValue": "", "expectedValue": "Service should have 'timeoutSeconds' defined to a value higher than '0'", - "actualValue": "Service 'timeoutSeconds' is set to '0'" + "actualValue": "Service 'timeoutSeconds' is set to '0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json index 3f986925495..2682355a567 100644 --- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "basePath={{api/incorrect}}", "searchValue": "", "expectedValue": "'basePath' value matches the pattern '^/'", - "actualValue": "'basePath' value doesn't match the pattern '^/'" + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue" }, { "queryName": "BasePath With Wrong Format", @@ -21,6 +22,7 @@ "searchKey": "basePath={{api/incorrect}}", "searchValue": "", "expectedValue": "'basePath' value matches the pattern '^/'", - "actualValue": "'basePath' value doesn't match the pattern '^/'" + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json index 21c0c252d9b..9693951755e 100644 --- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", - "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", @@ -21,7 +22,8 @@ "searchKey": "parameters.limitParam.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", - "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", - "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", @@ -45,6 +48,7 @@ "searchKey": "parameters.limitParam.desc", "searchValue": "", "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", - "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter" + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json index fae329c4d50..e1362f8c381 100644 --- a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", @@ -21,7 +22,8 @@ "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", @@ -45,6 +48,7 @@ "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index 7df036ca432..bb6a22b4d1d 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", "expectedValue": "Type numeric should not have enum and constraining keywords", - "actualValue": "Type numeric has enum and minimum" + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", "expectedValue": "Type string should not have enum and constraining keywords", - "actualValue": "Type string has enum and maxLength" + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -33,7 +35,8 @@ "searchKey": "definitions.Category.properties.id.minimum", "searchValue": "", "expectedValue": "Type numeric should not have enum and constraining keywords", - "actualValue": "Type numeric has enum and minimum" + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -45,7 +48,8 @@ "searchKey": "definitions.Category.properties.name.maxLength", "searchValue": "", "expectedValue": "Type string should not have enum and constraining keywords", - "actualValue": "Type string has enum and maxLength" + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", "expectedValue": "Type numeric should not have enum and constraining keywords", - "actualValue": "Type numeric has enum and minimum" + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", "searchValue": "", "expectedValue": "Type string should not have enum and constraining keywords", - "actualValue": "Type string has enum and maxLength" + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -81,7 +87,8 @@ "searchKey": "definitions.Category.properties.id.minimum", "searchValue": "", "expectedValue": "Type numeric should not have enum and constraining keywords", - "actualValue": "Type numeric has enum and minimum" + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", @@ -93,6 +100,7 @@ "searchKey": "definitions.Category.properties.name.maxLength", "searchValue": "", "expectedValue": "Type string should not have enum and constraining keywords", - "actualValue": "Type string has enum and maxLength" + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json index 88fb0744514..75937285f43 100644 --- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", - "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter" + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue" }, { "queryName": "File Parameter With Wrong Consumes Property", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", - "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter" + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json index 4d5eeafd560..f7384b7903b 100644 --- a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Global Schemes Uses HTTP", @@ -21,6 +22,7 @@ "searchKey": "schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json index 6f2eff2f6d5..53cc01b345c 100644 --- a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", - "actualValue": "'security' is using 'password' flow in OAuth2 authentication" + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Using Password Flow", @@ -21,6 +22,7 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", - "actualValue": "'security' is using 'password' flow in OAuth2 authentication" + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json index 38b56a626c0..06de4298cc2 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "host", "searchValue": "", "expectedValue": "Host should be a valid name or IP", - "actualValue": "kics.io/test is not valid IP or name" + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue" }, { "queryName": "Host With Invalid Pattern", @@ -21,6 +22,7 @@ "searchKey": "host", "searchValue": "", "expectedValue": "Host should be a valid name or IP", - "actualValue": "kics.io/test is not valid IP or name" + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json index b5449a33cca..4eb32fbae22 100644 --- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", "searchValue": "", "expectedValue": "OAuth2 security definitions flow should not use implicit flow", - "actualValue": "OAuth2 security definitions flow is using implicit flow" + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue" }, { "queryName": "Implicit Flow in OAuth2 (v2)", @@ -21,6 +22,7 @@ "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", "searchValue": "", "expectedValue": "OAuth2 security definitions flow should not use implicit flow", - "actualValue": "OAuth2 security definitions flow is using implicit flow" + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json index 644a75914fe..9322a056571 100644 --- a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.produces.image/ png", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is a invalid value" + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is a invalid value" + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.produces.image/ png", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is a invalid value" + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is a invalid value" + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json index b16e4e15a8f..f8a20c131d5 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v2)", @@ -21,6 +22,7 @@ "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json index d755bcd101a..bfda648e57b 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "securityDefinitions.api_key.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", @@ -21,7 +22,8 @@ "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", @@ -33,7 +35,8 @@ "searchKey": "securityDefinitions.api_key.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", @@ -45,6 +48,7 @@ "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index ee3c61b8ca4..23e67efdc55 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", "searchValue": "", "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", - "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters" + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute" }, { "queryName": "Parameter JSON Reference Does Not Exist (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", "searchValue": "", "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", - "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters" + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 017c8503acc..cafede0aefa 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", "searchValue": "", "expectedValue": "Succes from #/responses/Succes should be declared on responses", - "actualValue": "Succes from #/responses/Succes is not declared on responses" + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute" }, { "queryName": "Responses JSON Reference Does Not Exists (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", "searchValue": "", "expectedValue": "Succes from #/responses/Succes should be declared on responses", - "actualValue": "Succes from #/responses/Succes is not declared on responses" + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index ee42a323381..95b83b18172 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", "searchValue": "", "expectedValue": "Use from #/definitions/Use should be declared on definitions", - "actualValue": "Use from #/definitions/Use is not declared on definitions" + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute" }, { "queryName": "Schema JSON Reference Does Not Exist (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", "searchValue": "", "expectedValue": "Use from #/definitions/Use should be declared on definitions", - "actualValue": "Use from #/definitions/Use is not declared on definitions" + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json index ddc0accae5c..9a366fd6aed 100644 --- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "Operation's parameters should have just one body type parameter", - "actualValue": "Operation's parameters has more than one body type parameter" + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue" }, { "queryName": "Multiple Body Parameters In The Same Operation", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "Operation's parameters should have just one body type parameter", - "actualValue": "Operation's parameters has more than one body type parameter" + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json index a432fbb5e4f..64d23cc6c72 100644 --- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", - "actualValue": "'in' field is path" + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", @@ -21,7 +22,8 @@ "searchKey": "parameters.name=limit.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", - "actualValue": "'in' field is path" + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", - "actualValue": "'in' field is path" + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", @@ -45,6 +48,7 @@ "searchKey": "parameters.name=limit.in", "searchValue": "", "expectedValue": "'in' field should be 'query' or 'formData'", - "actualValue": "'in' field is path" + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json index 5ab53f82361..af085dfff51 100644 --- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", "searchValue": "", "expectedValue": "'schema' should not be set", - "actualValue": "'schema' is set" + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", @@ -21,7 +22,8 @@ "searchKey": "parameters.name=limit.schema", "searchValue": "", "expectedValue": "'schema' should not be set", - "actualValue": "'schema' is set" + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", "searchValue": "", "expectedValue": "'schema' should not be set", - "actualValue": "'schema' is set" + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", @@ -45,6 +48,7 @@ "searchKey": "parameters.name=limit.schema", "searchValue": "", "expectedValue": "'schema' should not be set", - "actualValue": "'schema' is set" + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json index 5267c3eb902..f8f6533f1ea 100644 --- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", - "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'" + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue" }, { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", @@ -21,6 +22,7 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", - "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'" + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json index adaa8558502..42d06a05fbc 100644 --- a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "info.", "searchValue": "", "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", @@ -21,7 +22,8 @@ "searchKey": "parameters.{{limitParam}}", "searchValue": "", "expectedValue": "Parameter object has 'type' defined", - "actualValue": "Parameter object does not have 'type' defined" + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", @@ -33,7 +35,8 @@ "searchKey": "info.", "searchValue": "", "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", @@ -45,6 +48,7 @@ "searchKey": "parameters.{{limitParam}}", "searchValue": "", "expectedValue": "Parameter object has 'type' defined", - "actualValue": "Parameter object does not have 'type' defined" + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json index afc715b318a..6d0eda861cb 100644 --- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", "searchValue": "", "expectedValue": "Example MimeType should be listed on produces", - "actualValue": "Example MimeType is not listed on produces" + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute" }, { "queryName": "Operation Example Mismatch Produces MimeType", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", "searchValue": "", "expectedValue": "Example MimeType should be listed on produces", - "actualValue": "Example MimeType is not listed on produces" + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json index 1739aa31b8d..5b9b26fa967 100644 --- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", - "actualValue": "operation object parameters use both 'body' and 'formatData' locations" + "actualValue": "operation object parameters use both 'body' and 'formatData' locations", + "issueType": "IncorrectValue" }, { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", - "actualValue": "operation object parameters use both 'body' and 'formatData' locations" + "actualValue": "operation object parameters use both 'body' and 'formatData' locations", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json index 203832ebe1d..5ecdd0af134 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.put", "searchValue": "", "expectedValue": "paths.{{/}}.put 'consumes' should be defined", - "actualValue": "paths.{{/}}.put 'consumes' is missing" + "actualValue": "paths.{{/}}.put 'consumes' is missing", + "issueType": "MissingAttribute" }, { "queryName": "Operation Object Without 'consumes'", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.put", "searchValue": "", "expectedValue": "paths.{{/}}.put 'consumes' should be defined", - "actualValue": "paths.{{/}}.put 'consumes' is missing" + "actualValue": "paths.{{/}}.put 'consumes' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json index 7e9bc65dcc4..b8fe5f39c8a 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get", "searchValue": "", "expectedValue": "paths.{{/}}.get 'produces' should be defined", - "actualValue": "paths.{{/}}.get 'produces' is missing" + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute" }, { "queryName": "Operation Object Without 'produces'", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get", "searchValue": "", "expectedValue": "paths.{{/}}.get 'produces' should be defined", - "actualValue": "paths.{{/}}.get 'produces' is missing" + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json index 75de419f123..14bf2d167ba 100644 --- a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.summary", "searchValue": "", "expectedValue": "Operation summary should not be less than 120 characters", - "actualValue": "Operation summary is less than 120 characters" + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue" }, { "queryName": "Operation Summary Too Long", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.summary", "searchValue": "", "expectedValue": "Operation summary should not be less than 120 characters", - "actualValue": "Operation summary is less than 120 characters" + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json index ae4d5f7aa3a..445a40bcf04 100644 --- a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using basic authentication", - "actualValue": "Operation Object is using basic authentication" + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue" }, { "queryName": "Operation Using Basic Auth", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using basic authentication", - "actualValue": "Operation Object is using basic authentication" + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json index ab8801882c4..482c89314b7 100644 --- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using implicit flow", - "actualValue": "Operation Object is using implicit flow" + "actualValue": "Operation Object is using implicit flow", + "issueType": "IncorrectValue" }, { "queryName": "Operation Using Implicit Flow", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using implicit flow", - "actualValue": "Operation Object is using implicit flow" + "actualValue": "Operation Object is using implicit flow", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json index 4cef6239dd9..ec0926ca890 100644 --- a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", - "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication" + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" }, { "queryName": "Operation Using Password Flow", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", - "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication" + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json index 2b7564dc311..5e7a8605b94 100644 --- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter File Type Not In 'formData'", @@ -21,7 +22,8 @@ "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter File Type Not In 'formData'", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=limit2", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter File Type Not In 'formData'", @@ -45,6 +48,7 @@ "searchKey": "parameters.name=limit", "searchValue": "", "expectedValue": "'schema' should be set", - "actualValue": "'schema' is undefined" + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json index 1c32ce4a0ed..79db3c98be1 100644 --- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", "searchValue": "", "expectedValue": "Parameters ref points to '#/parameters'", - "actualValue": "Parameters ref doesn't point to '#/parameters'" + "actualValue": "Parameters ref doesn't point to '#/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", "searchValue": "", "expectedValue": "Parameters ref points to '#/parameters'", - "actualValue": "Parameters ref doesn't point to '#/parameters'" + "actualValue": "Parameters ref doesn't point to '#/parameters'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json index b0d2c0eec64..d57a530626d 100644 --- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Path Scheme Accepts HTTP (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json index dae6776af56..24d0a403610 100644 --- a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", "searchValue": "", "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", - "actualValue": "'address' property is not unique throughout the whole API" + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", - "actualValue": "'age' property is not unique throughout the whole API" + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -45,7 +48,8 @@ "searchKey": "parameters.limitParam.properties.name", "searchValue": "", "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -57,7 +61,8 @@ "searchKey": "parameters.limitParam.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", - "actualValue": "'address' property is not unique throughout the whole API" + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -69,7 +74,8 @@ "searchKey": "parameters.limitParam.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", - "actualValue": "'age' property is not unique throughout the whole API" + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", "searchValue": "", "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", - "actualValue": "'address' property is not unique throughout the whole API" + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", - "actualValue": "'age' property is not unique throughout the whole API" + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -117,7 +126,8 @@ "searchKey": "parameters.limitParam.properties.name", "searchValue": "", "expectedValue": "'name' property is unique throughout the whole API", - "actualValue": "'name' property is not unique throughout the whole API" + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -129,7 +139,8 @@ "searchKey": "parameters.limitParam.properties.address", "searchValue": "", "expectedValue": "'address' property is unique throughout the whole API", - "actualValue": "'address' property is not unique throughout the whole API" + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue" }, { "queryName": "Property Not Unique", @@ -141,6 +152,7 @@ "searchKey": "parameters.limitParam.properties.age", "searchValue": "", "expectedValue": "'age' property is unique throughout the whole API", - "actualValue": "'age' property is not unique throughout the whole API" + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json index 176962678f1..f935f08d2ae 100644 --- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/responses'", - "actualValue": "Response ref doesn't point to '#/responses'" + "actualValue": "Response ref doesn't point to '#/responses'", + "issueType": "IncorrectValue" }, { "queryName": "Response Object With Incorrect Ref (v2)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/responses'", - "actualValue": "Response ref doesn't point to '#/responses'" + "actualValue": "Response ref doesn't point to '#/responses'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json index 2bc6075b04e..024dc5760ad 100644 --- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "responses.Success.schema.$ref", "searchValue": "", "expectedValue": "Schema ref points to '#/definitions'", - "actualValue": "Schema ref doesn't point to '#/definitions'" + "actualValue": "Schema ref doesn't point to '#/definitions'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Incorrect Ref (v2)", @@ -21,6 +22,7 @@ "searchKey": "responses.Success.schema.$ref", "searchValue": "", "expectedValue": "Schema ref points to '#/definitions'", - "actualValue": "Schema ref doesn't point to '#/definitions'" + "actualValue": "Schema ref doesn't point to '#/definitions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json index 2f0e9f942e2..187792791b9 100644 --- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", @@ -45,7 +48,8 @@ "searchKey": "definitions.User.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" }, { "queryName": "Schema with 'additionalProperties' set as Boolean", @@ -69,6 +74,7 @@ "searchKey": "definitions.User.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set as an object value", - "actualValue": "'additionalProperties' is set as a boolean value" + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json index a6673f2ab39..760520014d2 100644 --- a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Schemes Uses HTTP", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.schemes.http", "searchValue": "", "expectedValue": "The Scheme list uses only 'HTTPS' protocol", - "actualValue": "The Scheme list uses 'HTTP' protocol" + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json index 6e72c3820ea..dac7bb86cb0 100644 --- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", "searchValue": "", "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", - "actualValue": "security definition allows 'password' flow in OAuth2 authentication" + "actualValue": "security definition allows 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Definitions Allows Password Flow", @@ -21,6 +22,7 @@ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", "searchValue": "", "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", - "actualValue": "security definition allows 'password' flow in OAuth2 authentication" + "actualValue": "security definition allows 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json index 189abc763fe..8b36380cfca 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", - "actualValue": "'securityDefinitions' is undefined or empty" + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute" }, { "queryName": "Security Definitions Undefined or Empty", @@ -21,7 +22,8 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", - "actualValue": "'securityDefinitions' is undefined or empty" + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute" }, { "queryName": "Security Definitions Undefined or Empty", @@ -33,7 +35,8 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", - "actualValue": "'securityDefinitions' is undefined or empty" + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute" }, { "queryName": "Security Definitions Undefined or Empty", @@ -45,6 +48,7 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", - "actualValue": "'securityDefinitions' is undefined or empty" + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json index 69908135820..78ba1679e70 100644 --- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", "searchValue": "", "expectedValue": "security definition should not be using basic authentication", - "actualValue": "security definition is using basic authentication" + "actualValue": "security definition is using basic authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Definitions Using Basic Auth", @@ -21,6 +22,7 @@ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", "searchValue": "", "expectedValue": "security definition should not be using basic authentication", - "actualValue": "security definition is using basic authentication" + "actualValue": "security definition is using basic authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json index 7c52e1a27a8..041754a86c0 100644 --- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", - "actualValue": "petstore_auth is not defined in 'securityDefinitions'" + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Not Defined In Security Definition", @@ -21,7 +22,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", - "actualValue": "petstore_auth is not defined in 'securityDefinitions'" + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Not Defined In Security Definition", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", - "actualValue": "petstore_auth is not defined in 'securityDefinitions'" + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Not Defined In Security Definition", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.security.petstore_auth", "searchValue": "", "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", - "actualValue": "petstore_auth is not defined in 'securityDefinitions'" + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json index fd90113405f..4677f970704 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityDefinitions'", - "actualValue": "scope error:api is not defined on 'securityDefinitions'" + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", @@ -21,6 +22,7 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityDefinitions'", - "actualValue": "scope error:api is not defined on 'securityDefinitions'" + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json index f3c8a64a205..cd57a0d9b20 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityDefinitions'", - "actualValue": "scope error:api is not defined on 'securityDefinitions'" + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityDefinitions'", - "actualValue": "scope error:api is not defined on 'securityDefinitions'" + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json index 7b636ed8793..50119d0e530 100644 --- a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.produces", "searchValue": "", "expectedValue": "paths.{{/}}.get.produces has only known prefixes", - "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v2)", @@ -21,7 +22,8 @@ "searchKey": "produces", "searchValue": "", "expectedValue": "produces has only known prefixes", - "actualValue": "aplication/json on 'produces' is an unknown prefix" + "actualValue": "aplication/json on 'produces' is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.produces", "searchValue": "", "expectedValue": "paths.{{/}}.get.produces has only known prefixes", - "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix" + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v2)", @@ -45,6 +48,7 @@ "searchKey": "produces", "searchValue": "", "expectedValue": "produces has only known prefixes", - "actualValue": "aplication/json on 'produces' is an unknown prefix" + "actualValue": "aplication/json on 'produces' is an unknown prefix", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json index 67aba00f259..458e32c0304 100644 --- a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.descripption", "searchValue": "", "expectedValue": "The field 'descripption' is known in the parameters object", - "actualValue": "The field 'descripption' is unknown in the parameters object" + "actualValue": "The field 'descripption' is unknown in the parameters object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -21,7 +22,8 @@ "searchKey": "definitions.ErrorModel.propppperties", "searchValue": "", "expectedValue": "The field 'propppperties' is known in the definitions object", - "actualValue": "The field 'propppperties' is unknown in the definitions object" + "actualValue": "The field 'propppperties' is unknown in the definitions object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -33,7 +35,8 @@ "searchKey": "info.contact.nameee", "searchValue": "", "expectedValue": "The field 'nameee' is known in the contact object", - "actualValue": "The field 'nameee' is unknown in the contact object" + "actualValue": "The field 'nameee' is unknown in the contact object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -45,7 +48,8 @@ "searchKey": "taggs", "searchValue": "", "expectedValue": "The field 'taggs' is known in the openapi object", - "actualValue": "The field 'taggs' is unknown in the openapi object" + "actualValue": "The field 'taggs' is unknown in the openapi object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.descripption", "searchValue": "", "expectedValue": "The field 'descripption' is known in the parameters object", - "actualValue": "The field 'descripption' is unknown in the parameters object" + "actualValue": "The field 'descripption' is unknown in the parameters object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.ErrorModel.propppperties", "searchValue": "", "expectedValue": "The field 'propppperties' is known in the definitions object", - "actualValue": "The field 'propppperties' is unknown in the definitions object" + "actualValue": "The field 'propppperties' is unknown in the definitions object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -81,7 +87,8 @@ "searchKey": "info.contact.nameee", "searchValue": "", "expectedValue": "The field 'nameee' is known in the contact object", - "actualValue": "The field 'nameee' is unknown in the contact object" + "actualValue": "The field 'nameee' is unknown in the contact object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v2)", @@ -93,6 +100,7 @@ "searchKey": "taggs", "searchValue": "", "expectedValue": "The field 'taggs' is known in the openapi object", - "actualValue": "The field 'taggs' is unknown in the openapi object" + "actualValue": "The field 'taggs' is unknown in the openapi object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json index e39f0bf945a..4d0aeb2b1eb 100644 --- a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "parameters.{{limitParam}}", "searchValue": "", "expectedValue": "parameter definition 'limitParam' is used", - "actualValue": "parameter definition 'limitParam' is not being used" + "actualValue": "parameter definition 'limitParam' is not being used", + "issueType": "MissingAttribute" }, { "queryName": "Global Parameter Definition Not Being Used", @@ -21,6 +22,7 @@ "searchKey": "parameters.{{limitParam}}", "searchValue": "", "expectedValue": "parameter definition 'limitParam' is used", - "actualValue": "parameter definition 'limitParam' is not being used" + "actualValue": "parameter definition 'limitParam' is not being used", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json index 2156936a20b..1a448cebbc3 100644 --- a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "responses.{{IllegalInput}}", "searchValue": "", "expectedValue": "responses definition 'IllegalInput' is used", - "actualValue": "responses definition 'IllegalInput' is not being used" + "actualValue": "responses definition 'IllegalInput' is not being used", + "issueType": "MissingAttribute" }, { "queryName": "Global Responses Definition Not Being Used", @@ -21,7 +22,8 @@ "searchKey": "responses.{{GeneralError}}", "searchValue": "", "expectedValue": "responses definition 'GeneralError' is used", - "actualValue": "responses definition 'GeneralError' is not being used" + "actualValue": "responses definition 'GeneralError' is not being used", + "issueType": "MissingAttribute" }, { "queryName": "Global Responses Definition Not Being Used", @@ -33,7 +35,8 @@ "searchKey": "responses.{{IllegalInput}}", "searchValue": "", "expectedValue": "responses definition 'IllegalInput' is used", - "actualValue": "responses definition 'IllegalInput' is not being used" + "actualValue": "responses definition 'IllegalInput' is not being used", + "issueType": "MissingAttribute" }, { "queryName": "Global Responses Definition Not Being Used", @@ -45,6 +48,7 @@ "searchKey": "responses.{{GeneralError}}", "searchValue": "", "expectedValue": "responses definition 'GeneralError' is used", - "actualValue": "responses definition 'GeneralError' is not being used" + "actualValue": "responses definition 'GeneralError' is not being used", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json index e776fcb8070..f51befe8909 100644 --- a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "definitions.{{Tag}}", "searchValue": "", "expectedValue": "responses definition 'Tag' is used", - "actualValue": "responses definition 'Tag' is not being used" + "actualValue": "responses definition 'Tag' is not being used", + "issueType": "MissingAttribute" }, { "queryName": "Global Schema Definition Not Being Used", @@ -21,6 +22,7 @@ "searchKey": "definitions.{{Tag}}", "searchValue": "", "expectedValue": "responses definition 'Tag' is used", - "actualValue": "responses definition 'Tag' is not being used" + "actualValue": "responses definition 'Tag' is not being used", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json index 54373f551d3..22a9616ec74 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Permissive", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", "searchValue": "", "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Permissive", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Permissive", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", "expectedValue": "'additionalProperties' should be set to false", - "actualValue": "'additionalProperties' is set true" + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Permissive", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "'additionalProperties' needs to be set and to false", - "actualValue": "'additionalProperties' is not set" + "actualValue": "'additionalProperties' is not set", + "issueType": "MissingAttribute" }, { "queryName": "Additional Properties Too Permissive", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "'additionalProperties' needs to be set and to false", - "actualValue": "'additionalProperties' is not set" + "actualValue": "'additionalProperties' is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json index 797d7e22bc8..14a709c079b 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", - "actualValue": "'additionalProperties' is false" + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Restrictive", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.MyObject.oneOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", - "actualValue": "'additionalProperties' is false" + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Restrictive", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", - "actualValue": "'additionalProperties' is false" + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue" }, { "queryName": "Additional Properties Too Restrictive", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", "searchValue": "", "expectedValue": "'additionalProperties' should not be false", - "actualValue": "'additionalProperties' is false" + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json index f0e4ca5f277..404aa269d11 100644 --- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security Scheme", @@ -21,7 +22,8 @@ "searchKey": "components.securitySchemes.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security Scheme", @@ -33,7 +35,8 @@ "searchKey": "components.securitySchemes.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security Scheme", @@ -45,7 +48,8 @@ "searchKey": "components.securitySchemes.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security Scheme", @@ -57,7 +61,8 @@ "searchKey": "components.securitySchemes.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security Scheme", @@ -69,6 +74,7 @@ "searchKey": "components.securitySchemes.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json index d3eec7eda59..89370773f01 100644 --- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", "searchValue": "", "expectedValue": "Callback ref points to '#/components/callbacks'", - "actualValue": "Callback ref does not point to '#/components/callbacks'" + "actualValue": "Callback ref does not point to '#/components/callbacks'", + "issueType": "IncorrectValue" }, { "queryName": "Callback Object With Incorrect Ref", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", "searchValue": "", "expectedValue": "Callback ref points to '#/components/callbacks'", - "actualValue": "Callback ref does not point to '#/components/callbacks'" + "actualValue": "Callback ref does not point to '#/components/callbacks'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json index 994fffe94d1..ec02d186ffb 100644 --- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", - "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel" + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel", + "issueType": "IncorrectValue" }, { "queryName": "Cleartext Credentials With Basic Authentication For Operation", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", - "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel" + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json index 334341c235a..c4aad0f3286 100644 --- a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.callbacks.{{inProgress}}", "searchValue": "", "expectedValue": "Callback should be used as reference somewhere", - "actualValue": "Callback is not used as reference" + "actualValue": "Callback is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Callback Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.callbacks.{{inProgress}}", "searchValue": "", "expectedValue": "Callback should be used as reference somewhere", - "actualValue": "Callback is not used as reference" + "actualValue": "Callback is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json index dd1bf691ac1..b4658d17078 100644 --- a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.examples.{{objectExample}}", "searchValue": "", "expectedValue": "Example should be used as reference somewhere", - "actualValue": "Example is not used as reference" + "actualValue": "Example is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Example Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.examples.{{objectExample}}", "searchValue": "", "expectedValue": "Example should be used as reference somewhere", - "actualValue": "Example is not used as reference" + "actualValue": "Example is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json index 5aea4b3e861..62486ef99c6 100644 --- a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.headers.{{xPages}}", "searchValue": "", "expectedValue": "Header should be used as reference somewhere", - "actualValue": "Header is not used as reference" + "actualValue": "Header is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Header Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.headers.{{xPages}}", "searchValue": "", "expectedValue": "Header should be used as reference somewhere", - "actualValue": "Header is not used as reference" + "actualValue": "Header is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json index 7a03f0c5600..10f72c402c3 100644 --- a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.links.{{APIRepository}}", "searchValue": "", "expectedValue": "Link should be used as reference somewhere", - "actualValue": "Link is not used as reference" + "actualValue": "Link is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Link Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.links.{{APIRepository}}", "searchValue": "", "expectedValue": "Link should be used as reference somewhere", - "actualValue": "Link is not used as reference" + "actualValue": "Link is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json index 0def5b31f1c..7b2a620c615 100644 --- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.{{schemas}}.{{General Error}}", "searchValue": "", "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", - "actualValue": "components.{{schemas}}.{{General Error}}is improperly named" + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named", + "issueType": "IncorrectValue" }, { "queryName": "Components Object Fixed Field Key Improperly Named", @@ -21,6 +22,7 @@ "searchKey": "components.{{schemas}}.{{General Error}}", "searchValue": "", "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", - "actualValue": "components.{{schemas}}.{{General Error}}is improperly named" + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json index 5fa04bb0a83..36b84bf9fab 100644 --- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.parameters.{{limitParam}}", "searchValue": "", "expectedValue": "Parameter should be used as reference somewhere", - "actualValue": "Parameter is not used as reference" + "actualValue": "Parameter is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Parameter Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.parameters.{{limitParam}}", "searchValue": "", "expectedValue": "Parameter should be used as reference somewhere", - "actualValue": "Parameter is not used as reference" + "actualValue": "Parameter is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json index 0e87d34785e..b8bafc1f574 100644 --- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.{{MyObjectBody}}", "searchValue": "", "expectedValue": "Request body should be used as reference somewhere", - "actualValue": "Request body is not used as reference" + "actualValue": "Request body is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Request Body Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.requestBodies.{{MyObjectBody}}", "searchValue": "", "expectedValue": "Request body should be used as reference somewhere", - "actualValue": "Request body is not used as reference" + "actualValue": "Request body is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json index 3e75884d972..4dfd75f8fab 100644 --- a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.{{NotFound}}", "searchValue": "", "expectedValue": "Response should be used as reference somewhere", - "actualValue": "Response is not used as reference" + "actualValue": "Response is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Response Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.responses.{{NotFound}}", "searchValue": "", "expectedValue": "Response should be used as reference somewhere", - "actualValue": "Response is not used as reference" + "actualValue": "Response is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json index b1791c21965..1badaf8d26d 100644 --- a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{MyObject2}}", "searchValue": "", "expectedValue": "Schema should be used as reference somewhere", - "actualValue": "Schema is not used as reference" + "actualValue": "Schema is not used as reference", + "issueType": "IncorrectValue" }, { "queryName": "Components Schema Definition Is Unused", @@ -21,6 +22,7 @@ "searchKey": "components.schemas.{{MyObject2}}", "searchValue": "", "expectedValue": "Schema should be used as reference somewhere", - "actualValue": "Schema is not used as reference" + "actualValue": "Schema is not used as reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json index 10a36e5c2f6..aa917578531 100644 --- a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "The array should not be empty", - "actualValue": "The array is empty" + "actualValue": "The array is empty", + "issueType": "IncorrectValue" }, { "queryName": "Empty Array", @@ -21,6 +22,7 @@ "searchKey": "security", "searchValue": "", "expectedValue": "The array should not be empty", - "actualValue": "The array is empty" + "actualValue": "The array is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json index c3b50685f60..0b9f0805919 100644 --- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", - "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", @@ -33,7 +35,8 @@ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", - "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json index ac527e3a573..74f04fab96d 100644 --- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", @@ -33,7 +35,8 @@ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties", + "issueType": "IncorrectValue" }, { "queryName": "Encoding Map Key Mismatch Schema Defined Properties", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json index 864368635ad..ca000953d06 100644 --- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref", "searchValue": "", "expectedValue": "#/components/schemas/Address should be declared on components.schemas", - "actualValue": "#/components/schemas/Address is not declared on components.schemas" + "actualValue": "#/components/schemas/Address is not declared on components.schemas", + "issueType": "MissingAttribute" }, { "queryName": "Example JSON Reference Outside Components Examples", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref", "searchValue": "", "expectedValue": "#/components/schemas/Address should be declared on components.schemas", - "actualValue": "#/components/schemas/Address is not declared on components.schemas" + "actualValue": "#/components/schemas/Address is not declared on components.schemas", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json index fb4621f1d4f..4fab04ea7f2 100644 --- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{regularSecurity}}", "searchValue": "", "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication", - "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication" + "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Scheme Using Basic Authentication", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{regularSecurity}}", "searchValue": "", "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication", - "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication" + "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json index be68342373e..3f57cc64607 100644 --- a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "servers.url.http://staging.gigantic-server.com/v1", "searchValue": "", "expectedValue": "Global servers' URL should use HTTPS protocol", - "actualValue": "Global servers' URL are not using HTTPS protocol" + "actualValue": "Global servers' URL are not using HTTPS protocol", + "issueType": "IncorrectValue" }, { "queryName": "Global Server Object Uses HTTP", @@ -21,7 +22,8 @@ "searchKey": "servers.url.http://staging.gigantic-server.com/v1", "searchValue": "", "expectedValue": "Global servers' URL should use HTTPS protocol", - "actualValue": "Global servers' URL are not using HTTPS protocol" + "actualValue": "Global servers' URL are not using HTTPS protocol", + "issueType": "IncorrectValue" }, { "queryName": "Global Server Object Uses HTTP", @@ -33,6 +35,7 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "Global servers array should be defined", - "actualValue": "Global servers array is not defined" + "actualValue": "Global servers array is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json index 01da2d0217f..7204fd06cb0 100644 --- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/headers'", - "actualValue": "Response ref does not point to '#/components/headers'" + "actualValue": "Response ref does not point to '#/components/headers'", + "issueType": "IncorrectValue" }, { "queryName": "Header Object With Incorrect Ref", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/headers'", - "actualValue": "Response ref does not point to '#/components/headers'" + "actualValue": "Response ref does not point to '#/components/headers'", + "issueType": "IncorrectValue" }, { "queryName": "Header Object With Incorrect Ref", @@ -33,7 +35,8 @@ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/headers'", - "actualValue": "Response ref does not point to '#/components/headers'" + "actualValue": "Response ref does not point to '#/components/headers'", + "issueType": "IncorrectValue" }, { "queryName": "Header Object With Incorrect Ref", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/headers'", - "actualValue": "Response ref does not point to '#/components/headers'" + "actualValue": "Response ref does not point to '#/components/headers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json index f7e620c8614..314401a03e3 100644 --- a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", "searchValue": "", "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" + "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined", + "issueType": "MissingAttribute" }, { "queryName": "Header Object Without Schema", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" + "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined", + "issueType": "MissingAttribute" }, { "queryName": "Header Object Without Schema", @@ -33,7 +35,8 @@ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}", "searchValue": "", "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined" + "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined", + "issueType": "MissingAttribute" }, { "queryName": "Header Object Without Schema", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined", - "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined" + "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json index ebd2c9029f6..220735b0a2b 100644 --- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Content Type For Multiple Files Upload", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", "searchValue": "", "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" + "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Content Type For Multiple Files Upload", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Content Type For Multiple Files Upload", @@ -45,6 +48,7 @@ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}", "searchValue": "", "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'", - "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'" + "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json index ca1b251aea1..8aaa8ad1cc9 100644 --- a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is an invalid value" + "actualValue": "The Media Type is an invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data", "searchValue": "", "expectedValue": "The Media Type should be a valid value", - "actualValue": "The Media Type is an invalid value" + "actualValue": "The Media Type is an invalid value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json index e7c726d2f93..0fcab0b60a4 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v3)", @@ -69,6 +74,7 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json index 1df1cb31fab..e4cf10b3020 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v3)", @@ -45,6 +48,7 @@ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl", "searchValue": "", "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", - "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL" + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json index bbb7ccf38fd..fe70ed5ea9d 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref", "searchValue": "", "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks", - "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks" + "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks", + "issueType": "MissingAttribute" }, { "queryName": "Callback JSON Reference Does Not Exist", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref", "searchValue": "", "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks", - "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks" + "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json index 5ceac8c3110..be519e4121b 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref", "searchValue": "", "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples", - "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples" + "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples", + "issueType": "MissingAttribute" }, { "queryName": "Example JSON Reference Does Not Exist", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref", "searchValue": "", "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples", - "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples" + "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json index 4fe7e700bab..d52dc44070e 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref", "searchValue": "", "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers", - "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers" + "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers", + "issueType": "MissingAttribute" }, { "queryName": "Header JSON Reference Does Not Exist", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref", "searchValue": "", "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers", - "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers" + "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json index 88e646bec27..023d39158de 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.links.$ref", "searchValue": "", "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", - "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links" + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links", + "issueType": "MissingAttribute" }, { "queryName": "Link JSON Reference Does Not Exist", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.links.$ref", "searchValue": "", "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", - "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links" + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index e9d2d807427..fc49f650877 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", "searchValue": "", "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", - "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters" + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters", + "issueType": "MissingAttribute" }, { "queryName": "Parameter JSON Reference Does Not Exist (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", "searchValue": "", "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", - "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters" + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json index 64eecff8c31..6ec18472a5f 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.requestBody.$ref", "searchValue": "", "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", - "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies" + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies", + "issueType": "MissingAttribute" }, { "queryName": "Request Body JSON Reference Does Not Exist", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.requestBody.$ref", "searchValue": "", "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", - "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies" + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 79d6442c871..a1bbc548b88 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.404.$ref", "searchValue": "", "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", - "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses" + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses", + "issueType": "MissingAttribute" }, { "queryName": "Response JSON Reference Does Not Exist (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.404.$ref", "searchValue": "", "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", - "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses" + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 898974faa16..b17b708a97f 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref", "searchValue": "", "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", - "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas" + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas", + "issueType": "MissingAttribute" }, { "queryName": "Schema JSON Reference Does Not Exist (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref", "searchValue": "", "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", - "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas" + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json index 9d81dd14019..1d512cf4cbd 100644 --- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.NotFound.links.{{l}}.$ref", "searchValue": "", "expectedValue": "Link ref points to '#/components/links'", - "actualValue": "Link ref does not point to '#/components/links'" + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue" }, { "queryName": "Link Object Incorrect Ref", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", "searchValue": "", "expectedValue": "Link ref points to '#/components/links'", - "actualValue": "Link ref does not point to '#/components/links'" + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue" }, { "queryName": "Link Object Incorrect Ref", @@ -33,7 +35,8 @@ "searchKey": "components.responses.NotFound.links.{{l}}.$ref", "searchValue": "", "expectedValue": "Link ref points to '#/components/links'", - "actualValue": "Link ref does not point to '#/components/links'" + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue" }, { "queryName": "Link Object Incorrect Ref", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", "searchValue": "", "expectedValue": "Link ref points to '#/components/links'", - "actualValue": "Link ref does not point to '#/components/links'" + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json index 333f4756552..c3b8594f577 100644 --- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", "searchValue": "", "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", - "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object" + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", "searchValue": "", "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", - "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object" + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", @@ -33,7 +35,8 @@ "searchKey": "components.links.{{address}}.operationId", "searchValue": "", "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", - "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", @@ -45,7 +48,8 @@ "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", "searchValue": "", "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", - "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object" + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", "searchValue": "", "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", - "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object" + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" }, { "queryName": "Link Object OperationId Does Not Target Operation Object", @@ -69,6 +74,7 @@ "searchKey": "components.links.{{address}}.operationId", "searchValue": "", "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", - "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object" + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json index bffa6c7d1dc..3eca9abdc5e 100644 --- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.{{200}}.links.{{address}}", "searchValue": "", "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", "searchValue": "", "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", @@ -33,7 +35,8 @@ "searchKey": "components.links.{{address}}", "searchValue": "", "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", @@ -45,7 +48,8 @@ "searchKey": "components.responses.{{200}}.links.{{address}}", "searchValue": "", "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", "searchValue": "", "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", @@ -69,6 +74,7 @@ "searchKey": "components.links.{{address}}", "searchValue": "", "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", - "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined" + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json index 6c6df7a6c1a..72ed49d48ab 100644 --- a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content[multipart/data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.requestBody.content[text/plain]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -81,7 +87,8 @@ "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Media Type Object Without Schema", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.requestBody.content[text/plain]", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json index e997e7589fd..dc33d65495b 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue" }, { "queryName": "OAuth2 With Implicit Flow", @@ -21,7 +22,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow" + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue" }, { "queryName": "OAuth2 With Implicit Flow", @@ -33,7 +35,8 @@ "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", "searchValue": "", "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue" }, { "queryName": "OAuth2 With Implicit Flow", @@ -45,7 +48,8 @@ "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", "searchValue": "", "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow" + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue" }, { "queryName": "OAuth2 With Implicit Flow", @@ -57,6 +61,7 @@ "searchKey": "components.securitySchemes.{{oAuth2AuthCode2}}.flows.implicit", "searchValue": "", "expectedValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows should not use 'implicit' flow", - "actualValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows is using 'implicit' flow" + "actualValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json index 9af1ae7febe..817536de59b 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", - "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow" + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow", + "issueType": "IncorrectValue" }, { "queryName": "OAuth2 With Password Flow", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", - "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow" + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json index 2b0295ceb88..a9fdab49fbc 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "info", "searchValue": "", "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -21,7 +22,8 @@ "searchKey": "info", "searchValue": "", "expectedValue": "info has all required fields", - "actualValue": "info is missing required fields" + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get", "searchValue": "", "expectedValue": "get has all required fields", - "actualValue": "get is missing required fields" + "actualValue": "get is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.servers", "searchValue": "", "expectedValue": "servers has all required fields", - "actualValue": "servers is missing required fields" + "actualValue": "servers is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get", "searchValue": "", "expectedValue": "get has all required fields", - "actualValue": "get is missing required fields" + "actualValue": "get is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.servers", "searchValue": "", "expectedValue": "servers has all required fields", - "actualValue": "servers is missing required fields" + "actualValue": "servers is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.requestBody", "searchValue": "", "expectedValue": "requestBody has all required fields", - "actualValue": "requestBody is missing required fields" + "actualValue": "requestBody is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -93,7 +100,8 @@ "searchKey": "components.requestBodies.MyObjectBody", "searchValue": "", "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.requestBodies.MyObjectBody_2", "searchValue": "", "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.get.requestBody", "searchValue": "", "expectedValue": "requestBody has all required fields", - "actualValue": "requestBody is missing required fields" + "actualValue": "requestBody is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -129,7 +139,8 @@ "searchKey": "components.requestBodies.MyObjectBody", "searchValue": "", "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -141,7 +152,8 @@ "searchKey": "components.requestBodies.MyObjectBody_2", "searchValue": "", "expectedValue": "requestBodies has all required fields", - "actualValue": "requestBodies is missing required fields" + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.get.responses.200", "searchValue": "", "expectedValue": "responses has all required fields", - "actualValue": "responses is missing required fields" + "actualValue": "responses is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -177,7 +191,8 @@ "searchKey": "components.parameters.IdParam", "searchValue": "", "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -189,7 +204,8 @@ "searchKey": "paths.{{/}}.get.responses.200", "searchValue": "", "expectedValue": "responses has all required fields", - "actualValue": "responses is missing required fields" + "actualValue": "responses is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", @@ -213,6 +230,7 @@ "searchKey": "components.parameters.IdParam", "searchValue": "", "expectedValue": "parameters has all required fields", - "actualValue": "parameters is missing required fields" + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json index addd1d153d6..f1b56fb6d8b 100644 --- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./.get.parameters", "searchValue": "", "expectedValue": "paths./.get.parameters.0.content has one entry", - "actualValue": "paths./.get.parameters.0.content has multiple entries" + "actualValue": "paths./.get.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", @@ -21,7 +22,8 @@ "searchKey": "paths./user/{id}.parameters", "searchValue": "", "expectedValue": "paths./user/{id}.parameters.0.content has one entry", - "actualValue": "paths./user/{id}.parameters.0.content has multiple entries" + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", @@ -33,7 +35,8 @@ "searchKey": "components.parameters", "searchValue": "", "expectedValue": "components.parameters.idParam.content has one entry", - "actualValue": "components.parameters.idParam.content has multiple entries" + "actualValue": "components.parameters.idParam.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", @@ -45,7 +48,8 @@ "searchKey": "paths./.get.parameters", "searchValue": "", "expectedValue": "paths./.get.parameters.0.content has one entry", - "actualValue": "paths./.get.parameters.0.content has multiple entries" + "actualValue": "paths./.get.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", @@ -57,7 +61,8 @@ "searchKey": "paths./user/{id}.parameters", "searchValue": "", "expectedValue": "paths./user/{id}.parameters.0.content has one entry", - "actualValue": "paths./user/{id}.parameters.0.content has multiple entries" + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", @@ -69,6 +74,7 @@ "searchKey": "components.parameters", "searchValue": "", "expectedValue": "components.parameters.idParam.content has one entry", - "actualValue": "components.parameters.idParam.content has multiple entries" + "actualValue": "components.parameters.idParam.content has multiple entries", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json index 2962bc89391..486e8250950 100644 --- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", "searchValue": "", "expectedValue": "Parameter Object ref points to '#/components/parameters'", - "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'" + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json index ba6706ef7da..74fa8623901 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", @@ -21,7 +22,8 @@ "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", @@ -45,7 +48,8 @@ "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", @@ -57,7 +61,8 @@ "searchKey": "openapi.components.parameters.name={{limit}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", @@ -69,6 +74,7 @@ "searchKey": "openapi.components.parameters.name={{limit}}", "searchValue": "", "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", - "actualValue": "Parameter Object has both 'schema' and 'content' defined" + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json index 92cfb0e2434..44495c9079f 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", @@ -57,7 +61,8 @@ "searchKey": "openapi.components.parameters.name={{id}}", "searchValue": "", "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", @@ -69,6 +74,7 @@ "searchKey": "openapi.components.parameters.name={{id}}", "searchValue": "", "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", - "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)" + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json index f5f70bb3f82..0e11c76c875 100644 --- a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/user/}}.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", @@ -33,7 +35,8 @@ "searchKey": "components.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/user/}}.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", @@ -69,6 +74,7 @@ "searchKey": "components.parameters", "searchValue": "", "expectedValue": "The attribute 'schema' should be set", - "actualValue": "The attribute 'schema' is undefined" + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json index 50571ef317c..169df0fda70 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}", "searchValue": "", "expectedValue": "Path Server Object url uses 'HTTPS' protocol", - "actualValue": "Path Server Object url uses 'HTTP' protocol" + "actualValue": "Path Server Object url uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Path Server Object Uses HTTP (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}", "searchValue": "", "expectedValue": "Path Server Object url uses 'HTTPS' protocol", - "actualValue": "Path Server Object url uses 'HTTP' protocol" + "actualValue": "Path Server Object url uses 'HTTP' protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json index 42b54cdca26..13670d64c13 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.parameters.allowEmptyValue", "searchValue": "", "expectedValue": "Property 'allowEmptyValue' should not be ignored", - "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})" + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json index b20b76e0c7c..bf70fa4ea3f 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json index 03511e236c2..94f9f17af64 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' Improperly Defined", @@ -21,7 +22,8 @@ "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' Improperly Defined", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' Improperly Defined", @@ -45,7 +48,8 @@ "searchKey": "paths./users/{id}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' Improperly Defined", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' Improperly Defined", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", - "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set" + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json index c492ff850b1..77b6b58af3e 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' of Encoding Object Ignored", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' of Encoding Object Ignored", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' of Encoding Object Ignored", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json index 8a16acfde0b..0ea20132cd2 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json index aa684b5065b..fb1a8bce307 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.requestBody.$ref", "searchValue": "", "expectedValue": "Request body ref points to '#/components/requestBodies'", - "actualValue": "Request body ref doesn't point to '#/components/requestBodies'" + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'", + "issueType": "IncorrectValue" }, { "queryName": "Request Body With Incorrect Ref", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.requestBody.$ref", "searchValue": "", "expectedValue": "Request body ref points to '#/components/requestBodies'", - "actualValue": "Request body ref doesn't point to '#/components/requestBodies'" + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json index 5b1945e46b0..fcce9ac31d7 100644 --- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue" }, { "queryName": "Request Body Object With Incorrect Media Type", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue" }, { "queryName": "Request Body Object With Incorrect Media Type", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding", "searchValue": "", "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", - "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" + "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue" }, { "queryName": "Request Body Object With Incorrect Media Type", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", - "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set" + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json index d0afed9e3b7..9d200a6650b 100644 --- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/responses'", - "actualValue": "Response ref does not point to '#/components/responses'" + "actualValue": "Response ref does not point to '#/components/responses'", + "issueType": "IncorrectValue" }, { "queryName": "Response Object With Incorrect Ref (v3)", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", "searchValue": "", "expectedValue": "Response ref points to '#/components/responses'", - "actualValue": "Response ref does not point to '#/components/responses'" + "actualValue": "Response ref does not point to '#/components/responses'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json index 0e9be12db4f..7c01336a2dc 100644 --- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema reference points to '#components/schemas'", - "actualValue": "Schema reference does not point to '#components/schemas'" + "actualValue": "Schema reference does not point to '#components/schemas'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Incorrect Ref (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema reference points to '#components/schemas'", - "actualValue": "Schema reference does not point to '#components/schemas'" + "actualValue": "Schema reference does not point to '#components/schemas'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Incorrect Ref (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema reference points to '#components/schemas'", - "actualValue": "Schema reference does not point to '#components/schemas'" + "actualValue": "Schema reference does not point to '#components/schemas'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Incorrect Ref (v3)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema reference points to '#components/schemas'", - "actualValue": "Schema reference does not point to '#components/schemas'" + "actualValue": "Schema reference does not point to '#components/schemas'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json index d6a2128b230..6049d19bcf6 100644 --- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true" + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json index 431102b6e6a..aa0ed1d7b00 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", @@ -21,7 +22,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", @@ -33,7 +35,8 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", @@ -45,6 +48,7 @@ "searchKey": "security.petstore_auth", "searchValue": "", "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json index cbf66a5907c..427054ebf4a 100644 --- a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.petstore_auth", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.petstore_auth", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.petstore_auth", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.petstore_auth", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", - "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'" + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json index 92b3557a20e..8fbf2f1545c 100644 --- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", - "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Object With Wrong Scopes", @@ -21,7 +22,8 @@ "searchKey": "security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", - "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Object With Wrong Scopes", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/pets}}.get.security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", - "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "issueType": "IncorrectValue" }, { "queryName": "Security Requirement Object With Wrong Scopes", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/pets}}.get.security.api_key", "searchValue": "", "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", - "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'" + "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json index 7655f0ffeb1..5c42a706442 100644 --- a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "Components is not defined" + "actualValue": "Components is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -21,7 +22,8 @@ "searchKey": "components", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is not defined" + "actualValue": "A security scheme is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -33,7 +35,8 @@ "searchKey": "components.securitySchemes", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is an empty object" + "actualValue": "A security scheme is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -45,7 +48,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "Components is not defined" + "actualValue": "Components is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -57,7 +61,8 @@ "searchKey": "components", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is not defined" + "actualValue": "A security scheme is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", @@ -69,6 +74,7 @@ "searchKey": "components.securitySchemes", "searchValue": "", "expectedValue": "A security scheme on components should be defined", - "actualValue": "A security scheme is an empty object" + "actualValue": "A security scheme is an empty object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json index fdc10d377e7..802ad4a765a 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Basic", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json index 288fa877959..181a883e1d9 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Digest", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json index 959daea3ae1..192f59478c5 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Negotiate", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json index 2be7ab9fdab..23ea85d3778 100644 --- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", - "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry" + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme HTTP Unknown Scheme", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", - "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry" + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json index 7aca478e95e..b987e334f12 100644 --- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using Oauth 1.0", @@ -21,6 +22,7 @@ "searchKey": "components.securitySchemes.{{petstore_auth}}", "searchValue": "", "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", - "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme" + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json index 3af703f568b..ebbdb1de06d 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "issueType": "IncorrectValue" }, { "queryName": "Server Object Variable Not Used", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", - "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '", + "issueType": "IncorrectValue" }, { "queryName": "Server Object Variable Not Used", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "issueType": "IncorrectValue" }, { "queryName": "Server Object Variable Not Used", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", - "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '" + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json index 055c0f32061..65f23ae6648 100644 --- a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL" + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json index 28c28545c07..b1e16150003 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", - "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables" + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json index 259f3866727..d59185ca9f2 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array does not have at least one server defined" + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute" }, { "queryName": "Servers Array Undefined", @@ -21,7 +22,8 @@ "searchKey": "servers", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array is empty" + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue" }, { "queryName": "Servers Array Undefined", @@ -33,7 +35,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array does not have at least one server defined" + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute" }, { "queryName": "Servers Array Undefined", @@ -45,6 +48,7 @@ "searchKey": "servers", "searchValue": "", "expectedValue": "Servers array has at least one server defined", - "actualValue": "Servers array is empty" + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json index e26c0470ede..032063b58c6 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.trace.responses", "searchValue": "", "expectedValue": "Trace should have the '200' successful code set", - "actualValue": "Trace does not have the '200' successful code set" + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Trace Operation", @@ -21,6 +22,7 @@ "searchKey": "paths.{{/item}}.trace.responses", "searchValue": "", "expectedValue": "Trace should have the '200' successful code set", - "actualValue": "Trace does not have the '200' successful code set" + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index ce0b36f1e71..1e4cf39ab6b 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", @@ -21,7 +22,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", @@ -33,7 +35,8 @@ "searchKey": "security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", @@ -45,6 +48,7 @@ "searchKey": "security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 0063c3fce08..6e24f0ec8b5 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "scope error:api should be defined on 'securityShemes'", - "actualValue": "scope error:api is not defined on 'securityShemes'" + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json index 7bd1190c95b..0bbfeaaee4d 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", "searchValue": "", "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", - "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix" + "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", - "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix" + "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", "searchValue": "", "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", - "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix" + "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", - "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix" + "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json index 28370b9b65a..0505237918b 100644 --- a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.descrinnption", "searchValue": "", "expectedValue": "The field 'descrinnption' is known in the responses object", - "actualValue": "The field 'descrinnption' is unknown in the responses object" + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -21,7 +22,8 @@ "searchKey": "tags.desdddcription", "searchValue": "", "expectedValue": "The field 'desdddcription' is known in the tags object", - "actualValue": "The field 'desdddcription' is unknown in the tags object" + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -33,7 +35,8 @@ "searchKey": "infjnjnjno", "searchValue": "", "expectedValue": "The field 'infjnjnjno' is known in the openapi object", - "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", "searchValue": "", "expectedValue": "The field 'tybhbhbpe:' is known in the schema object", - "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object" + "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", "searchValue": "", "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", - "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.descrinnption", "searchValue": "", "expectedValue": "The field 'descrinnption' is known in the responses object", - "actualValue": "The field 'descrinnption' is unknown in the responses object" + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -81,7 +87,8 @@ "searchKey": "tags.desdddcription", "searchValue": "", "expectedValue": "The field 'desdddcription' is known in the tags object", - "actualValue": "The field 'desdddcription' is unknown in the tags object" + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -93,7 +100,8 @@ "searchKey": "infjnjnjno", "searchValue": "", "expectedValue": "The field 'infjnjnjno' is known in the openapi object", - "actualValue": "The field 'infjnjnjno' is unknown in the openapi object" + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", "searchValue": "", "expectedValue": "The field 'tybhbhbpe' is known in the schema object", - "actualValue": "The field 'tybhbhbpe' is unknown in the schema object" + "actualValue": "The field 'tybhbhbpe' is unknown in the schema object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", "searchValue": "", "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", - "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object" + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json index 107316aa105..bf4c4ed1b53 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", @@ -21,7 +22,8 @@ "searchKey": "security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", @@ -33,7 +35,8 @@ "searchKey": "security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", @@ -45,7 +48,8 @@ "searchKey": "security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", @@ -57,7 +61,8 @@ "searchKey": "security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", @@ -69,7 +74,8 @@ "searchKey": "security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", @@ -81,7 +87,8 @@ "searchKey": "security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", @@ -93,7 +100,8 @@ "searchKey": "security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", @@ -105,7 +113,8 @@ "searchKey": "security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", @@ -117,6 +126,7 @@ "searchKey": "security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json index fa4005980df..f28632c1e37 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths./pets.post.security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths./pets.post.security.apiKey2", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", @@ -93,7 +100,8 @@ "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths./pets.post.security.apiKey1", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths./pets.post.security.apiKey3", "searchValue": "", "expectedValue": "The API Key should not be transported over network", - "actualValue": "The API Key is transported over network" + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json index ceb40b99ade..d1ad717e4f8 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.MyIntArray.items", "searchValue": "", "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.MyIntArray.items", "searchValue": "", "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.parameters.schema.items", "searchValue": "", "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", - "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined" + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json index 7d3554055b6..6840d819ab8 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", "searchValue": "", "expectedValue": "Array schema has 'maxItems' set", - "actualValue": "Array schema has 'maxItems' undefined" + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json index 3aaf46d205a..c324581ff92 100644 --- a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.default", "searchValue": "", "expectedValue": "The field 'default' should be consistent with the type", - "actualValue": "The field 'default' is not consistent with the type" + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json index dc579f3b1cf..2716ca02c81 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/item}}.{{delete}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/item}}.{{patch}}.responses", "searchValue": "", "expectedValue": "Default field should be defined on responses", - "actualValue": "Default field is not defined on responses" + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json index 105bd0cdd11..482b043dbea 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.parameters.example", "searchValue": "", "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", - "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v2)", @@ -33,7 +35,8 @@ "searchKey": "definitions.Tag.example", "searchValue": "", "expectedValue": "definitions.Tag.example should not be compliant with the schema type", - "actualValue": "definitions.Tag.example is not compliant with the schema type" + "actualValue": "definitions.Tag.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v2)", @@ -45,7 +48,8 @@ "searchKey": "definitions.Tag.example", "searchValue": "", "expectedValue": "definitions.Tag.example should not be compliant with the schema type", - "actualValue": "definitions.Tag.example is not compliant with the schema type" + "actualValue": "definitions.Tag.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", "searchValue": "", "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", "searchValue": "", "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", - "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type" + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", "searchValue": "", "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", - "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type" + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v2)", @@ -165,6 +178,7 @@ "searchKey": "paths.{{/}}.get.parameters.example", "searchValue": "", "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", - "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type" + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json index 41d33ed0f93..ffcc2bc4f50 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "A default security property should be defined", - "actualValue": "A default security property is not defined" + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Global Security Field Is Undefined (v3)", @@ -21,7 +22,8 @@ "searchKey": "openapi", "searchValue": "", "expectedValue": "A default security property should be defined", - "actualValue": "A default security property is not defined" + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Global Security Field Is Undefined (v2)", @@ -33,7 +35,8 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "A default security property should be defined", - "actualValue": "A default security property is not defined" + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Global Security Field Is Undefined (v2)", @@ -45,6 +48,7 @@ "searchKey": "swagger", "searchValue": "", "expectedValue": "A default security property should be defined", - "actualValue": "A default security property is not defined" + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json index cfd67d2dc78..70666443603 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", @@ -93,7 +100,8 @@ "searchKey": "parameters.limitParam.name=Accept", "searchValue": "", "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", - "actualValue": "parameters.limitParam.name=Accept is 'Accept'" + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.parameters.name=Accept", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", - "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'" + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", @@ -117,6 +126,7 @@ "searchKey": "parameters.limitParam.name=Accept", "searchValue": "", "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", - "actualValue": "parameters.limitParam.name=Accept is 'Accept'" + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json index dd35511ba3c..eceb38f6f4e 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", @@ -93,7 +100,8 @@ "searchKey": "parameters.limitParam.name=Authorization", "searchValue": "", "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", - "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.parameters.name=Authorization", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", - "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'" + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", @@ -117,6 +126,7 @@ "searchKey": "parameters.limitParam.name=Authorization", "searchValue": "", "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", - "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'" + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json index 518268e2371..61ca95b98f9 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", @@ -93,7 +100,8 @@ "searchKey": "parameters.limitParam.name=Content-Type", "searchValue": "", "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", - "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.parameters.name=Content-Type", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", - "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'" + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", @@ -117,6 +126,7 @@ "searchKey": "parameters.limitParam.name=Content-Type", "searchValue": "", "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", - "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'" + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index d7226494532..674b22cbad4 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Response Name Is Invalid (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Response Name Is Invalid (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Response Name Is Invalid (v2)", @@ -45,7 +48,8 @@ "searchKey": "responses.{{Success}}.headers.{{Accept}}", "searchValue": "", "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", - "actualValue": "responses.{{Success}}.headers contains 'Accept'" + "actualValue": "responses.{{Success}}.headers contains 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Response Name Is Invalid (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Response Name Is Invalid (v2)", @@ -69,6 +74,7 @@ "searchKey": "responses.{{Success}}.headers.{{Accept}}", "searchValue": "", "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", - "actualValue": "responses.{{Success}}.headers contains 'Accept'" + "actualValue": "responses.{{Success}}.headers contains 'Accept'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json index a5f54641d7d..b87a7d03da6 100644 --- a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "info.contact.email", "searchValue": "", "expectedValue": "info.contact.email has a valid email", - "actualValue": "info.contact.email has an invalid email" + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact Email (v3)", @@ -21,7 +22,8 @@ "searchKey": "info.contact.email", "searchValue": "", "expectedValue": "info.contact.email has a valid email", - "actualValue": "info.contact.email has an invalid email" + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact Email (v2)", @@ -33,7 +35,8 @@ "searchKey": "info.contact.email", "searchValue": "", "expectedValue": "info.contact.email has a valid email", - "actualValue": "info.contact.email has an invalid email" + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact Email (v2)", @@ -45,6 +48,7 @@ "searchKey": "info.contact.email", "searchValue": "", "expectedValue": "info.contact.email has a valid email", - "actualValue": "info.contact.email has an invalid email" + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json index ee8de5780d3..087298dba58 100644 --- a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "info.contact.url", "searchValue": "", "expectedValue": "info.contact.url has a valid URL", - "actualValue": "info.contact.url has an invalid URL" + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "info.contact.url", "searchValue": "", "expectedValue": "info.contact.url has a valid URL", - "actualValue": "info.contact.url has an invalid URL" + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact URL (v2)", @@ -33,7 +35,8 @@ "searchKey": "info.contact.url", "searchValue": "", "expectedValue": "info.contact.url has a valid URL", - "actualValue": "info.contact.url has an invalid URL" + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Contact URL (v2)", @@ -45,6 +48,7 @@ "searchKey": "info.contact.url", "searchValue": "", "expectedValue": "info.contact.url has a valid URL", - "actualValue": "info.contact.url has an invalid URL" + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index c470df1ccab..9ca5660dacd 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is float format" + "actualValue": "integer is float format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -69,7 +74,8 @@ "searchKey": "components.schemas.MyObject.properties.id.format=double", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is float format" + "actualValue": "integer is float format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -153,7 +165,8 @@ "searchKey": "components.schemas.MyObject.properties.id.format=double", "searchValue": "", "expectedValue": "integer is int32 or int64 formats", - "actualValue": "integer is double format" + "actualValue": "integer is double format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v3)", @@ -165,7 +178,8 @@ "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v2)", @@ -177,7 +191,8 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Format (v2)", @@ -189,6 +204,7 @@ "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", "searchValue": "", "expectedValue": "number is float or double formats", - "actualValue": "number is int32 format" + "actualValue": "number is int32 format", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json index beaefd124b4..cc181bfa982 100644 --- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "externalDocs.url", "searchValue": "", "expectedValue": "externalDocs.url has a valid URL", - "actualValue": "externalDocs.url does not have a valid URL" + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Global External Documentation URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "externalDocs.url", "searchValue": "", "expectedValue": "externalDocs.url has a valid URL", - "actualValue": "externalDocs.url does not have a valid URL" + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Global External Documentation URL (v2)", @@ -33,7 +35,8 @@ "searchKey": "externalDocs.url", "searchValue": "", "expectedValue": "externalDocs.url has a valid URL", - "actualValue": "externalDocs.url does not have a valid URL" + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Global External Documentation URL (v2)", @@ -45,6 +48,7 @@ "searchKey": "externalDocs.url", "searchValue": "", "expectedValue": "externalDocs.url has a valid URL", - "actualValue": "externalDocs.url does not have a valid URL" + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json index 9fc2d56d01a..737dfa58fa0 100644 --- a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "info.license.url", "searchValue": "", "expectedValue": "info.license.url has a valid URL", - "actualValue": "info.license.url has an invalid URL" + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid License URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "info.license.url", "searchValue": "", "expectedValue": "info.license.url has a valid URL", - "actualValue": "info.license.url has an invalid URL" + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid License URL (v2)", @@ -33,7 +35,8 @@ "searchKey": "info.license.url", "searchValue": "", "expectedValue": "info.license.url has a valid URL", - "actualValue": "info.license.url has an invalid URL" + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid License URL (v2)", @@ -45,6 +48,7 @@ "searchKey": "info.license.url", "searchValue": "", "expectedValue": "info.license.url has a valid URL", - "actualValue": "info.license.url has an invalid URL" + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json index 48c58cf8ccc..b78a783a1f2 100644 --- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", - "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Operation External Documentation URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", - "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Operation External Documentation URL (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", - "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Operation External Documentation URL (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", - "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL" + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json index f998034d9f9..a44cb972002 100644 --- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v2)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v2)", @@ -81,7 +87,8 @@ "searchKey": "definitions.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Schema External Documentation URL (v2)", @@ -93,6 +100,7 @@ "searchKey": "definitions.{{User}}.externalDocs.url", "searchValue": "", "expectedValue": "Schema External Documentation URL should be a valid URL", - "actualValue": "Schema External Documentation URL is not a valid URL" + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json index f7d9f8c1fa0..3fc63ae3a20 100644 --- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tags.name=pets", "searchValue": "", "expectedValue": "tags[0].externalDocs.url has a valid URL", - "actualValue": "tags[0].externalDocs.url has an invalid URL" + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v3)", @@ -21,7 +22,8 @@ "searchKey": "tags.name=store", "searchValue": "", "expectedValue": "tags[1].externalDocs.url has a valid URL", - "actualValue": "tags[1].externalDocs.url has an invalid URL" + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v3)", @@ -33,7 +35,8 @@ "searchKey": "tags.name=pets", "searchValue": "", "expectedValue": "tags[0].externalDocs.url has a valid URL", - "actualValue": "tags[0].externalDocs.url has an invalid URL" + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v3)", @@ -45,7 +48,8 @@ "searchKey": "tags.name=store", "searchValue": "", "expectedValue": "tags[1].externalDocs.url has a valid URL", - "actualValue": "tags[1].externalDocs.url has an invalid URL" + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v2)", @@ -57,7 +61,8 @@ "searchKey": "tags.name=pets", "searchValue": "", "expectedValue": "tags[0].externalDocs.url has a valid URL", - "actualValue": "tags[0].externalDocs.url has an invalid URL" + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v2)", @@ -69,7 +74,8 @@ "searchKey": "tags.name=store", "searchValue": "", "expectedValue": "tags[1].externalDocs.url has a valid URL", - "actualValue": "tags[1].externalDocs.url has an invalid URL" + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v2)", @@ -81,7 +87,8 @@ "searchKey": "tags.name=pets", "searchValue": "", "expectedValue": "tags[0].externalDocs.url has a valid URL", - "actualValue": "tags[0].externalDocs.url has an invalid URL" + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Tag External Documentation URL (v2)", @@ -93,6 +100,7 @@ "searchKey": "tags.name=store", "searchValue": "", "expectedValue": "tags[1].externalDocs.url has a valid URL", - "actualValue": "tags[1].externalDocs.url has an invalid URL" + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json index 01830d8041c..c9e1fa9f3bc 100644 --- a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Items Undefined (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Items Undefined (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.GeneralError", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Items Undefined (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Items Undefined (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/users}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Items Undefined (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/users}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Array items property should be defined", - "actualValue": "Array items property is undefined" + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json index 292a49a7150..39802601fd9 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Properties (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Properties (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Properties (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Properties (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Properties (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'properties' defined", - "actualValue": "Schema of the JSON object does not have 'properties' defined" + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json index 5c83f559945..63adcac878d 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", "searchValue": "", "expectedValue": "Schema of the JSON object should have 'type' defined", - "actualValue": "Schema of the JSON object does not have 'type' defined" + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json index 849b03b5bc2..b1db17887ee 100644 --- a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", - "actualValue": "Property '$ref'alongside other properties" + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", - "actualValue": "Property '$ref'alongside other properties" + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", - "actualValue": "Property '$ref'alongside other properties" + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", - "actualValue": "Property '$ref'alongside other properties" + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index f92e806d5da..3f2d706360b 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -93,7 +100,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -117,7 +126,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -177,7 +191,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -189,7 +204,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -213,7 +230,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", @@ -225,7 +243,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -237,7 +256,8 @@ "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", @@ -249,6 +269,7 @@ "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", "searchValue": "", "expectedValue": "'maxLength' should be defined", - "actualValue": "'maxLength' is undefined" + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json index 33a0b9c3ade..cb75d676a8c 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{patch}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{patch}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.{{get}}", "searchValue": "", "expectedValue": "A security schema should be used", - "actualValue": "No security schema is used" + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 4e69ac13d70..49d38fc219a 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.GeneralError.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.User.properties.name.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", @@ -93,6 +100,7 @@ "searchKey": "definitions.User.properties.name.items", "searchValue": "", "expectedValue": "Schema items property should be undefined", - "actualValue": "Schema items property is defined" + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index 3659b32104f..cd707491e08 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'format' defined", - "actualValue": "Numeric schema does not have 'format' defined" + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index c96788fb5eb..d6b444a7183 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'maximum' defined", - "actualValue": "Numeric schema does not have 'maximum' defined" + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index 3c3e8cd434d..3da88123176 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "Numeric schema should have 'minimum' defined", - "actualValue": "Numeric schema does not have 'minimum' defined" + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json index 67d3826c2a2..1490bf2bba0 100644 --- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.Cat.allOf.huntingSkill", "searchValue": "", "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.Cat.allOf.huntingSkill", "searchValue": "", "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", @@ -33,7 +35,8 @@ "searchKey": "definitions.Cat.allOf.huntingSkill", "searchValue": "", "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", @@ -45,7 +48,8 @@ "searchKey": "definitions.Cat.allOf.huntingSkill", "searchValue": "", "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", "searchValue": "", "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", "searchValue": "", "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", - "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'" + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json index 79eaeae58b1..51f561b6005 100644 --- a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", - "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{post}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", - "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", - "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{post}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", - "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", - "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.{{post}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", - "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.{{get}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", - "actualValue": "paths.{{/}}.{{get}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.{{post}}.operationId", "searchValue": "", "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", - "actualValue": "paths.{{/}}.{{post}}.operationId is not unique" + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json index 8ce9c7a53bf..02cf840f8d6 100644 --- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", - "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", - "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", - "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}.{{get}}.responses", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", - "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined" + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json index ebed1594db1..790415688fa 100644 --- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=id", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=ID", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=id", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.parameters.name=ID", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.parameters.token.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -117,7 +126,8 @@ "searchKey": "components.parameters.Token.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -129,7 +139,8 @@ "searchKey": "components.parameters.token.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", @@ -141,7 +152,8 @@ "searchKey": "components.parameters.Token.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -177,7 +191,8 @@ "searchKey": "parameters.oneParam.name=Token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -189,7 +204,8 @@ "searchKey": "parameters.anotherParam.name=token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/}}.parameters.name=Token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -213,7 +230,8 @@ "searchKey": "paths.{{/}}.parameters.name=token", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -225,7 +243,8 @@ "searchKey": "parameters.oneParam.name=Token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", @@ -237,6 +256,7 @@ "searchKey": "parameters.anotherParam.name=token2", "searchValue": "", "expectedValue": "", - "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)" + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json index b2afc16f845..cc0a543f54a 100644 --- a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.parameters.limitJSONParam.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.parameters.otherJSONParam.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.parameters.limitParam.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.parameters.otherParam.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.parameters.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.parameters.name", "searchValue": "", "expectedValue": "Parameter has unique 'name' and 'in' combinations", - "actualValue": "Parameter does not have unique 'name' and 'in' combinations" + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json index 41ea5025a2c..8fe02567fad 100644 --- a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./users/{id}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths./users/{ids}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths./users/{id}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths./users/{ids}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths./users/{id}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", @@ -69,7 +74,8 @@ "searchKey": "paths./users/{ids}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths./users/{id}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths./users/{ids}", "searchValue": "", "expectedValue": "There shouldn't be ambiguous path", - "actualValue": "There is ambiguous path" + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index 11fd8ba9da9..f7a1e03ca84 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -69,7 +74,8 @@ "searchKey": "components.parameters.name={{nameAPI}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v3)", @@ -93,7 +100,8 @@ "searchKey": "components.parameters.name={{nameAPI}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" }, { "queryName": "Path Parameter Not Required (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", - "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'" + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json index f44994b7552..e4dcab5a98d 100644 --- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./yada/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", - "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter With No Corresponding Template Path (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths./.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", - "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter With No Corresponding Template Path (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths./people/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", - "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter With No Corresponding Template Path (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths./people/foo.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", - "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'" + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json index 69d8cf3a923..573791e2960 100644 --- a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./users/{}", "searchValue": "", "expectedValue": "The path template should not be empty", - "actualValue": "The path template is empty" + "actualValue": "The path template is empty", + "issueType": "MissingAttribute" }, { "queryName": "Path Template is Empty (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths./users/{}", "searchValue": "", "expectedValue": "The path template should not be empty", - "actualValue": "The path template is empty" + "actualValue": "The path template is empty", + "issueType": "MissingAttribute" }, { "queryName": "Path Template is Empty (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths./users/{}", "searchValue": "", "expectedValue": "The path template should not be empty", - "actualValue": "The path template is empty" + "actualValue": "The path template is empty", + "issueType": "MissingAttribute" }, { "queryName": "Path Template is Empty (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths./users/{}", "searchValue": "", "expectedValue": "The path template should not be empty", - "actualValue": "The path template is empty" + "actualValue": "The path template is empty", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json index 4568214dbe0..9c3d9bd0c24 100644 --- a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}", "searchValue": "", "expectedValue": "paths.{{/}} has at least one operation object defined", - "actualValue": "paths.{{/}} does not have at least one operation object defined" + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute" }, { "queryName": "Path Without Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}", "searchValue": "", "expectedValue": "paths.{{/}} has at least one operation object defined", - "actualValue": "paths.{{/}} does not have at least one operation object defined" + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute" }, { "queryName": "Path Without Operation (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}", "searchValue": "", "expectedValue": "paths.{{/}} has at least one operation object defined", - "actualValue": "paths.{{/}} does not have at least one operation object defined" + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute" }, { "queryName": "Path Without Operation (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/}}", "searchValue": "", "expectedValue": "paths.{{/}} has at least one operation object defined", - "actualValue": "paths.{{/}} does not have at least one operation object defined" + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json index 80651865c02..95f1627bcfd 100644 --- a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths", "searchValue": "", "expectedValue": "The Paths Object should should not be empty", - "actualValue": "The Paths Object is empty" + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Paths Object is Empty (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths", "searchValue": "", "expectedValue": "The Paths Object should should not be empty", - "actualValue": "The Paths Object is empty" + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Paths Object is Empty (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths", "searchValue": "", "expectedValue": "The Paths Object should should not be empty", - "actualValue": "The Paths Object is empty" + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Paths Object is Empty (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths", "searchValue": "", "expectedValue": "The Paths Object should should not be empty", - "actualValue": "The Paths Object is empty" + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index f5c4b8ed5c2..fb1c467438a 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -93,7 +100,8 @@ "searchKey": "components.schemas.GeneralError.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -117,7 +126,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v2)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v2)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v2)", @@ -177,7 +191,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pattern Undefined (v2)", @@ -189,6 +204,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", "searchValue": "", "expectedValue": "'pattern' should be defined", - "actualValue": "'pattern' is undefined" + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json index c9181301ecd..128384b6869 100644 --- a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", "searchValue": "", "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", - "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute" }, { "queryName": "Properties Missing Required Property (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", "searchValue": "", "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", - "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing" + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute" }, { "queryName": "Properties Missing Required Property (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", - "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute" }, { "queryName": "Properties Missing Required Property (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", "searchValue": "", "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", - "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing" + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute" }, { "queryName": "Properties Missing Required Property (v2)", @@ -57,7 +61,8 @@ "searchKey": "definitions.MyObject.properties.code.required.name", "searchValue": "", "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", - "actualValue": "definitions.MyObject.properties.code.required.name is missing" + "actualValue": "definitions.MyObject.properties.code.required.name is missing", + "issueType": "MissingAttribute" }, { "queryName": "Properties Missing Required Property (v2)", @@ -69,6 +74,7 @@ "searchKey": "definitions.MyObject.properties.code.required.name", "searchValue": "", "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", - "actualValue": "definitions.MyObject.properties.code.required.name is missing" + "actualValue": "definitions.MyObject.properties.code.required.name is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json index e70e5c2a858..24ded796175 100644 --- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.parameters.name={{id}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.parameters.name={{metadata}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.parameters.name={{metadata}}", "searchValue": "", "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", - "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set" + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json index c1872d4782d..7d812b7d47a 100644 --- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.schemas.GeneralError.properties.code", "searchValue": "", "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", - "actualValue": "String schema value has 'minLength' larger than 'maxLength'" + "actualValue": "String schema value has 'minLength' larger than 'maxLength'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -93,7 +100,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", - "actualValue": "String schema value has 'minLength' larger than 'maxLength'" + "actualValue": "String schema value has 'minLength' larger than 'maxLength'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.schemas.GeneralError.properties.message", "searchValue": "", "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'", - "actualValue": "Array schema value has 'minItems' larger than 'maxItems'" + "actualValue": "Array schema value has 'minItems' larger than 'maxItems'", + "issueType": "IncorrectValue" }, { "queryName": "Property Defining Minimum Greater Than Maximum (v2)", @@ -117,6 +126,7 @@ "searchKey": "definitions.GeneralError.properties.code", "searchValue": "", "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", - "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'" + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json index 64fa03c5739..42a98e9ad28 100644 --- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.MyObject.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.schemas.MyObject.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" }, { "queryName": "Required Property With Default Value (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", "searchValue": "", "expectedValue": "Required properties should not have default defined", - "actualValue": "Required properties with default defined" + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index abc645c831d..d47a904f382 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "400 response", "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "415 response", "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "actualValue": "415 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "500 response", "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "429 response", "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "404 response", "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "actualValue": "404 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "200 response", "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "actualValue": "200 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "400 response", "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "429 response", "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "500 response", "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "401 response", "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "403 response", "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "400 response", "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "429 response", "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "404 response", "expectedValue": "404 response should be set", - "actualValue": "404 response is undefined" + "actualValue": "404 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -177,7 +191,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "415 response", "expectedValue": "415 response should be set", - "actualValue": "415 response is undefined" + "actualValue": "415 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -189,7 +204,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "500 response", "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "500 response", "expectedValue": "500 response should be set", - "actualValue": "500 response is undefined" + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -213,7 +230,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "200 response", "expectedValue": "200 response should be set", - "actualValue": "200 response is undefined" + "actualValue": "200 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -225,7 +243,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "400 response", "expectedValue": "400 response should be set", - "actualValue": "400 response is undefined" + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -237,7 +256,8 @@ "searchKey": "paths.{{/item}}.{{options}}.responses", "searchValue": "429 response", "expectedValue": "429 response should be set", - "actualValue": "429 response is undefined" + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -249,7 +269,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "403 response", "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v3)", @@ -261,7 +282,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "401 response", "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v2)", @@ -273,7 +295,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "401 response", "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v2)", @@ -285,7 +308,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "403 response", "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v2)", @@ -297,7 +321,8 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "401 response", "expectedValue": "401 response should be set when security field is defined", - "actualValue": "401 response is undefined when security field is defined" + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute" }, { "queryName": "Response Code Missing (v2)", @@ -309,6 +334,7 @@ "searchKey": "paths.{{/item}}.{{put}}.responses", "searchValue": "403 response", "expectedValue": "403 response should be set when security field is defined", - "actualValue": "403 response is undefined when security field is defined" + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json index b1b9d168de5..3feaf1a564a 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", - "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined", + "issueType": "IncorrectValue" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.responses.{{200}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined", + "issueType": "IncorrectValue" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", - "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined" + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined", + "issueType": "IncorrectValue" }, { "queryName": "Response on operations that should not have a body has declared content (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.responses.{{200}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.content is defined" + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined", + "issueType": "IncorrectValue" }, { "queryName": "Response on operations that should not have a body has declared content (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.responses.{{200}}.schema", "searchValue": "", "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined", + "issueType": "IncorrectValue" }, { "queryName": "Response on operations that should not have a body has declared content (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.responses.{{200}}.schema", "searchValue": "", "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", - "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined" + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json index f39cce57811..d38430d0265 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./.get.responses.200", "searchValue": "", "expectedValue": "paths./.get.responses.200.content should be defined", - "actualValue": "paths./.get.responses.200.content is undefined" + "actualValue": "paths./.get.responses.200.content is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths./.get.responses.200", "searchValue": "", "expectedValue": "paths./.get.responses.200.schema should be defined", - "actualValue": "paths./.get.responses.200.schema is undefined" + "actualValue": "paths./.get.responses.200.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths./.get.responses.200", "searchValue": "", "expectedValue": "paths./.get.responses.200.content should be defined", - "actualValue": "paths./.get.responses.200.content is undefined" + "actualValue": "paths./.get.responses.200.content is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", "searchValue": "", "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", - "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined" + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined", + "issueType": "MissingAttribute" }, { "queryName": "Response on operations that should have a body has undefined schema (v2)", @@ -141,6 +152,7 @@ "searchKey": "paths./.get.responses.200", "searchValue": "", "expectedValue": "paths./.get.responses.200.schema should be defined", - "actualValue": "paths./.get.responses.200.schema is undefined" + "actualValue": "paths./.get.responses.200.schema is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json index 3bbd6bfe547..25f16bbd753 100644 --- a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.responses", "searchValue": "", "expectedValue": "'responses' should not be empty", - "actualValue": "'responses' is empty" + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json index 6edaca60d8e..c8891f27ae2 100644 --- a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", "searchValue": "", "expectedValue": "HTTP responses status codes should be in range of [200-599]", - "actualValue": "HTTP responses status codes are not in range of [200-599]" + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json index 42cb8b1290c..0959a336abd 100644 --- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", @@ -57,7 +61,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'" + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json index 664d458f5f6..8c01cede84b 100644 --- a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", @@ -57,7 +61,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", - "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", - "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property" + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json index 4c075f9874c..8cd08255472 100644 --- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", "searchValue": "", "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", - "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string" + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string" + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", @@ -57,7 +61,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.{{GeneralError}}.discriminator", "searchValue": "", "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", - "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string" + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.discriminator", "searchValue": "", "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", - "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string" + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index 32b5425aa4e..db68a4606bd 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", @@ -69,7 +74,8 @@ "searchKey": "definitions.User.properties.name.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", @@ -93,6 +100,7 @@ "searchKey": "definitions.User.properties.name.enum", "searchValue": "", "expectedValue": "The field 'enum' should be consistent with the schema's type", - "actualValue": "The field 'enum' is not consistent with the schema's type" + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json index f8caeac711c..c95197fd5d9 100644 --- a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", @@ -81,7 +87,8 @@ "searchKey": "definitions.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", @@ -93,6 +100,7 @@ "searchKey": "definitions.{{GeneralError}}", "searchValue": "", "expectedValue": "The Schema Object should not be empty", - "actualValue": "The Schema Object is empty" + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json index 4a7fa9d433b..d1a40736b51 100644 --- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.ErrorModel.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.ErrorModel.allOf.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.ErrorModel.additionalProperties.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.ErrorModel.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.schemas.ErrorModel.allOf.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -69,7 +74,8 @@ "searchKey": "components.schemas.ErrorModel.additionalProperties.code", "searchValue": "", "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -129,7 +139,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -153,7 +165,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -177,7 +191,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -189,7 +204,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", @@ -213,6 +230,7 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", "searchValue": "", "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", - "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'" + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json index 972c9736c1c..b674915c724 100644 --- a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", "searchValue": "", "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", - "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema" + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v2)", @@ -21,7 +22,8 @@ "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", "searchValue": "", "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", - "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema" + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", "searchValue": "", "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", - "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema" + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v2)", @@ -45,6 +48,7 @@ "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", "searchValue": "", "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", - "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema" + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json index 9bd1e12a8b7..b65c2af41aa 100644 --- a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.GeneralError.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", @@ -33,7 +35,8 @@ "searchKey": "components.GeneralError.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema", "searchValue": "", "expectedValue": "Schema should have all required properties defined", - "actualValue": "Schema has required properties that are not defined" + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json index 417b11d4038..6c0e45fd913 100644 --- a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "A default security schema should be defined", - "actualValue": "A default security schema is not defined" + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v3)", @@ -21,7 +22,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "A default security schema should be defined", - "actualValue": "A default security schema is not defined" + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v2)", @@ -33,7 +35,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "A default security schema should be defined", - "actualValue": "A default security schema is not defined" + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v2)", @@ -45,6 +48,7 @@ "searchKey": "security", "searchValue": "", "expectedValue": "A default security schema should be defined", - "actualValue": "A default security schema is not defined" + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json index b37931a2e7d..75cf91b30e5 100644 --- a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v2)", @@ -21,7 +22,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v2)", @@ -33,7 +35,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v2)", @@ -45,7 +48,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -57,7 +61,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -69,7 +74,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -81,7 +87,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -93,7 +100,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -105,7 +113,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -117,7 +126,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", @@ -129,7 +139,8 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v2)", @@ -141,6 +152,7 @@ "searchKey": "security", "searchValue": "", "expectedValue": "Global security field definition should not have an empty object", - "actualValue": "Global security field definition has an empty object" + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json index fb6857c2aec..18678ebd0f4 100644 --- a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/apis}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/apis}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field array, when declared, should not be empty", - "actualValue": "Security operation field array is declared and empty" + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json index 66aa9ac5376..0a5f5ea85c0 100644 --- a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array should not have an empty object", - "actualValue": "Security operation field array has an empty object" + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array should not have an empty object", - "actualValue": "Security operation field array has an empty object" + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/apis}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array should not have an empty object", - "actualValue": "Security operation field array has an empty object" + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.{{patch}}.security", "searchValue": "", "expectedValue": "Security operation field array should not have an empty object", - "actualValue": "Security operation field array has an empty object" + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", @@ -105,7 +113,8 @@ "searchKey": "paths.{{/apis}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", @@ -117,6 +126,7 @@ "searchKey": "paths.{{/}}.{{get}}.security", "searchValue": "", "expectedValue": "Security operation field should not be empty object", - "actualValue": "Security operation field is an empty object" + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json index 5bb02212817..63464cbd47e 100644 --- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.GeneralError.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v2)", @@ -93,6 +100,7 @@ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", "searchValue": "", "expectedValue": "String schema has 'pattern' restricted", - "actualValue": "String schema does not have 'pattern' restricted" + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json index 27f11d2bdb6..2a7df26a10f 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/item}}.delete.responses", "searchValue": "", "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Delete does not have any successful code" + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json index 6cfc03a87e0..4fb28cc82e8 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.get.responses", "searchValue": "", "expectedValue": "Get should have at least one successful code (200 or 202)", - "actualValue": "Get does not have any successful code" + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v2)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.get.responses", "searchValue": "", "expectedValue": "Get should have at least one successful code (200 or 202)", - "actualValue": "Get does not have any successful code" + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.get.responses", "searchValue": "", "expectedValue": "Get should have at least one successful code (200 or 202)", - "actualValue": "Get does not have any successful code" + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/item}}.get.responses", "searchValue": "", "expectedValue": "Get should have at least one successful code (200 or 202)", - "actualValue": "Get does not have any successful code" + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json index 324fa8b5326..50c1b74ff20 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.head.responses", "searchValue": "", "expectedValue": "Head should have at least one successful code (200 or 202)", - "actualValue": "Head does not have any successful code" + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.head.responses", "searchValue": "", "expectedValue": "Head should have at least one successful code (200 or 202)", - "actualValue": "Head does not have any successful code" + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.head.responses", "searchValue": "", "expectedValue": "Head should have at least one successful code (200 or 202)", - "actualValue": "Head does not have any successful code" + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v2)", @@ -45,6 +48,7 @@ "searchKey": "paths.{{/item}}.head.responses", "searchValue": "", "expectedValue": "Head should have at least one successful code (200 or 202)", - "actualValue": "Head does not have any successful code" + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json index 0335f30647c..3ee49a5bd1d 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/item}}.patch.responses", "searchValue": "", "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Patch does not have any successful code" + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json index bb355d39e02..f4c6f5e3edf 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/item}}.post.responses", "searchValue": "", "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Post does not have any successful code" + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json index 1e0db472041..cc3e89c6234 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", @@ -57,7 +61,8 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", @@ -69,6 +74,7 @@ "searchKey": "paths.{{/item}}.put.responses", "searchValue": "", "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", - "actualValue": "Put does not have any successful code" + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json index c694cfe97c0..805ca08a8d9 100644 --- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", "searchValue": "", "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", @@ -21,7 +22,8 @@ "searchKey": "paths./users/{blabla}.get.parameters.name=id", "searchValue": "", "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", @@ -33,7 +35,8 @@ "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", @@ -45,7 +48,8 @@ "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", @@ -57,7 +61,8 @@ "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -81,7 +87,8 @@ "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", "searchValue": "", "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -93,7 +100,8 @@ "searchKey": "paths./users/{blabla}.get.parameters.name=id", "searchValue": "", "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", - "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'" + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -105,7 +113,8 @@ "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -117,7 +126,8 @@ "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -129,7 +139,8 @@ "searchKey": "paths./people/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", @@ -141,6 +152,7 @@ "searchKey": "paths./users/{id}.get.parameters", "searchValue": "", "expectedValue": "Template path parameters should be defined for operation", - "actualValue": "Template path parameters is not defined for operation" + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index 6f565a68bc7..eced447a997 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -21,7 +22,8 @@ "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -33,7 +35,8 @@ "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -45,7 +48,8 @@ "searchKey": "components.schemas.PointGenre.minimum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minimum is not valid for type string" + "actualValue": "Keyword minimum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -57,7 +61,8 @@ "searchKey": "components.schemas.PointGenre.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword maximum is not valid for type string" + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -69,7 +74,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -81,7 +87,8 @@ "searchKey": "components.schemas.MyObject.properties.id.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -93,7 +100,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword required is not valid for type string" + "actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -105,7 +113,8 @@ "searchKey": "components.schemas.MyObject.properties.name.required", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword required is not valid for type string" + "actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -117,7 +126,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -129,7 +139,8 @@ "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -141,7 +152,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -153,7 +165,8 @@ "searchKey": "components.schemas.MyObject.properties.id.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -165,7 +178,8 @@ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", @@ -177,7 +191,8 @@ "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -189,7 +204,8 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -201,7 +217,8 @@ "searchKey": "paths.{{/}}.parameters.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword maximum is not valid for type string" + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -213,7 +230,8 @@ "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword pattern is not valid for type number" + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -225,7 +243,8 @@ "searchKey": "paths.{{/}}.parameters.maximum", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword maximum is not valid for type string" + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", @@ -237,6 +256,7 @@ "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", "searchValue": "", "expectedValue": "There shouldn't be any invalid keywords", - "actualValue": "Keyword minLength is not valid for type integer" + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index bedbf7e6541..523b1e4a9ce 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[test].properties.publiclyAccessible", "searchValue": "", "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", - "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'" + "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "resources[test].properties", "searchValue": "", "expectedValue": "Attribute 'publiclyAccessible' should be defined", - "actualValue": "Attribute 'publiclyAccessible' is not defined" + "actualValue": "Attribute 'publiclyAccessible' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index ba22407898e..f27170489eb 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'accessLogSettings' should be defined", - "actualValue": "Attribute 'accessLogSettings' is not defined" + "actualValue": "Attribute 'accessLogSettings' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 8c9807ba22d..7bcd3334254 100644 --- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'clientCertificateId' should be defined", - "actualValue": "Attribute 'clientCertificateId' is not defined" + "actualValue": "Attribute 'clientCertificateId' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json index 243c1aa8084..f31d10a919a 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[aws:docdb/cluster].properties", "searchValue": "", "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined", - "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined" + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", "searchValue": "", "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: audit, profiler" + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: audit, profiler", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", "searchValue": "", "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", - "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler" + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index 92d4afad49b..8f47dad463d 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'serverSideEncryption' should be defined", - "actualValue": "Attribute 'serverSideEncryption' is not defined" + "actualValue": "Attribute 'serverSideEncryption' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties.serverSideEncryption.enabled", "searchValue": "", "expectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true", - "actualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false" + "actualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index ca5eb6afda5..70969733724 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'pointInTimeRecovery' should be defined", - "actualValue": "Attribute 'pointInTimeRecovery' is not defined" + "actualValue": "Attribute 'pointInTimeRecovery' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties.pointInTimeRecovery.enabled", "searchValue": "", "expectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true", - "actualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false" + "actualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index c43f364e2e4..4fb19239a84 100644 --- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'monitoring' should be defined and set to true", - "actualValue": "Attribute 'monitoring' is not defined" + "actualValue": "Attribute 'monitoring' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties.monitoring", "searchValue": "", "expectedValue": "Attribute 'monitoring' should be set to true", - "actualValue": "Attribute 'monitoring' is set to false" + "actualValue": "Attribute 'monitoring' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index c37b65f9112..67f1a9b691d 100644 --- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties.ebsOptimized", "searchValue": "", "expectedValue": "Attribute 'ebsOptimized' should be set to true", - "actualValue": "Attribute 'ebsOptimized' is set to false" + "actualValue": "Attribute 'ebsOptimized' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'ebsOptimized' should be defined and set to true", - "actualValue": "Attribute 'ebsOptimized' is not defined" + "actualValue": "Attribute 'ebsOptimized' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 322effeeea6..22eec5f18f8 100644 --- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[foo].properties.settings", "searchValue": "", "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources[foo].properties.settings", "searchValue": "", "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'" + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Cluster with Container Insights Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources[foo].properties", "searchValue": "", "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", - "actualValue": "Attribute 'settings' is not defined" + "actualValue": "Attribute 'settings' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 7c1dd964178..7e130bfef9c 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties.azMode", "searchValue": "", "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", - "actualValue": "Attribute 'azMode' is set to single-az" + "actualValue": "Attribute 'azMode' is set to single-az", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", - "actualValue": "Attribute 'azMode' is not defined" + "actualValue": "Attribute 'azMode' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index 34c55f0284a..3ef30d5780e 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties.snapshotRetentionLimit", "searchValue": "", "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", - "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0" + "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Redis Cluster Without Backup", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", - "actualValue": "Attribute 'snapshotRetentionLimit' is not defined" + "actualValue": "Attribute 'snapshotRetentionLimit' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index 9e513efc584..9f6bc0006f3 100644 --- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources.exampleDomain.properties", "searchValue": "", "expectedValue": "Attribute 'logPublishingOptions' should be defined", - "actualValue": "Attribute 'logPublishingOptions' is not defined" + "actualValue": "Attribute 'logPublishingOptions' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Logs Disabled", @@ -21,7 +22,8 @@ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", "searchValue": "", "expectedValue": "Attribute 'enabled' should be defined and set to 'true'", - "actualValue": "Attribute 'enabled' is not defined" + "actualValue": "Attribute 'enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Logs Disabled", @@ -33,6 +35,7 @@ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType", "searchValue": "", "expectedValue": "Attribute 'enabled' should be set to 'true'", - "actualValue": "Attribute 'enabled' is set to 'false'" + "actualValue": "Attribute 'enabled' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 3bc67a746c9..0beacf62270 100644 --- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS", "searchValue": "", "expectedValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", - "actualValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS is set to 'false'" + "actualValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json index e72ac4ecadd..4cd878cbfe4 100644 --- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher", - "actualValue": "Attribute 'minimumPasswordLength' is not defined" + "actualValue": "Attribute 'minimumPasswordLength' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Password Without Minimum Length", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties.minimumPasswordLength", "searchValue": "", "expectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher", - "actualValue": "Attribute 'minimumPasswordLength' is set to less than 14" + "actualValue": "Attribute 'minimumPasswordLength' is set to less than 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index f2e9651c05b..6f525859ba7 100644 --- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[default].properties.publiclyAccessible", "searchValue": "", "expectedValue": "'resources.default.properties.publiclyAccessible' should be set to 'false'", - "actualValue": "'resources.default.properties.publiclyAccessible' is set to 'true'" + "actualValue": "'resources.default.properties.publiclyAccessible' is set to 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 09a49d6e81c..27765e2fd0b 100644 --- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[redis].properties.enableNonSslPort", "searchValue": "", "expectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false", - "actualValue": "Redis Cache has attribute 'enableNonSslPort' set to true" + "actualValue": "Redis Cache has attribute 'enableNonSslPort' set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json index a97d4f1fbc1..d43771f3c87 100644 --- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[storageAccount].properties.enableHttpsTrafficOnly", "searchValue": "", "expectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true", - "actualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false" + "actualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 2b286e65553..65b5a40f459 100644 --- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "Storage Bucket should have attribute 'logging' defined", - "actualValue": "Storage Bucket attribute 'logging' is not defined" + "actualValue": "Storage Bucket attribute 'logging' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index e3c45bf4759..e3171e8884b 100644 --- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[example].properties", "searchValue": "", "expectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'", - "actualValue": "SSLPolicy 'minTlsVersion' attribute is not defined" + "actualValue": "SSLPolicy 'minTlsVersion' attribute is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", @@ -21,6 +22,7 @@ "searchKey": "resources[example].properties.minTlsVersion", "searchValue": "", "expectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'", - "actualValue": "SSLPolicy 'minTlsVersion' attribute is set to TLS_1_1" + "actualValue": "SSLPolicy 'minTlsVersion' attribute is set to TLS_1_1", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json index f8c5e8abbda..44475966547 100644 --- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resources[pod].properties.metadata", "searchValue": "", "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", - "actualValue": "Pod does not have annotations defined in metadata" + "actualValue": "Pod does not have annotations defined in metadata", + "issueType": "MissingAttribute" }, { "queryName": "Missing App Armor Config", @@ -21,7 +22,8 @@ "searchKey": "resources[pod].properties.metadata", "searchValue": "", "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", - "actualValue": "Pod does not have annotations defined in metadata" + "actualValue": "Pod does not have annotations defined in metadata", + "issueType": "MissingAttribute" }, { "queryName": "Missing App Armor Config", @@ -33,6 +35,7 @@ "searchKey": "resources[pod].properties.metadata.annotations", "searchValue": "", "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", - "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined" + "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json index b3ab3ff2105..937e1084c79 100644 --- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resources[example].properties.spec.privileged", "searchValue": "", "expectedValue": "PSP should have 'privileged' set to false or not defined", - "actualValue": "PSP has 'privileged' set to true" + "actualValue": "PSP has 'privileged' set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 09b73040026..d747c505cbd 100644 --- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "provider.logs.restApi.accessLogging", "searchValue": "", "expectedValue": "provider.logs.restApi should have 'accessLogging' set to true", - "actualValue": "provider.logs.restApi has 'accessLogging' set to false" + "actualValue": "provider.logs.restApi has 'accessLogging' set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 97e27ef7442..cf970a5bcc2 100644 --- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "provider", "searchValue": "", "expectedValue": "endpointType should be defined and set to PRIVATE", - "actualValue": "endpointType is not defined" + "actualValue": "endpointType is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Endpoint Config Not Private", @@ -21,6 +22,7 @@ "searchKey": "provider.endpointType", "searchValue": "", "expectedValue": "endpointType should be set to PRIVATE", - "actualValue": "endpointType is not set to PRIVATE" + "actualValue": "endpointType is not set to PRIVATE", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json index d176e9aedea..1f2df0ff7b1 100644 --- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "provider.apiGateway", "searchValue": "", "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value", - "actualValue": "apiGateway does not have 'minimumCompressionSize' defined" + "actualValue": "apiGateway does not have 'minimumCompressionSize' defined", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Without Content Encoding", @@ -21,6 +22,7 @@ "searchKey": "provider.apiGateway.minimumCompressionSize", "searchValue": "", "expectedValue": "'minimumCompressionSize' should be set to a recommended value", - "actualValue": "'minimumCompressionSize' is set a unrecommended value" + "actualValue": "'minimumCompressionSize' is set a unrecommended value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 225ccd889e7..6cd25ca0866 100644 --- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "provider.tracing.apiGateway", "searchValue": "", "expectedValue": "tracing should have 'apiGateway' set to true", - "actualValue": "'apiGateway' is set to false" + "actualValue": "'apiGateway' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API X-Ray Tracing Disabled", @@ -21,6 +22,7 @@ "searchKey": "provider.tracing", "searchValue": "", "expectedValue": "tracing should have 'apiGateway' defined and set to true", - "actualValue": "'apiGateway' is not defined within tracing" + "actualValue": "'apiGateway' is not defined within tracing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 15a4729637c..c4d940ca380 100644 --- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "provider", "searchValue": "", "expectedValue": "'kmsKeyArn' should be defined inside the provider", - "actualValue": "'kmsKeyArn' is not defined" + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Serverless Function Environment Variables Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'kmsKeyArn' should be defined inside the function", - "actualValue": "'kmsKeyArn' is not defined" + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Serverless Function Environment Variables Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "provider", "searchValue": "", "expectedValue": "'kmsKeyArn' should be defined inside the provider", - "actualValue": "'kmsKeyArn' is not defined" + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 5209c30a8ee..1463f5f473c 100644 --- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'onError' should be defined inside the function", - "actualValue": "'onError' is not defined" + "actualValue": "'onError' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json index 69cea04e5fb..df62e22df1f 100644 --- a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'tags' should be defined inside the function", - "actualValue": "'tags' is not defined" + "actualValue": "'tags' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 4d4c4c1c69e..c274f254afd 100644 --- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'role' should be defined inside the function", - "actualValue": "'role' is not defined" + "actualValue": "'role' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Serverless Function Without Unique IAM Role", @@ -21,6 +22,7 @@ "searchKey": "functions[%!s(int=0)].hello", "searchValue": "", "expectedValue": "'role' should be defined inside the function", - "actualValue": "'role' is not defined" + "actualValue": "'role' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 851ee62b37f..62794054503 100644 --- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "functions.hello.tracing", "searchValue": "", "expectedValue": "'tracing' should be set to Active", - "actualValue": "'tracing' is not set to Active" + "actualValue": "'tracing' is not set to Active", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without X-Ray Tracing", @@ -21,6 +22,7 @@ "searchKey": "functions.hello", "searchValue": "", "expectedValue": "'tracing' should be defined and set to Active", - "actualValue": "'tracing' is not defined" + "actualValue": "'tracing' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json index 82d3c2dba49..6d3f5929bce 100644 --- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "provider.iam.role.statements[0]", "searchValue": "", "expectedValue": "Statement should not give admin privileges", - "actualValue": "Statement gives admin privileges" + "actualValue": "Statement gives admin privileges", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index 3ea58369b43..d192a104a31 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", - "actualValue": "'event_rw' is not set to All" + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -33,7 +35,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -45,7 +48,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", - "actualValue": "'event_rw' is not set to All" + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -57,7 +61,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -69,7 +74,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -81,7 +87,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", - "actualValue": "'event_rw' is not set to All" + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -93,7 +100,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -105,7 +113,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail7].event_rw", "searchValue": "", "expectedValue": "'event_rw' should be set to All", - "actualValue": "'event_rw' is not set to All" + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -117,7 +126,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail7].trail_region", "searchValue": "", "expectedValue": "'trail_region' should be set to All", - "actualValue": "'trail_region' is not set to All" + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -129,7 +139,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail8]", "searchValue": "trail_region", "expectedValue": "'trail_region' should be set.", - "actualValue": "'trail_region' is not set." + "actualValue": "'trail_region' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -141,7 +152,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail9]", "searchValue": "event_rw", "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -153,7 +165,8 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail10]", "searchValue": "event_rw", "expectedValue": "'event_rw' should be set.", - "actualValue": "'event_rw' is not set." + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", @@ -165,6 +178,7 @@ "searchKey": "alicloud_actiontrail_trail[actiontrail10]", "searchValue": "oss_bucket_name", "expectedValue": "oss_bucket_name should be set.", - "actualValue": "oss_bucket_name is not set." + "actualValue": "oss_bucket_name is not set.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index f0742b89184..d99f2c1efb0 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[actiontrail3].acl", "searchValue": "", "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private", - "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read" + "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read", + "issueType": "IncorrectValue" }, { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[actiontrail4].acl", "searchValue": "", "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private", - "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write" + "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json index 92ceedcc1e0..1204cfb2866 100644 --- a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_alb_listener[positive].listener_protocol", "searchValue": "", "expectedValue": "'alicloud_alb_listener[positive].listener_protocol' should not be 'HTTP'", - "actualValue": "'alicloud_alb_listener[positive].listener_protocol' is 'HTTP'" + "actualValue": "'alicloud_alb_listener[positive].listener_protocol' is 'HTTP'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json index 310fc341a50..fbdb48b85ea 100644 --- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", "searchValue": "", "expectedValue": "'protocol' value should be 'HTTPS'", - "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway API Protocol Not HTTPS", @@ -21,7 +22,8 @@ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", "searchValue": "", "expectedValue": "'protocol' value should be 'HTTPS'", - "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway API Protocol Not HTTPS", @@ -33,6 +35,7 @@ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", "searchValue": "", "expectedValue": "'protocol' value should be 'HTTPS'", - "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'" + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json index 362679cc85e..2ce2ebb0a71 100644 --- a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_kms_key[key]", "searchValue": "", "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", - "actualValue": "alicloud_kms_key[key].is_enabled is not set" + "actualValue": "alicloud_kms_key[key].is_enabled is not set", + "issueType": "MissingAttribute" }, { "queryName": "CMK Is Unusable", @@ -21,6 +22,7 @@ "searchKey": "alicloud_kms_key[key].is_enabled", "searchValue": "", "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", - "actualValue": "alicloud_kms_key[key].is_enabled is set to false" + "actualValue": "alicloud_kms_key[key].is_enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json index c908c4bb41a..5a9a42be3cc 100644 --- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_cs_kubernetes_node_pool[default2]", "searchValue": "", "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.", - "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block." + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block.", + "issueType": "MissingAttribute" }, { "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair ", "searchValue": "", "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default3] to have 'auto_repair' set to true.", - "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default3] has 'auto_repair' set to false." + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default3] has 'auto_repair' set to false.", + "issueType": "IncorrectValue" }, { "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", @@ -33,6 +35,7 @@ "searchKey": "alicloud_cs_kubernetes_node_pool[default4].management", "searchValue": "", "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default4] to have a 'management' block containing 'auto_repair' set to true.", - "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' " + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' ", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json index bfad0468fca..57d2e1dbf38 100644 --- a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_disk[disk_encryption1]", "searchValue": "", "expectedValue": "[disk_encryption1] has encryption enabled", - "actualValue": "[disk_encryption1] does not have encryption enabled" + "actualValue": "[disk_encryption1] does not have encryption enabled", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_disk[disk_encryption2].encrypted", "searchValue": "", "expectedValue": "[disk_encryption2] has encryption set to true", - "actualValue": "[disk_encryption2] has encryption set to false" + "actualValue": "[disk_encryption2] has encryption set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json index 71894e81597..85c41af67d1 100644 --- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_disk[ecs_disk]", "searchValue": "", "expectedValue": "[ecs_disk] has kms key id defined", - "actualValue": "[ecs_disk] does not have kms key id defined" + "actualValue": "[ecs_disk] does not have kms key id defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json index a8338602b1e..95695e00b4a 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_kms_key[keypos1].rotation_interval", "searchValue": "", "expectedValue": "'automatic_rotation' should be set to Enabled", - "actualValue": "'automatic_rotation' is set to Disabled" + "actualValue": "'automatic_rotation' is set to Disabled", + "issueType": "IncorrectValue" }, { "queryName": "High KMS Key Rotation Period", @@ -21,7 +22,8 @@ "searchKey": "alicloud_kms_key[keypos1].rotation_interval", "searchValue": "", "expectedValue": "'rotation_interval' value should not be higher than a year", - "actualValue": "'rotation_interval' value is higher than a year" + "actualValue": "'rotation_interval' value is higher than a year", + "issueType": "IncorrectValue" }, { "queryName": "High KMS Key Rotation Period", @@ -33,7 +35,8 @@ "searchKey": "alicloud_kms_key[keypos1].rotation_interval", "searchValue": "", "expectedValue": "'rotation_interval' value should not be higher than a year", - "actualValue": "'rotation_interval' value is higher than a year" + "actualValue": "'rotation_interval' value is higher than a year", + "issueType": "IncorrectValue" }, { "queryName": "High KMS Key Rotation Period", @@ -45,6 +48,7 @@ "searchKey": "alicloud_kms_key[keypos1].rotation_interval", "searchValue": "", "expectedValue": "'automatic_rotation' should be defined and set to Enabled", - "actualValue": "'automatic_rotation' is not defined" + "actualValue": "'automatic_rotation' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index e3f368f397d..247bafa47d5 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_cs_kubernetes[positive1]", "searchValue": "terway-eniip", "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", - "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip" + "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip", + "issueType": "MissingAttribute" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", @@ -21,7 +22,8 @@ "searchKey": "alicloud_cs_kubernetes[positive1]", "searchValue": "pod_vswitch_ids", "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", - "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null" + "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", @@ -33,7 +35,8 @@ "searchKey": "alicloud_cs_kubernetes[positive2]", "searchValue": "pod_vswitch_ids", "expectedValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids should be defined and not null", - "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null" + "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", @@ -45,6 +48,7 @@ "searchKey": "alicloud_cs_kubernetes[positive3]", "searchValue": "terway-eniip", "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip", - "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip" + "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json index 732c22b5263..a0351d0105d 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_launch_template[templatepos1].encrypted", "searchValue": "", "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true", - "actualValue": "alicloud_launch_template[templatepos1].encrypted is false" + "actualValue": "alicloud_launch_template[templatepos1].encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "Launch Template Is Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "alicloud_launch_template[templatepos2]", "searchValue": "", "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true", - "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined" + "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json index 1e7a509b6f8..04912ec4512 100644 --- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_log_store[example2]", "searchValue": "", "expectedValue": "For attribute 'retention_period' should be set and over 90 days.", - "actualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short." + "actualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.", + "issueType": "MissingAttribute" }, { "queryName": "Log Retention Is Not Greater Than 90 Days", @@ -21,6 +22,7 @@ "searchKey": "alicloud_log_store[example4].retention_period", "searchValue": "", "expectedValue": "For the attribite 'retention_period' should be set to 90+ days", - "actualValue": "The attribute 'retention_period' is not set to 90+ days" + "actualValue": "The attribute 'retention_period' is not set to 90+ days", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json index b5d4dd785a2..f1660784d80 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_nas_file_system[foopos].encrypt_type", "searchValue": "", "expectedValue": "alicloud_nas_file_system[foopos].encrypt_type' should not be 0", - "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0" + "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0", + "issueType": "IncorrectValue" }, { "queryName": "NAS File System Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "alicloud_nas_file_system[foopos2]", "searchValue": "", "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ", - "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined" + "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json index d8b46f0c41b..dfb0f669a3d 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_nas_file_system[foo]", "searchValue": "", "expectedValue": "alicloud_nas_file_system[foo].encrypt_type' should be defined and set to 2'", - "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined" + "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "NAS File System Without KMS", @@ -21,6 +22,7 @@ "searchKey": "alicloud_nas_file_system[fooabr]", "searchValue": "", "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'", - "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 " + "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json index 36614686c62..24d0c0dd624 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ros_stack[pos]", "searchValue": "stack_policy", "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", - "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined", + "issueType": "MissingAttribute" }, { "queryName": "No ROS Stack Policy", @@ -21,7 +22,8 @@ "searchKey": "alicloud_ros_stack[pos]", "searchValue": "stack_policy_during_update", "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", - "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined", + "issueType": "MissingAttribute" }, { "queryName": "No ROS Stack Policy", @@ -33,7 +35,8 @@ "searchKey": "alicloud_ros_stack[pos2]", "searchValue": "stack_policy_during_update", "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", - "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined" + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined", + "issueType": "MissingAttribute" }, { "queryName": "No ROS Stack Policy", @@ -45,6 +48,7 @@ "searchKey": "alicloud_ros_stack[pos3]", "searchValue": "stack_policy", "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", - "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined" + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json index 5958c046ad0..c6dda2f17cd 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json index 4abf8e62f9d..0167d3414e3 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index b6a9b8f7062..1419fd6e221 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept list action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts list action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts list action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Allows List Action From All Principals", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept list action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts list action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts list action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index b9f7de90805..c35206b0dab 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket-policy4].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy4].policy to not accept put action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy4].policy accepts put action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy4].policy accepts put action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Allows Put Action From All Principals", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", "searchValue": "", "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept put action from all principals", - "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts put action from all principals" + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts put action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json index 7aa0bdf28f2..7e586598530 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption2].server_side_encryption_rule", "searchValue": "", "expectedValue": "[bucket_cmk_encryption2].policy has kms master key id defined", - "actualValue": "[bucket_cmk_encryption2].policy does not kms master key id defined" + "actualValue": "[bucket_cmk_encryption2].policy does not kms master key id defined", + "issueType": "MissingAttribute" }, { "queryName": "OSS Bucket Encryption Using CMK Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption3]", "searchValue": "", "expectedValue": "[bucket_cmk_encryption3].policy has server side encryption rule and kms master key id defined", - "actualValue": "[bucket_cmk_encryption3].policy does not have server side encryption rule and kms master key id defined" + "actualValue": "[bucket_cmk_encryption3].policy does not have server side encryption rule and kms master key id defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json index a572977805d..7842248e234 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_oss_bucket[bucket-website1].website", "searchValue": "", "expectedValue": "'website' to not be used.", - "actualValue": "'website' is being used." + "actualValue": "'website' is being used.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json index 67810b7795b..b66b83be97d 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_oss_bucket[bucket-policy].policy", "searchValue": "", "expectedValue": "[bucket-policy].policy has restricted ip access", - "actualValue": "[bucket-policy].policy does not restrict access via ip" + "actualValue": "[bucket-policy].policy does not restrict access via ip", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json index fdb99a9b853..0bb46ff390b 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled2].lifecycle_rule.enabled", "searchValue": "", "expectedValue": "'lifecycle_rule' should be set and enabled", - "actualValue": "'lifecycle_rule' is set but disabled" + "actualValue": "'lifecycle_rule' is set but disabled", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Lifecycle Rule Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled3]", "searchValue": "", "expectedValue": "'lifecycle_rule' should be set and enabled", - "actualValue": "'lifecycle_rule' is not set" + "actualValue": "'lifecycle_rule' is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json index caa8044296d..382b1920e19 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket_logging2]", "searchValue": "", "expectedValue": "bucket_logging2 has logging enabled", - "actualValue": "bucket_logging2 does not have logging enabled" + "actualValue": "bucket_logging2 does not have logging enabled", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket_logging1].logging_isenable", "searchValue": "", "expectedValue": "bucket_logging1 'logging_isenable' argument should be set to true", - "actualValue": "bucket_logging1 'logging_isenable' argument is set to false" + "actualValue": "bucket_logging1 'logging_isenable' argument is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json index 13a3dc4c63e..051948f755a 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled2].acl", "searchValue": "", "expectedValue": "'acl' should be set to private or not set", - "actualValue": "'acl' is public-read" + "actualValue": "'acl' is public-read", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Public Access Enabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled3].acl", "searchValue": "", "expectedValue": "'acl' should be set to private or not set", - "actualValue": "'acl' is public-read-write" + "actualValue": "'acl' is public-read-write", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json index 758fc7c84d8..cb8446f47fc 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket-accelerate].transfer_acceleration.enabled", "searchValue": "", "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true", - "actualValue": "'transfer_acceleration.enabled' is false" + "actualValue": "'transfer_acceleration.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Transfer Acceleration Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket-accelerate2]", "searchValue": "", "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true", - "actualValue": "'transfer_acceleration' is missing" + "actualValue": "'transfer_acceleration' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json index ab679738ac0..e1604c633ca 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status", "searchValue": "", "expectedValue": "'versioning.status' should be enabled", - "actualValue": "'versioning.status' is suspended" + "actualValue": "'versioning.status' is suspended", + "issueType": "IncorrectValue" }, { "queryName": "OSS Bucket Versioning Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket-versioning3]", "searchValue": "", "expectedValue": "'versioning.status' should be defined and set to enabled", - "actualValue": "'versioning' is missing" + "actualValue": "'versioning' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json index 5dd2b210e92..d07ba0e829d 100644 --- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_oss_bucket[bucket-securetransport1].policy", "searchValue": "", "expectedValue": "bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests", - "actualValue": "bucket-securetransport1[%!s(MISSING)].policy accepts HTTP Requests" + "actualValue": "bucket-securetransport1[%!s(MISSING)].policy accepts HTTP Requests", + "issueType": "IncorrectValue" }, { "queryName": "OSS Buckets Secure Transport Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_oss_bucket[bucket-securetransport3].policy", "searchValue": "", "expectedValue": "bucket-securetransport3[%!s(MISSING)].policy should not accept HTTP Requests", - "actualValue": "bucket-securetransport3[%!s(MISSING)].policy accepts HTTP Requests" + "actualValue": "bucket-securetransport3[%!s(MISSING)].policy accepts HTTP Requests", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json index 82e36c0a722..fbea86c0a80 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all", - "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all" + "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all", + "issueType": "IncorrectValue" }, { "queryName": "Public Security Group Rule All Ports or Protocols", @@ -21,7 +22,8 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", - "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol" + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol", + "issueType": "IncorrectValue" }, { "queryName": "Public Security Group Rule All Ports or Protocols", @@ -33,6 +35,7 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip", "searchValue": "", "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol", - "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol" + "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json index 6426a8ad7f2..d54f48947d1 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", "searchValue": "20", "expectedValue": "tcp:20 port should not be allowed", - "actualValue": "tcp:20 port is allowed" + "actualValue": "tcp:20 port is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Public Security Group Rule Sensitive Port", @@ -21,7 +22,8 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", "searchValue": "4333", "expectedValue": "udp:4333 port should not be allowed", - "actualValue": "udp:4333 port is allowed" + "actualValue": "udp:4333 port is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Public Security Group Rule Sensitive Port", @@ -33,6 +35,7 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", "searchValue": "445", "expectedValue": "all:445 port should not be allowed", - "actualValue": "all:445 port is allowed" + "actualValue": "all:445 port is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json index 06ad12e8742..01e657a0dde 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", "searchValue": "", "expectedValue": "port_range should not contain unknown ports and should not be exposed to the entire Internet", - "actualValue": "port_range contains unknown ports and are exposed to the entire Internet" + "actualValue": "port_range contains unknown ports and are exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Public Security Group Rule Unknown Port", @@ -21,6 +22,7 @@ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range", "searchValue": "", "expectedValue": "port_range should not contain ports unknown and should not be exposed to the entire Internet", - "actualValue": "port_range contains ports unknown and are exposed to the entire Internet" + "actualValue": "port_range contains ports unknown and are exposed to the entire Internet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json index eaea19ce202..b925a169dec 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].max_login_attempts", "searchValue": "", "expectedValue": "'max_login_attempts' should be set to 5 or less", - "actualValue": "'max_login_attempts' is above than 5" + "actualValue": "'max_login_attempts' is above than 5", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json index d87a3f6dc6c..c516558dbae 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is not defined" + "actualValue": "'max_password_age' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Ram Account Password Policy Max Password Age Unrecommended", @@ -21,7 +22,8 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is higher than 90" + "actualValue": "'max_password_age' is higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Ram Account Password Policy Max Password Age Unrecommended", @@ -33,6 +35,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age", "searchValue": "", "expectedValue": "'max_password_age' should be higher than 0 and lower than 91", - "actualValue": "'max_password_age' is equal to 0" + "actualValue": "'max_password_age' is equal to 0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json index 7a89976c101..d797f792b53 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length", "searchValue": "", "expectedValue": "'minimum_password_length' should be defined and set to 14 or above", - "actualValue": "'minimum_password_length' is lower than 14" + "actualValue": "'minimum_password_length' is lower than 14", + "issueType": "IncorrectValue" }, { "queryName": "Ram Account Password Policy Not Required Minimum Length", @@ -21,6 +22,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ", - "actualValue": "'minimum_password_length' is not defined" + "actualValue": "'minimum_password_length' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json index 218be58f2e5..c4fce56d8e7 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].require_numbers", "searchValue": "", "expectedValue": "'require_numbers' should be defined and set to true", - "actualValue": "'require_numbers' is false" + "actualValue": "'require_numbers' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json index 6ff1d6ccc2d..e0f8e40441d 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols", "searchValue": "", "expectedValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols should be set to 'true'", - "actualValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'" + "actualValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json index 1bebe8d10f8..41034ea347c 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ram_account_password_policy[corporate]", "searchValue": "", "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24", - "actualValue": "'password_reuse_prevention' is not defined" + "actualValue": "'password_reuse_prevention' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RAM Account Password Policy without Reuse Prevention", @@ -21,6 +22,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention", "searchValue": "", "expectedValue": "'password_reuse_prevention' should be equal or less 24", - "actualValue": "'password_reuse_prevention' is higher than 24" + "actualValue": "'password_reuse_prevention' is higher than 24", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json index 8d2a35e2bfd..357bc6b0a30 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].require_lowercase_characters", "searchValue": "", "expectedValue": "'require_lowercase_characters' should be defined and set to true", - "actualValue": "'require_lowercase_characters' is false" + "actualValue": "'require_lowercase_characters' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json index d9e05a3c2d3..4c67caf2a89 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ram_account_password_policy[corporate].require_uppercase_characters", "searchValue": "", "expectedValue": "'require_uppercase_characters' should be defined and set to true", - "actualValue": "'require_uppercase_characters' is false" + "actualValue": "'require_uppercase_characters' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json index 534e32eace8..3f1fe5c8a09 100644 --- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ram_user_policy_attachment[attach].policy_name", "searchValue": "", "expectedValue": "alicloud_ram_policy[policy4] should not give admin access to any user, group or role", - "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access" + "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access", + "issueType": "IncorrectValue" }, { "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", @@ -21,7 +22,8 @@ "searchKey": "alicloud_ram_group_policy_attachment[attach].policy_name", "searchValue": "", "expectedValue": "alicloud_ram_policy[policy5] should not give admin access to any user, group or role", - "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access" + "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access", + "issueType": "IncorrectValue" }, { "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles", @@ -33,6 +35,7 @@ "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name", "searchValue": "", "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role", - "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access" + "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json index 300f724f727..de4bad59878 100644 --- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ram_user_policy_attachment[attach]", "searchValue": "", "expectedValue": "alicloud_ram_user_policy_attachment[attach] should be undefined", - "actualValue": "alicloud_ram_user_policy_attachment[attach] is defined" + "actualValue": "alicloud_ram_user_policy_attachment[attach] is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json index 22f0d1ff731..c20997f13f1 100644 --- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ram_security_preference[example1]", "searchValue": "", "expectedValue": "'enforce_mfa_for_login' should be defined and set to true", - "actualValue": "'enforce_mfa_for_login' is not defined" + "actualValue": "'enforce_mfa_for_login' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RAM Security Preference Not Enforce MFA Login", @@ -21,6 +22,7 @@ "searchKey": "alicloud_ram_security_preference[example2]", "searchValue": "", "expectedValue": "'enforce_mfa_for_login' should be set to true", - "actualValue": "'enforce_mfa_for_login' is set to 'false'" + "actualValue": "'enforce_mfa_for_login' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json index dc65104a23f..6545ecb4847 100644 --- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_db_instance[example].address", "searchValue": "", "expectedValue": "'address' should not be set to '0.0.0.0/0'", - "actualValue": "'address' is set to '0.0.0.0/0'" + "actualValue": "'address' is set to '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json index 3279b040c89..f51b894acc0 100644 --- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_log_audit[example].variable_map.rds_enabled", "searchValue": "", "expectedValue": "'rds_enabled' parameter value should be 'true'", - "actualValue": "'rds_enabled' parameter value is 'false'" + "actualValue": "'rds_enabled' parameter value is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Events Not Logged", @@ -21,6 +22,7 @@ "searchKey": "alicloud_log_audit[example].variable_map", "searchValue": "", "expectedValue": "'rds_enabled' parameter value should be 'true'", - "actualValue": "'rds_enabled' parameter is not defined" + "actualValue": "'rds_enabled' parameter is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json index 15026ea0250..28ccca5025b 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].parameters", "searchValue": "", "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", - "actualValue": "'log_connections' parameter is not defined" + "actualValue": "'log_connections' parameter is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Log Connections Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_db_instance[default].parameters[2].value", "searchValue": "", "expectedValue": "'log_connections' parameter value should be 'ON'", - "actualValue": "'log_connections' parameter value is 'OFF'" + "actualValue": "'log_connections' parameter value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Log Connections Disabled", @@ -33,6 +35,7 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'log_connections' parameter should be defined and value should be 'ON' in parameters array", - "actualValue": "'log_connections' parameter is not defined in parameters array" + "actualValue": "'log_connections' parameter is not defined in parameters array", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json index b3b6c0716ad..704367e7f76 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].parameters[2].value", "searchValue": "", "expectedValue": "'log_disconnections' parameter value should be 'ON'", - "actualValue": "'log_disconnections' parameter value is 'OFF'" + "actualValue": "'log_disconnections' parameter value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Log Disconnections Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_db_instance[default].parameters", "searchValue": "", "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON'", - "actualValue": "'log_disconnections' parameter is not defined" + "actualValue": "'log_disconnections' parameter is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Log Disconnections Disabled", @@ -33,6 +35,7 @@ "searchKey": "alicloud_db_instance[default]]", "searchValue": "", "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array", - "actualValue": "'log_disconnections' parameter is not defined in parametes array" + "actualValue": "'log_disconnections' parameter is not defined in parametes array", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json index 6a6d8b9e94b..6209e60c7e8 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].parameters[2].value", "searchValue": "", "expectedValue": "'log_duration' parameter value should be 'ON'", - "actualValue": "'log_duration' parameter value is 'OFF'" + "actualValue": "'log_duration' parameter value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Log Duration Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_db_instance[default].parameters", "searchValue": "", "expectedValue": "'log_duration' parameter should be defined and value should be 'ON'", - "actualValue": "'log_duration' parameter is not defined" + "actualValue": "'log_duration' parameter is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Log Duration Disabled", @@ -33,6 +35,7 @@ "searchKey": "alicloud_db_instance[default]]", "searchValue": "", "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", - "actualValue": "'log_duration' parameter is not defined in parameters array" + "actualValue": "'log_duration' parameter is not defined in parameters array", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json index fe8036a0197..a9148e1ea19 100644 --- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].security_ips[0]", "searchValue": "", "expectedValue": "'0.0.0.0' should not be in 'security_ips' list", - "actualValue": "'0.0.0.0' is in 'security_ips' list" + "actualValue": "'0.0.0.0' is in 'security_ips' list", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "alicloud_db_instance[default].security_ips[0]", "searchValue": "", "expectedValue": "'0.0.0.0/0' should not be in 'security_ips' list", - "actualValue": "'0.0.0.0/0' is in 'security_ips' list" + "actualValue": "'0.0.0.0/0' is in 'security_ips' list", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 90504004d6e..2fb13dc74d4 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "sql_collector_status", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_status' is not defined" + "actualValue": "'sql_collector_status' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -21,7 +22,8 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "sql_collector_config_value", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is not defined" + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -33,7 +35,8 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "sql_collector_config_value", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is not defined" + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -45,7 +48,8 @@ "searchKey": "alicloud_db_instance[default].sql_collector_status", "searchValue": "", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_status' is set to 'Disabled'" + "actualValue": "'sql_collector_status' is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -57,7 +61,8 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "sql_collector_config_value", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is not defined" + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", @@ -69,6 +74,7 @@ "searchKey": "alicloud_db_instance[default].sql_collector_config_value", "searchValue": "", "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", - "actualValue": "'sql_collector_config_value' is set to 30" + "actualValue": "'sql_collector_config_value' is set to 30", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json index 03b969c0c2b..8330599b7f2 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].ssl_action", "searchValue": "", "expectedValue": "'ssl_action' value should be 'Open'", - "actualValue": "'ssl_action' value is 'Close'" + "actualValue": "'ssl_action' value is 'Close'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance SSL Action Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'ssl_action' value should be 'Open'", - "actualValue": "'ssl_action' is not defined" + "actualValue": "'ssl_action' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json index cc42667a8fb..8438af6f17f 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_db_instance[default].tde_status", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' value is set to 'Disabled'" + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance TDE Status Disabled", @@ -21,7 +22,8 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' is not declared" + "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance TDE Status Disabled", @@ -33,7 +35,8 @@ "searchKey": "alicloud_db_instance[default].tde_status", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' value is set to 'Disabled'" + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance TDE Status Disabled", @@ -45,6 +48,7 @@ "searchKey": "alicloud_db_instance[default]", "searchValue": "", "expectedValue": "'tde_status' value should be 'Enabled'", - "actualValue": "'tde_status' is not declared" + "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json index 4b27b4e1260..244d3c2667a 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ros_stack[example]", "searchValue": "", "expectedValue": "stack 'notification_urls' should have urls", - "actualValue": "stack 'notification_urls' is empty" + "actualValue": "stack 'notification_urls' is empty", + "issueType": "IncorrectValue" }, { "queryName": "ROS Stack Notifications Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_ros_stack[example]", "searchValue": "", "expectedValue": "stack 'notification_urls' should be defined", - "actualValue": "stack 'notification_urls' is not defined" + "actualValue": "stack 'notification_urls' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json index 0c22d0d8580..6042fc5c135 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", "searchValue": "", "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", - "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false" + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false", + "issueType": "IncorrectValue" }, { "queryName": "ROS Stack Retention Disabled", @@ -21,6 +22,7 @@ "searchKey": "alicloud_ros_stack_instance[example]", "searchValue": "", "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", - "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined" + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json index 0078b4a6a49..23ea89e77b8 100644 --- a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_ros_stack[example]", "searchValue": "", "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set.", - "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined." + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json index 88832f8e675..07175950c76 100644 --- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_slb_tls_cipher_policy[positive].tls_versions", "searchValue": "", "expectedValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions to use secure TLS versions", - "actualValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions uses insecure TLS versions" + "actualValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions uses insecure TLS versions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json index 519d932de54..2fdab292efa 100644 --- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "alicloud_vpc[main]", "searchValue": "", "expectedValue": "alicloud_vpc[main] is associated with an 'alicloud_vpc_flow_log'", - "actualValue": "alicloud_vpc[main] is not associated with an 'alicloud_vpc_flow_log'" + "actualValue": "alicloud_vpc[main] is not associated with an 'alicloud_vpc_flow_log'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json index 28d2004fcd4..d5479d64bec 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_alb[positive1].enable_deletion_protection", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be set to true", - "actualValue": "'enable_deletion_protection' is set to false" + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_alb[positive2]", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be defined and set to true", - "actualValue": "'enable_deletion_protection' is undefined or null" + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ALB Deletion Protection Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_lb[positive3].enable_deletion_protection", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be set to true", - "actualValue": "'enable_deletion_protection' is set to false" + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_lb[positive4]", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be defined and set to true", - "actualValue": "'enable_deletion_protection' is undefined or null" + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ALB Deletion Protection Disabled", @@ -57,7 +61,8 @@ "searchKey": "module[alb].enable_deletion_protection", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be set to true", - "actualValue": "'enable_deletion_protection' is set to false" + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", @@ -69,6 +74,7 @@ "searchKey": "module[alb]", "searchValue": "", "expectedValue": "'enable_deletion_protection' should be defined and set to true", - "actualValue": "'enable_deletion_protection' is undefined or null" + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 7f6863e8a68..445482f1cb3 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_alb[foo]", "searchValue": "", "expectedValue": "'aws_alb[foo]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", - "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated" + "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", @@ -21,6 +22,7 @@ "searchKey": "aws_lb[alb]", "searchValue": "", "expectedValue": "'aws_lb[alb]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", - "actualValue": "'aws_lb[alb]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated" + "actualValue": "'aws_lb[alb]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json index 6b5d68157f3..76b950f3a36 100644 --- a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lb_listener[listener5].default_action.redirect.protocol", "searchValue": "", "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", - "actualValue": "'default_action.redirect.protocol' is equal 'HTTP'" + "actualValue": "'default_action.redirect.protocol' is equal 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", @@ -21,6 +22,7 @@ "searchKey": "aws_lb_listener[listener].default_action", "searchValue": "", "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", - "actualValue": "'default_action.redirect' is missing" + "actualValue": "'default_action.redirect' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json index 7622c12ba71..403e81699a1 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_alb[{{disabled_1}}]", "searchValue": "", "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -21,7 +22,8 @@ "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false" + "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -33,7 +35,8 @@ "searchKey": "aws_lb[{{disabled_1}}]", "searchValue": "", "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing" + "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -45,7 +48,8 @@ "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -57,7 +61,8 @@ "searchKey": "aws_alb[{{disabled_1}}]", "searchValue": "", "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing" + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -69,7 +74,8 @@ "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", "searchValue": "", "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", - "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false" + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -81,7 +87,8 @@ "searchKey": "module[alb].drop_invalid_header_fields", "searchValue": "", "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is set to false" + "actualValue": "module[alb].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -93,7 +100,8 @@ "searchKey": "module[alb]", "searchValue": "", "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is missing" + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", @@ -105,6 +113,7 @@ "searchKey": "module[alb]", "searchValue": "", "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", - "actualValue": "module[alb].drop_invalid_header_fields is missing" + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 1d7750ff86f..5c9ae06a034 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_dms_replication_instance[test].publicly_accessible", "searchValue": "", "expectedValue": "aws_dms_replication_instance[test].publicly_accessible should be set to false", - "actualValue": "aws_dms_replication_instance[test].publicly_accessible is set to true" + "actualValue": "aws_dms_replication_instance[test].publicly_accessible is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index 66812a61840..d5aa689f21b 100644 --- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resource.aws_mq_broker[positive1]", "searchValue": "", "expectedValue": "resource.aws_mq_broker[positive1].encryption_options should be defined", - "actualValue": "resource.aws_mq_broker[positive1].encryption_options is not defined" + "actualValue": "resource.aws_mq_broker[positive1].encryption_options is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json index 0168cfa6a6c..17752f768ce 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ami[positive1].ebs_block_device", "searchValue": "", "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", - "actualValue": "'rule.ebs_block_device' is undefined" + "actualValue": "'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AMI Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", "searchValue": "", "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", - "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'" + "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'", + "issueType": "IncorrectValue" }, { "queryName": "AMI Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "aws_ami[positive3]", "searchValue": "", "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", - "actualValue": "One of 'rule.ebs_block_device' is undefined" + "actualValue": "One of 'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index 47437d0df94..7570b8c27fb 100644 --- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ami_launch_permission[positive1].image_id", "searchValue": "", "expectedValue": "'aws_ami_launch_permission[positive1].image_id' should not be shared with multiple accounts", - "actualValue": "'aws_ami_launch_permission[positive1].image_id' is shared with multiple accounts" + "actualValue": "'aws_ami_launch_permission[positive1].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue" }, { "queryName": "AMI Shared With Multiple Accounts", @@ -21,6 +22,7 @@ "searchKey": "aws_ami_launch_permission[positive2].image_id", "searchValue": "", "expectedValue": "'aws_ami_launch_permission[positive2].image_id' should not be shared with multiple accounts", - "actualValue": "'aws_ami_launch_permission[positive2].image_id' is shared with multiple accounts" + "actualValue": "'aws_ami_launch_permission[positive2].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 80290297fe8..12dc6f36af7 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_stage[positive10]", "searchValue": "access_log_settings", "expectedValue": "'access_log_settings' should be defined", - "actualValue": "'access_log_settings' is not defined" + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_apigatewayv2_stage[positive11]", "searchValue": "access_log_settings", "expectedValue": "'access_log_settings' should be defined", - "actualValue": "'access_log_settings' is not defined" + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null" + "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level", "searchValue": "", "expectedValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level should be defined and not null", - "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null" + "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -57,7 +61,8 @@ "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null" + "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -69,7 +74,8 @@ "searchKey": "aws_apigatewayv2_stage[positive31].default_route_settings", "searchValue": "", "expectedValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level should be defined and not null", - "actualValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level isn't defined or is null" + "actualValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -81,7 +87,8 @@ "searchKey": "aws_api_gateway_method_settings[allpositive4]", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null" + "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -93,7 +100,8 @@ "searchKey": "aws_apigatewayv2_stage[positive41]", "searchValue": "default_route_settings", "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", - "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null" + "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -105,7 +113,8 @@ "searchKey": "aws_api_gateway_method_settings[allpositive5].settings.logging_level", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level should not be set to OFF", - "actualValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level is set to OFF" + "actualValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", @@ -117,7 +126,8 @@ "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", "searchValue": "", "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", - "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF" + "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", @@ -129,7 +139,8 @@ "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null" + "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -141,7 +152,8 @@ "searchKey": "aws_apigatewayv2_stage[positive61].default_route_settings", "searchValue": "", "expectedValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level should be defined and not null", - "actualValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level isn't defined or is null" + "actualValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", @@ -153,6 +165,7 @@ "searchKey": "aws_api_gateway_stage[positive70]", "searchValue": "aws_api_gateway_method_settings", "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", - "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null" + "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index eda78f06cce..5c761b5c04d 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_deployment[examplee]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", - "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" + "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -21,7 +22,8 @@ "searchKey": "aws_api_gateway_deployment[example3]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[example3] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", - "actualValue": "aws_api_gateway_deployment[example3] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set" + "actualValue": "aws_api_gateway_deployment[example3] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", @@ -33,6 +35,7 @@ "searchKey": "aws_api_gateway_deployment[example4]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", - "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined" + "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index ea26a071f69..275f5fbe0d5 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_deployment[positive1]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -21,7 +22,8 @@ "searchKey": "aws_api_gateway_deployment[positive2]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_deployment[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_deployment[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -33,7 +35,8 @@ "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", @@ -45,6 +48,7 @@ "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2]", "searchValue": "", "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 63f3e25a8b5..20e69a6639c 100644 --- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]", "searchValue": "", "expectedValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' should be 'PRIVATE'.", - "actualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'." + "actualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 4bd724621fd..4078d1198ac 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_api_gateway_method[positive1]", "searchValue": "", "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", - "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined" + "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Method Does Not Contains An API Key", @@ -21,6 +22,7 @@ "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", "searchValue": "", "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", - "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'" + "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json index 91157d40427..36e55a88c5f 100644 --- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_method_settings[{{path_specific}}].settings.cache_data_encrypted", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", - "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false" + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Settings Cache Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_api_gateway_method_settings[{{path_specific_2}}].settings", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", - "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing" + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 8fd77034128..9b5b2d4c3ce 100644 --- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_stage[positive1]", "searchValue": "", "expectedValue": "aws_api_gateway_stage[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_stage[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_stage[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", @@ -21,6 +22,7 @@ "searchKey": "aws_api_gateway_stage[positive2]", "searchValue": "", "expectedValue": "aws_api_gateway_stage[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", - "actualValue": "aws_api_gateway_stage[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated." + "actualValue": "aws_api_gateway_stage[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index b3e6d0170cc..2c6d540ac75 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_stage[positive1]", "searchValue": "", "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", - "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention" + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", "searchValue": "", "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", - "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" + "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", "searchValue": "", "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", - "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn" + "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", @@ -45,6 +48,7 @@ "searchKey": "aws_api_gateway_stage[positive4]", "searchValue": "", "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", - "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention" + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 7ad8a4a563c..0553915cd39 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_rest_api[positive1]", "searchValue": "", "expectedValue": "Attribute 'minimum_compression_size' should be set and have a value greater than -1 and smaller than 10485760", - "actualValue": "Attribute 'minimum_compression_size' is undefined" + "actualValue": "Attribute 'minimum_compression_size' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With Invalid Compression", @@ -21,7 +22,8 @@ "searchKey": "aws_api_gateway_rest_api[positive2].minimum_compression_size", "searchValue": "", "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", - "actualValue": "Attribute 'minimum_compression_size' is -1" + "actualValue": "Attribute 'minimum_compression_size' is -1", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", @@ -33,6 +35,7 @@ "searchKey": "aws_api_gateway_rest_api[positive3].minimum_compression_size", "searchValue": "", "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", - "actualValue": "Attribute 'minimum_compression_size' is 10485760" + "actualValue": "Attribute 'minimum_compression_size' is 10485760", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json index 810be375519..2b11f8d9e46 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_method[positive1].http_method", "searchValue": "", "expectedValue": "aws_api_gateway_method.authorization should only be 'NONE' if http_method is 'OPTIONS'", - "actualValue": "aws_api_gateway_method[positive1].authorization type is 'NONE' and http_method is not ''OPTIONS'" + "actualValue": "aws_api_gateway_method[positive1].authorization type is 'NONE' and http_method is not ''OPTIONS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 635729b3eb5..722af942cb7 100644 --- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_rest_api[demo2]", "searchValue": "", "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", - "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer" + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json index 7b87ae0cfcc..0ef51803589 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_domain_name[example]", "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example].security_policy should be set", - "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined" + "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Without Security Policy", @@ -21,6 +22,7 @@ "searchKey": "aws_api_gateway_domain_name[example2].security_policy", "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", - "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0" + "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index fc8f01acdc4..baa3168f372 100644 --- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_stage[positive1]", "searchValue": "", "expectedValue": "Attribute 'client_certificate_id' should be set", - "actualValue": "Attribute 'client_certificate_id' is undefined" + "actualValue": "Attribute 'client_certificate_id' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json index 48890cad7ec..499722f04b8 100644 --- a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_stage[positive1]", "searchValue": "", "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", - "actualValue": "API Gateway Stage is not associated with a Web Application Firewall" + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 6343aa7764c..a94bb2ecf03 100644 --- a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_stage[positive1].xray_tracing_enabled", "searchValue": "", "expectedValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' should be true", - "actualValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' is false" + "actualValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_api_gateway_stage[positive2].xray_tracing_enabled", "searchValue": "", "expectedValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' should be set", - "actualValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' is undefined" + "actualValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json index f6b719e087c..5a79f6b4b99 100644 --- a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_athena_database[{{hoge}}]", "searchValue": "", "expectedValue": "aws_athena_database[{{hoge}}] encryption_configuration should be defined", - "actualValue": "aws_athena_database[{{hoge}}] encryption_configuration is missing" + "actualValue": "aws_athena_database[{{hoge}}] encryption_configuration is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json index b978a4250aa..0b921ea419c 100644 --- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_athena_workgroup[{{example}}]", "searchValue": "", "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing" + "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing", + "issueType": "MissingAttribute" }, { "queryName": "Athena Workgroup Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", "searchValue": "", "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing" + "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing", + "issueType": "MissingAttribute" }, { "queryName": "Athena Workgroup Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", "searchValue": "", "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", - "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing" + "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json index 18268fd0e76..a7f9aee8d97 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", "searchValue": "", "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", - "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'" + "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Aurora With Disabled at Rest Encryption", @@ -21,6 +22,7 @@ "searchKey": "aws_rds_cluster[{{my_cluster}}]", "searchValue": "", "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", - "actualValue": "aws_rds_cluster.storage_encrypted is undefined" + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json index 91c1eb54c0b..74c0b63a18b 100644 --- a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_user_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", - "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false" + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Authentication Without MFA", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_user_policy[positive2].policy", "searchValue": "", "expectedValue": "The attributes 'policy.Statement.Condition', 'policy.Statement.Condition.BoolIfExists', and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be defined and not null", - "actualValue": "The attribute(s) 'policy.Statement.Condition' or/and 'policy.Statement.Condition.BoolIfExists' or/and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is/are undefined or null" + "actualValue": "The attribute(s) 'policy.Statement.Condition' or/and 'policy.Statement.Condition.BoolIfExists' or/and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is/are undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 460e02125fb..faf8ac7b9f7 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_autoscaling_group[bar]", "searchValue": "", "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined" + "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -21,7 +22,8 @@ "searchKey": "aws_autoscaling_group[positive2].load_balancers", "searchValue": "", "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty" + "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -33,7 +35,8 @@ "searchKey": "module[positive3]", "searchValue": "", "expectedValue": "'load_balancers' should be set and not empty", - "actualValue": "'load_balancers' is undefined" + "actualValue": "'load_balancers' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -45,7 +48,8 @@ "searchKey": "module[positive4].load_balancers", "searchValue": "", "expectedValue": "'load_balancers' should be set and not empty", - "actualValue": "'load_balancers' is undefined" + "actualValue": "'load_balancers' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -57,7 +61,8 @@ "searchKey": "aws_autoscaling_group[foo]", "searchValue": "", "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", @@ -69,6 +74,7 @@ "searchKey": "aws_autoscaling_group[foo]", "searchValue": "", "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", - "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined" + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index c478399975a..b102aa7a35e 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", "searchValue": "", "expectedValue": "'auto_minor_version_upgrade' should be set to true", - "actualValue": "'auto_minor_version_upgrade' is set to false" + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", @@ -21,6 +22,7 @@ "searchKey": "module[db].auto_minor_version_upgrade", "searchValue": "", "expectedValue": "'auto_minor_version_upgrade' should be set to true", - "actualValue": "'auto_minor_version_upgrade' is set to false" + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json index a16291f859d..fe59242f656 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_autoscaling_group[positive1]", "searchValue": "", "expectedValue": "'tags' or 'tag' should be defined and not null", - "actualValue": "'tags' and 'tag' are undefined or null" + "actualValue": "'tags' and 'tag' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Autoscaling Groups Supply Tags", @@ -21,6 +22,7 @@ "searchKey": "module[asg]", "searchValue": "", "expectedValue": "'tags' should be defined and not null", - "actualValue": "'tags' is undefined or null" + "actualValue": "'tags' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json index 24abda55dd3..d3f3355c826 100644 --- a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is missing domain field set to \"vpc\"" + "actualValue": "EIP is missing domain field set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -21,7 +22,8 @@ "searchKey": "aws_eip[web_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is missing domain field set to \"vpc\"" + "actualValue": "EIP is missing domain field set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -33,7 +35,8 @@ "searchKey": "aws_eip[nat_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -45,7 +48,8 @@ "searchKey": "aws_eip[transfer_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -57,7 +61,8 @@ "searchKey": "aws_eip[one]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -69,7 +74,8 @@ "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "Vpc is not set to true" + "actualValue": "Vpc is not set to true", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -81,7 +87,8 @@ "searchKey": "aws_eip[ok_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "Domain is not set to \"vpc\"" + "actualValue": "Domain is not set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -93,7 +100,8 @@ "searchKey": "aws_eip[eip_example]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", @@ -105,6 +113,7 @@ "searchKey": "aws_eip[web_eip]", "searchValue": "", "expectedValue": "All EIPs should be attached", - "actualValue": "EIP is not attached" + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 33071341077..390cdf5c29c 100644 --- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_account_password_policy[positive2].allow_users_to_change_password", "searchValue": "", "expectedValue": "'allow_users_to_change_password' should equal 'true'", - "actualValue": "'allow_users_to_change_password' is equal 'false'" + "actualValue": "'allow_users_to_change_password' is equal 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index 605456dca1e..08c59e01ee5 100644 --- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_batch_job_definition[positive1].container_properties.privileged", "searchValue": "", "expectedValue": "aws_batch_job_definition[positive1].container_properties.privileged should be 'false' or not set", - "actualValue": "aws_batch_job_definition[positive1].container_properties.privileged is 'true'" + "actualValue": "aws_batch_job_definition[positive1].container_properties.privileged is 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 181570059ee..881e2b89223 100644 --- a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_launch_configuration[example1].ebs_block_device", "searchValue": "", "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set", - "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined" + "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted", "searchValue": "", "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true", - "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false" + "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted", "searchValue": "", "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true", - "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false" + "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "module[asg].ebs_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -57,7 +61,8 @@ "searchKey": "module[asg].root_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -69,7 +74,8 @@ "searchKey": "module[asg2].block_device_mappings.0.ebs", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -81,7 +87,8 @@ "searchKey": "module[asg2].block_device_mappings.1.ebs", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -93,7 +100,8 @@ "searchKey": "module[asg].ebs_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -105,7 +113,8 @@ "searchKey": "module[asg].root_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -117,7 +126,8 @@ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -129,7 +139,8 @@ "searchKey": "module[asg2].block_device_mappings.0.ebs", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -141,7 +152,8 @@ "searchKey": "module[asg].ebs_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -153,7 +165,8 @@ "searchKey": "module[asg].root_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -165,7 +178,8 @@ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -177,7 +191,8 @@ "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -189,7 +204,8 @@ "searchKey": "aws_instance[example1].root_block_device.encrypted", "searchValue": "", "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true", - "actualValue": "aws_instance[example1].root_block_device.encrypted is false" + "actualValue": "aws_instance[example1].root_block_device.encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -201,7 +217,8 @@ "searchKey": "aws_instance[example2].ebs_block_device.encrypted", "searchValue": "", "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true", - "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false" + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -213,7 +230,8 @@ "searchKey": "aws_instance[example1].root_block_device", "searchValue": "", "expectedValue": "aws_instance[example1].root_block_device.encrypted should be set", - "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined" + "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -225,7 +243,8 @@ "searchKey": "aws_instance[example2].ebs_block_device", "searchValue": "", "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set", - "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined" + "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -237,7 +256,8 @@ "searchKey": "module[positive7-aws6].root_block_device.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -249,7 +269,8 @@ "searchKey": "module[positive7-legacy].root_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -261,7 +282,8 @@ "searchKey": "module[positive8-aws6].root_block_device.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -273,7 +295,8 @@ "searchKey": "module[positive8-legacy].root_block_device.0.encrypted", "searchValue": "", "expectedValue": "'encrypted' should be true", - "actualValue": "'encrypted' is false" + "actualValue": "'encrypted' is false", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", @@ -285,7 +308,8 @@ "searchKey": "module[positive9-aws6].root_block_device", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", @@ -297,6 +321,7 @@ "searchKey": "module[positive9-legacy].root_block_device.0", "searchValue": "", "expectedValue": "'encrypted' should be defined", - "actualValue": "'encrypted' is undefined" + "actualValue": "'encrypted' is undefined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 324d1659b1d..a319d031382 100644 --- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].ca_cert_identifier", "searchValue": "", "expectedValue": "'aws_db_instance.ca_cert_identifier' should be one provided by Amazon RDS.", - "actualValue": "'aws_db_instance.ca_cert_identifier' is 'rds-ca-2015'" + "actualValue": "'aws_db_instance.ca_cert_identifier' is 'rds-ca-2015'", + "issueType": "IncorrectValue" }, { "queryName": "CA Certificate Identifier Is Outdated", @@ -21,6 +22,7 @@ "searchKey": "module[db].ca_cert_identifier", "searchValue": "", "expectedValue": "'ca_cert_identifier' should be one provided by Amazon RDS.", - "actualValue": "'ca_cert_identifier' is 'rds-ca-2015'" + "actualValue": "'ca_cert_identifier' is 'rds-ca-2015'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 4b15c214909..7bfd745273e 100644 --- a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive1].enabled", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive1].enabled should be set to 'true'", - "actualValue": "resource.aws_cloudfront_distribution[positive1].enabled is configured as 'false'" + "actualValue": "resource.aws_cloudfront_distribution[positive1].enabled is configured as 'false'", + "issueType": "IncorrectValue" }, { "queryName": "CDN Configuration Is Missing", @@ -21,7 +22,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive2]", "searchValue": "origin", "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined", - "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined" + "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", @@ -33,6 +35,7 @@ "searchKey": "resource.aws_cloudfront_distribution[positive2]", "searchValue": "enabled", "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'", - "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined" + "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json index 557332fb54e..6b0c62e5411 100644 --- a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_domain_name[example2].certificate_body", "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example2].certificate_body should not have expired", - "actualValue": "aws_api_gateway_domain_name[example2].certificate_body has expired" + "actualValue": "aws_api_gateway_domain_name[example2].certificate_body has expired", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index acc5253dd4c..ee33fd5194f 100644 --- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_domain_name[example].certificate_body", "searchValue": "", "expectedValue": "aws_api_gateway_domain_name[example].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", - "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" + "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes", + "issueType": "IncorrectValue" }, { "queryName": "Certificate RSA Key Bytes Lower Than 256", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body", "searchValue": "", "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes", - "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes" + "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 572d3200d74..d001abed431 100644 --- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudfront_distribution[positive1]", "searchValue": "", "expectedValue": "aws_cloudfront_distribution[positive1].logging_config should be defined", - "actualValue": "aws_cloudfront_distribution[positive1].logging_config is undefined" + "actualValue": "aws_cloudfront_distribution[positive1].logging_config is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index 585f9b3379b..6a37435bd13 100644 --- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "actualValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", @@ -21,6 +22,7 @@ "searchKey": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.{{/content/immutable/*}}.viewer_protocol_policy", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", - "actualValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'" + "actualValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 6168a09cac1..6035ce72396 100644 --- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive1]", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null", - "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null" + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -21,7 +22,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", - "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016" + "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -33,7 +35,8 @@ "searchKey": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' should be 'false'", - "actualValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' is 'true'" + "actualValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", @@ -45,6 +48,7 @@ "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null", - "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null" + "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json index 5913946941e..1678f37e7b1 100755 --- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudfront_distribution[positive1].web_acl_id", "searchValue": "", "expectedValue": "'web_acl_id' should exist", - "actualValue": "'web_acl_id' is missing" + "actualValue": "'web_acl_id' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 2003ccc8096..3e02e7a4ba1 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "", "expectedValue": "'aws_cloudtrail[positive1].enable_log_file_validation' should be set", - "actualValue": "'aws_cloudtrail[positive1].enable_log_file_validation' is undefined" + "actualValue": "'aws_cloudtrail[positive1].enable_log_file_validation' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudtrail[positive2].enable_log_file_validation", "searchValue": "", "expectedValue": "'aws_cloudtrail[positive2].enable_log_file_validation' should be true", - "actualValue": "'aws_cloudtrail[positive2].enable_log_file_validation' is false" + "actualValue": "'aws_cloudtrail[positive2].enable_log_file_validation' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index f966105eab2..c81d9d29281 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "", "expectedValue": "aws_cloudtrail[positive1].kms_key_id should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].kms_key_id is undefined or null" + "actualValue": "aws_cloudtrail[positive1].kms_key_id is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json index 7f2de5087a1..a949760373e 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[b].acl", "searchValue": "", "expectedValue": "aws_s3_bucket[b] to not be publicly accessible", - "actualValue": "aws_s3_bucket[b] is publicly accessible" + "actualValue": "aws_s3_bucket[b] is publicly accessible", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "module[s3_bucket] to not be publicly accessible", - "actualValue": "module[s3_bucket] is publicly accessible" + "actualValue": "module[s3_bucket] is publicly accessible", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "module[s3_bucket] to not be publicly accessible", - "actualValue": "module[s3_bucket] is publicly accessible" + "actualValue": "module[s3_bucket] is publicly accessible", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json index 0e972c5820a..dcd89ddb202 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[foo]", "searchValue": "", "expectedValue": "aws_s3_bucket[foo] to have 'logging' defined", - "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined" + "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "module[foo]", "searchValue": "", "expectedValue": "'logging' should be defined", - "actualValue": "'logging' is undefined" + "actualValue": "'logging' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_s3_bucket[bb]", "searchValue": "", "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined", - "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined" + "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index b9076c93df5..f7cc8bfd439 100644 --- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudtrail.positive1.enable_logging", "searchValue": "", "expectedValue": "aws_cloudtrail.positive1.enable_logging should be true", - "actualValue": "aws_cloudtrail.positive1.enable_logging is false" + "actualValue": "aws_cloudtrail.positive1.enable_logging is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index 0c235a74a72..443eb15b4d4 100644 --- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "", "expectedValue": "aws_cloudtrail[positive1].is_multi_region_trail should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null" + "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_cloudtrail[positive2].is_multi_region_trail", "searchValue": "", "expectedValue": "aws_cloudtrail[positive2].is_multi_region_trail should be set to true", - "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false" + "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_cloudtrail[positive3].include_global_service_events", "searchValue": "", "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", - "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false" + "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 5409436d20a..bddc46a57ba 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "cloud_watch_logs_group_arn", "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null" + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "cloud_watch_logs_role_arn", "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", - "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null" + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index 85bd3ca51d8..98432ba7783 100644 --- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudtrail[positive1]", "searchValue": "", "expectedValue": "'aws_cloudtrail[positive1].sns_topic_name' should be set and should not be null", - "actualValue": "'aws_cloudtrail[positive1].sns_topic_name' is undefined or null" + "actualValue": "'aws_cloudtrail[positive1].sns_topic_name' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudtrail[positive2]", "searchValue": "", "expectedValue": "'aws_cloudtrail[positive2].sns_topic_name' should be set and should not be null", - "actualValue": "'aws_cloudtrail[positive2].sns_topic_name' is undefined or null" + "actualValue": "'aws_cloudtrail[positive2].sns_topic_name' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json index adf34418527..ab391933226 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", @@ -33,7 +35,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", @@ -45,6 +48,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json index be32284b090..42811e3501a 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", @@ -21,6 +22,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json index abc9d08c593..738792f764b 100644 --- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Changes To NACL Alarm Missing", @@ -21,6 +22,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json index a3cb30423c4..77c18b393e0 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json index eb1399be268..c89016b95f4 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json index 7c33a865651..08095adfa69 100644 --- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch IAM Policy Changes Alarm Missing", @@ -21,6 +22,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json index e2d2cc06d80..09fe236bad9 100644 --- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudwatch_log_group[negative1]", "searchValue": "", "expectedValue": "Attribute 'kms_key_id' should be set", - "actualValue": "Attribute 'kms_key_id' is undefined" + "actualValue": "Attribute 'kms_key_id' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index 9e8dcefaa53..2187e7b3912 100644 --- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_route53_zone[no_query_log]", "searchValue": "", "expectedValue": "'aws_route53_query_log' should be set for respective 'aws_route53_zone'", - "actualValue": "'aws_route53_query_log' is undefined" + "actualValue": "'aws_route53_query_log' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", "searchValue": "", "expectedValue": "'aws_route53_query_log' log group refers to the query log", - "actualValue": "'aws_route53_query_log' log group does not match with the log name" + "actualValue": "'aws_route53_query_log' log group does not match with the log name", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json index 5323eee3f3b..7dd0a4d2aec 100644 --- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy", "searchValue": "", "expectedValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy should not have wildcard in 'principals' and 'actions'", - "actualValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy has wildcard in 'principals' or 'actions'" + "actualValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy has wildcard in 'principals' or 'actions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json index 5e1fe0d5f11..2285b1bd9d0 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", @@ -33,7 +35,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", @@ -45,6 +48,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json index 6780d7fe132..73efd65bed0 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", @@ -33,7 +35,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", @@ -45,6 +48,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index 6179f223ddf..ef7ee460a9a 100644 --- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled should be true", - "actualValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled is false" + "actualValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudWatch Metrics Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_api_gateway_method_settings[positive2].settings", "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled should be defined and not null", - "actualValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled is undefined or null" + "actualValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json index d2c1adc7dfc..d01e24d1da0 100644 --- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json index 9902443340a..ecbf9ab1a42 100644 --- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Root Account Use Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Root Account Use Missing", @@ -33,7 +35,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Root Account Use Missing", @@ -45,6 +48,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json index 36560263475..1d57480ebf1 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json index 1733d571d9e..4bee97cb1f4 100644 --- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -33,7 +35,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -45,7 +48,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -57,7 +61,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -69,7 +74,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -81,7 +87,8 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", @@ -93,6 +100,7 @@ "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", - "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern" + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json index 854b6698f44..96d18826383 100644 --- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json index fbae50e7450..93c89cf8339 100644 --- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", @@ -33,7 +35,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", @@ -45,6 +48,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json index c5cf5280637..417c7895794 100644 --- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", @@ -21,7 +22,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", @@ -33,6 +35,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", - "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm" + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 635797e514b..3739021d0e1 100644 --- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudwatch_log_group[positive1]", "searchValue": "", "expectedValue": "Attribute 'retention_in_days' should be set and valid", - "actualValue": "Attribute 'retention_in_days' is undefined" + "actualValue": "Attribute 'retention_in_days' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Without Retention Period Specified", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudwatch_log_group[positive2].retention_in_days", "searchValue": "", "expectedValue": "Attribute 'retention_in_days' should be set and valid", - "actualValue": "Attribute 'retention_in_days' is set but invalid" + "actualValue": "Attribute 'retention_in_days' is set but invalid", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json index 4089042d009..ee19906d346 100644 --- a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_kms_key[a].is_enabled", "searchValue": "", "expectedValue": "aws_kms_key[a].is_enabled should be set to true", - "actualValue": "aws_kms_key[a].is_enabled is set to false" + "actualValue": "aws_kms_key[a].is_enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json index d3cbee653a8..97d5075302f 100644 --- a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kms_key[positive1]", "searchValue": "", "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined" + "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_kms_key[positive2]", "searchValue": "", "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive2].enable_key_rotation is false" + "actualValue": "aws_kms_key[positive2].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_kms_key[positive3]", "searchValue": "", "expectedValue": "aws_kms_key[positive3].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive3].enable_key_rotation is false" + "actualValue": "aws_kms_key[positive3].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_kms_key[positive4]", "searchValue": "", "expectedValue": "aws_kms_key[positive4].enable_key_rotation should be set to true", - "actualValue": "aws_kms_key[positive4].enable_key_rotation is false" + "actualValue": "aws_kms_key[positive4].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", @@ -57,6 +61,7 @@ "searchKey": "aws_kms_key[positive5]", "searchValue": "", "expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false", - "actualValue": "aws_kms_key[positive5].enable_key_rotation is true" + "actualValue": "aws_kms_key[positive5].enable_key_rotation is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json index f3c5e321f47..54de250cea0 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_codebuild_project[project-cloudrail-test].encryption_key", "searchValue": "", "expectedValue": "CodeBuild Project should not be encrypted with AWS managed key", - "actualValue": "CodeBuild Project is encrypted with AWS managed key" + "actualValue": "CodeBuild Project is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index 15fa3d8917f..d2098381d30 100644 --- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cognito_user_pool[positive1]", "searchValue": "", "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", - "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined" + "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cognito UserPool Without MFA", @@ -21,7 +22,8 @@ "searchKey": "aws_cognito_user_pool[positive2]", "searchValue": "", "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", - "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'" + "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Cognito UserPool Without MFA", @@ -33,6 +35,7 @@ "searchKey": "aws_cognito_user_pool[positive3]", "searchValue": "", "expectedValue": "aws_cognito_user_pool[positive3] should have 'sms_configuration' or 'software_token_mfa_configuration' defined", - "actualValue": "aws_cognito_user_pool[positive3] doesn't have 'sms_configuration' or 'software_token_mfa_configuration' defined" + "actualValue": "aws_cognito_user_pool[positive3] doesn't have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 17f350ac225..1bd884ddead 100644 --- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", "searchValue": "", "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", - "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined" + "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", "searchValue": "", "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", - "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false" + "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 03ac1b43fcf..39a4ba5f48b 100644 --- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_config_config_rule", "searchValue": "", "expectedValue": "There should be a 'aws_config_config_rule' resource with source id: 'ENCRYPTED_VOLUMES'", - "actualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'" + "actualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index 548a8e41dcc..6d12038b5ff 100644 --- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_role[positive1].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", - "actualValue": "'assume_role_policy' does not require external ID or MFA" + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_role[positive2].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", - "actualValue": "'assume_role_policy' does not require external ID or MFA" + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", @@ -33,6 +35,7 @@ "searchKey": "aws_iam_role[positive3].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy' requires external ID or MFA", - "actualValue": "'assume_role_policy' does not require external ID or MFA" + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index 164631f4afe..6f980b95df0 100644 --- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_dax_cluster[{{bar_1}}]", "searchValue": "", "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dax_cluster.server_side_encryption is missing" + "actualValue": "aws_dax_cluster.server_side_encryption is missing", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_dax_cluster[{{bar_2}}].server_side_encryption", "searchValue": "", "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing" + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", @@ -33,6 +35,7 @@ "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", "searchValue": "", "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false" + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 730ab1dc0c1..c5f3430d7fc 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].storage_encrypted", "searchValue": "", "expectedValue": "'storage_encrypted' should be set to true", - "actualValue": "'storage_encrypted' is set to false" + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_db_instance[positive2]", "searchValue": "", "expectedValue": "'storage_encrypted' should be set to true", - "actualValue": "'storage_encrypted' is undefined or null" + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "module[db]", "searchValue": "", "expectedValue": "'storage_encrypted' should be set to true", - "actualValue": "'storage_encrypted' is undefined or null" + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "DB Instance Storage Not Encrypted", @@ -45,6 +48,7 @@ "searchKey": "module[db].storage_encrypted", "searchValue": "", "expectedValue": "'storage_encrypted' should be set to true", - "actualValue": "'storage_encrypted' is set to false" + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 017bb765229..9e1a03deed3 100644 --- a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_security_group[positive1].ingress.cidr", "searchValue": "", "expectedValue": "'aws_db_security_group[positive1].ingress.cidr' should not be '0.0.0.0/0' or '::/0'", - "actualValue": "'aws_db_security_group[positive1].ingress.cidr' is '0.0.0.0/0'" + "actualValue": "'aws_db_security_group[positive1].ingress.cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Has Public Interface", @@ -21,6 +22,7 @@ "searchKey": "aws_db_security_group[positive1].ingress.cidr", "searchValue": "", "expectedValue": "'aws_db_security_group[positive1].ingress[1].cidr' should not be '0.0.0.0/0' or '::/0'", - "actualValue": "'aws_db_security_group[positive1].ingress[1].cidr' is '0.0.0.0/0'" + "actualValue": "'aws_db_security_group[positive1].ingress[1].cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index daebc1d0802..ccd13e7e588 100644 --- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_db_security_group[positive1].ingress.cidr", "searchValue": "", "expectedValue": "'aws_db_security_group.ingress.cidr' > 24", - "actualValue": "'aws_db_security_group.ingress.cidr' <= 24" + "actualValue": "'aws_db_security_group.ingress.cidr' <= 24", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 144be67a3d9..2f3e3c79b67 100644 --- a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_db_security_group[positive1].ingress.cidr", "searchValue": "", "expectedValue": "'aws_db_security_group.ingress.cidr' != 0.0.0.0/0", - "actualValue": "'aws_db_security_group.ingress.cidr'= 0.0.0.0/0" + "actualValue": "'aws_db_security_group.ingress.cidr'= 0.0.0.0/0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 97d0dee825a..695ff81d62c 100644 --- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_default_security_group[positive1]", "searchValue": "", "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", - "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -21,7 +22,8 @@ "searchKey": "aws_default_security_group[positive2]", "searchValue": "", "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", - "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", @@ -33,6 +35,7 @@ "searchKey": "aws_default_security_group[positive3]", "searchValue": "", "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", - "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'" + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json index 157076b96c7..34211980a41 100644 --- a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_default_vpc[positive1]", "searchValue": "", "expectedValue": "'aws_default_vpc' should not exist", - "actualValue": "'aws_default_vpc' exists" + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue" }, { "queryName": "Default VPC Exists", @@ -21,6 +22,7 @@ "searchKey": "vpc.default_vpc_name", "searchValue": "", "expectedValue": "'aws_default_vpc' should not exist", - "actualValue": "'aws_default_vpc' exists" + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json index 5908642ae0f..7033d4d3e02 100644 --- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_docdb_cluster[test2].kms_key_id", "searchValue": "", "expectedValue": "DOCDB Cluster should not be encrypted with AWS managed key", - "actualValue": "DOCDB Cluster is encrypted with AWS managed key" + "actualValue": "DOCDB Cluster is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json index ff59b96eec9..5c2c01584ab 100644 --- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_docdb_cluster[{{docdb}}]", "searchValue": "", "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", - "actualValue": "aws_docdb_cluster.storage_encrypted is missing" + "actualValue": "aws_docdb_cluster.storage_encrypted is missing", + "issueType": "MissingAttribute" }, { "queryName": "DOCDB Cluster Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_docdb_cluster[{{docdb_2}}].storage_encrypted", "searchValue": "", "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", - "actualValue": "aws_docdb_cluster.storage_encrypted is set to false" + "actualValue": "aws_docdb_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json index 19960badf32..baace016c76 100644 --- a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_docdb_cluster[{{docdb}}]", "searchValue": "", "expectedValue": "aws_docdb_cluster.kms_key_id should be defined and not null", - "actualValue": "aws_docdb_cluster.kms_key_id is undefined or null" + "actualValue": "aws_docdb_cluster.kms_key_id is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json index cc2027c46e7..c3f9659e4d9 100644 --- a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_docdb_cluster[{{positive1}}]", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", @@ -45,6 +48,7 @@ "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", - "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler" + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index ee1079103a0..3a5e0e13e03 100644 --- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_dynamodb_table[{{example}}]", "searchValue": "", "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dynamodb_table.server_side_encryption is missing" + "actualValue": "aws_dynamodb_table.server_side_encryption is missing", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", "searchValue": "", "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", - "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false" + "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index 6330405a3fe..69ec1493e39 100644 --- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", "searchValue": "", "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", - "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false" + "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", "searchValue": "", "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", - "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing" + "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json index 1aec53fef37..7a202b1a81a 100644 --- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_vpc_endpoint[dynamodb-vpce-gw].vpc_id", "searchValue": "", "expectedValue": "Dynamodb VPC Endpoint should be associated with Route Table Association", - "actualValue": "Dynamodb VPC Endpoint is not associated with Route Table Association" + "actualValue": "Dynamodb VPC Endpoint is not associated with Route Table Association", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json index fdb3ffdef27..20a0ccc203e 100644 --- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ebs_encryption_by_default[positive1].enabled", "searchValue": "", "expectedValue": "'aws_ebs_encryption_by_default.encrypted' should be true", - "actualValue": "'aws_ebs_encryption_by_default.encrypted' is false" + "actualValue": "'aws_ebs_encryption_by_default.encrypted' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index d74f9744586..6fa8ca87a7d 100644 --- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ebs_volume[positive1].encrypted", "searchValue": "", "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'", - "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'" + "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_ebs_volume[positive2]", "searchValue": "", "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined", - "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined" + "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json index 02df74e7e6d..07a7f486dfe 100644 --- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ebs_volume[positive1].encrypted", "searchValue": "", "expectedValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] should be true", - "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false" + "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Snapshot Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_ebs_snapshot[positive2]", "searchValue": "", "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set", - "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined" + "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index 59f475155b7..930b509fdd9 100644 --- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance.web2", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be defined and not null", - "actualValue": "'associate_public_ip_address' is undefined or null" + "actualValue": "'associate_public_ip_address' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has Public IP", @@ -21,7 +22,8 @@ "searchKey": "aws_instance.web3.associate_public_ip_address", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be set to false", - "actualValue": "'associate_public_ip_address' is true" + "actualValue": "'associate_public_ip_address' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", @@ -33,7 +35,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be defined and not null", - "actualValue": "'associate_public_ip_address' is undefined or null" + "actualValue": "'associate_public_ip_address' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has Public IP", @@ -45,6 +48,7 @@ "searchKey": "module[ec2_instance].associate_public_ip_address", "searchValue": "", "expectedValue": "'associate_public_ip_address' should be set to false", - "actualValue": "'associate_public_ip_address' is true" + "actualValue": "'associate_public_ip_address' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 39207b68bf9..cf6fc7891f8 100644 --- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance.{{monitoring_positive1}}", "searchValue": "", "expectedValue": "'monitoring' should be defined and not null", - "actualValue": "'monitoring' is undefined or null" + "actualValue": "'monitoring' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_instance.{{monitoring_positive2}}.monitoring", "searchValue": "", "expectedValue": "monitoring_positive2.'monitoring' should be set to true", - "actualValue": "monitoring_positive2.'monitoring' is set to false" + "actualValue": "monitoring_positive2.'monitoring' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -33,7 +35,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "'monitoring' should be defined and not null", - "actualValue": "'monitoring' is undefined or null" + "actualValue": "'monitoring' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -45,7 +48,8 @@ "searchKey": "module[ec2_instance].monitoring", "searchValue": "", "expectedValue": "ec2_instance.'monitoring' should be set to true", - "actualValue": "ec2_instance.'monitoring' is set to false" + "actualValue": "ec2_instance.'monitoring' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", @@ -57,6 +61,7 @@ "searchKey": "aws_instance.{{cdktf-test}}.monitoring", "searchValue": "", "expectedValue": "cdktf-test.'monitoring' should be set to true", - "actualValue": "cdktf-test.'monitoring' is set to false" + "actualValue": "cdktf-test.'monitoring' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json index 799566a505a..a99e769f7f3 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[positive1]", "searchValue": "", "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -21,7 +22,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -33,7 +35,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -45,7 +48,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys" + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -57,7 +61,8 @@ "searchKey": "aws_instance[positive2]", "searchValue": "", "expectedValue": "aws_instance[positive2] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -69,7 +74,8 @@ "searchKey": "aws_instance[positive3]", "searchValue": "", "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -81,7 +87,8 @@ "searchKey": "aws_instance[positive4]", "searchValue": "", "expectedValue": "aws_instance[positive4] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive4].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive4].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -93,7 +100,8 @@ "searchKey": "aws_instance[positive5]", "searchValue": "", "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -105,7 +113,8 @@ "searchKey": "aws_instance[positive6]", "searchValue": "", "expectedValue": "aws_instance[positive6] should be using iam_instance_profile to assign a role with permissions", - "actualValue": "aws_instance[positive6].user_data is being used to configure AWS API keys" + "actualValue": "aws_instance[positive6].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", @@ -117,7 +126,8 @@ "searchKey": "aws_instance[positive7].provisioner", "searchValue": "", "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys", - "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions" + "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using API Keys", @@ -129,7 +139,8 @@ "searchKey": "aws_instance[positive8].provisioner", "searchValue": "", "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys", - "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions" + "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using API Keys", @@ -141,6 +152,7 @@ "searchKey": "aws_instance[positive9].provisioner", "searchValue": "", "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys", - "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions" + "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 99ba448a0e1..ed74cd1bdf9 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[positive1].security_groups", "searchValue": "", "expectedValue": "aws_instance[positive1].security_groups should not be using default security group", - "actualValue": "aws_instance[positive1].security_groups is using at least one default security group" + "actualValue": "aws_instance[positive1].security_groups is using at least one default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", @@ -21,6 +22,7 @@ "searchKey": "aws_instance[positive2].vpc_security_group_ids", "searchValue": "", "expectedValue": "aws_instance[positive2].vpc_security_group_ids should not be using default security group", - "actualValue": "aws_instance[positive2].vpc_security_group_ids is using at least one default security group" + "actualValue": "aws_instance[positive2].vpc_security_group_ids is using at least one default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 0e607948d02..98158e9f133 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_instance[positive1].subnet_id", "searchValue": "", "expectedValue": "aws_instance[positive1].subnet_id should not be associated with a default VPC", - "actualValue": "aws_instance[positive1].subnet_id is associated with a default VPC" + "actualValue": "aws_instance[positive1].subnet_id is associated with a default VPC", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index b81a5174634..be29eecc0d9 100644 --- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[{{web}}]", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", - "actualValue": "'ebs_optimized' is undefined or null" + "actualValue": "'ebs_optimized' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -21,7 +22,8 @@ "searchKey": "aws_instance[{{web}}].ebs_optimized", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", - "actualValue": "'ebs_optimized' is set to false" + "actualValue": "'ebs_optimized' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", @@ -33,7 +35,8 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", - "actualValue": "'ebs_optimized' is undefined or null" + "actualValue": "'ebs_optimized' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", @@ -45,6 +48,7 @@ "searchKey": "module[ec2_instance].ebs_optimized", "searchValue": "", "expectedValue": "'ebs_optimized' should be set to true", - "actualValue": "'ebs_optimized' is set to false" + "actualValue": "'ebs_optimized' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 6cb99b686a1..85a7e65611f 100644 --- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecr_repository.foo2.image_tag_mutability", "searchValue": "", "expectedValue": "aws_ecr_repository.foo2.image_tag_mutability should be 'IMMUTABLE'", - "actualValue": "aws_ecr_repository.foo2.image_tag_mutability is 'MUTABLE'" + "actualValue": "aws_ecr_repository.foo2.image_tag_mutability is 'MUTABLE'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Image Tag Not Immutable", @@ -21,6 +22,7 @@ "searchKey": "aws_ecr_repository.foo3", "searchValue": "", "expectedValue": "aws_ecr_repository.foo3.image_tag_mutability should be defined and not null", - "actualValue": "aws_ecr_repository.foo3.image_tag_mutability is undefined or null" + "actualValue": "aws_ecr_repository.foo3.image_tag_mutability is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index ed568773a62..fcd9ff17659 100644 --- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ecr_repository_policy[positive2].policy", "searchValue": "", "expectedValue": "'Statement.Principal' shouldn't contain '*'", - "actualValue": "'Statement.Principal' contains '*'" + "actualValue": "'Statement.Principal' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json index 8919ccc3870..feff26fda4a 100644 --- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecr_repository[foo]", "searchValue": "", "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN", - "actualValue": "'encryption_configuration' is undefined or null" + "actualValue": "'encryption_configuration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Not Encrypted With CMK", @@ -21,6 +22,7 @@ "searchKey": "aws_ecr_repository[fooX].encryption_configuration", "searchValue": "", "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN", - "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN" + "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json index 8e0da04b887..9fc1778b6f8 100644 --- a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecr_repository[foo]", "searchValue": "", "expectedValue": "aws_ecr_repository[foo] has policies attached", - "actualValue": "aws_ecr_repository[foo] doesn't have policies attached" + "actualValue": "aws_ecr_repository[foo] doesn't have policies attached", + "issueType": "MissingAttribute" }, { "queryName": "ECR Repository Without Policy", @@ -21,6 +22,7 @@ "searchKey": "aws_ecr_repository[foo2]", "searchValue": "", "expectedValue": "aws_ecr_repository[foo2] has policies attached", - "actualValue": "aws_ecr_repository[foo2] doesn't have policies attached" + "actualValue": "aws_ecr_repository[foo2] doesn't have policies attached", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index d294c36ba80..8b9b824870f 100644 --- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ecs_cluster[foo]", "searchValue": "", "expectedValue": "'aws_ecs_cluster[foo].setting.name' should be set to 'containerInsights' and 'aws_ecs_cluster[foo].setting.value' should be set to 'enabled'", - "actualValue": "'aws_ecs_cluster[foo].setting.name' is not set to 'containerInsights' and/or 'aws_ecs_cluster[foo].setting.value' is not set to 'enabled'" + "actualValue": "'aws_ecs_cluster[foo].setting.name' is not set to 'containerInsights' and/or 'aws_ecs_cluster[foo].setting.value' is not set to 'enabled'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 037a254a6ea..c640fb1c125 100644 --- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ecs_service[positive1].iam_role", "searchValue": "", "expectedValue": "'aws_ecs_service[positive1].iam_role' should not equal to 'admin'", - "actualValue": "'aws_ecs_service[positive1].iam_role' is equal to 'admin'" + "actualValue": "'aws_ecs_service[positive1].iam_role' is equal to 'admin'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index eb466e32790..669150c7f58 100644 --- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ecs_service[positive1]", "searchValue": "", "expectedValue": "'aws_ecs_service[positive1]' has at least 1 task running", - "actualValue": "'aws_ecs_service[positive1]' must have at least 1 task running" + "actualValue": "'aws_ecs_service[positive1]' must have at least 1 task running", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 325bc151ad3..9ce62c25069 100644 --- a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip", "searchValue": "", "expectedValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' should be set to 'false'(default value is 'false')", - "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true" + "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "ECS Services assigned with public IP address", @@ -21,6 +22,7 @@ "searchKey": "module[ecs].services.frontend.assign_public_ip", "searchValue": "", "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')", - "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true" + "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 01781e2a6a2..48c28da9917 100644 --- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ecs_task_definition[positive1].network_mode", "searchValue": "", "expectedValue": "'network_mode' should equal to 'awsvpc'", - "actualValue": "'network_mode' is equal to 'none'" + "actualValue": "'network_mode' is equal to 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json index eb1ff71faae..9ba0b45eceb 100644 --- a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_efs_file_system[positive1]", "searchValue": "", "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null", - "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null" + "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EFS Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_efs_file_system[positive2].encrypted", "searchValue": "", "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true", - "actualValue": "aws_efs_file_system[positive2].encrypted' is false" + "actualValue": "aws_efs_file_system[positive2].encrypted' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 4fc6e3f1825..ad6f43880af 100644 --- a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecs_task_definition[{{service}}].volume.efs_volume_configuration.transit_encryption", "searchValue": "", "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", - "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'" + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -21,7 +22,8 @@ "searchKey": "aws_ecs_task_definition[{{service_2}}].volume.efs_volume_configuration", "searchValue": "", "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", - "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing" + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute" }, { "queryName": "EFS Volume With Disabled Transit Encryption", @@ -33,6 +35,7 @@ "searchKey": "aws_ecs_task_definition[{{service_2}}].volume", "searchValue": "", "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", - "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set" + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json index 0637e361f12..566568a6bae 100644 --- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_efs_file_system_policy[not_secure_policy].policy", "searchValue": "", "expectedValue": "aws_efs_file_system_policy[not_secure_policy].policy should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_efs_file_system_policy[not_secure_policy].policy has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_efs_file_system_policy[not_secure_policy].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json index 09ed987a26d..8acad4a443a 100644 --- a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_efs_file_system[positive1]", "searchValue": "", "expectedValue": "aws_efs_file_system[positive1].kms_key_id' should be defined'", - "actualValue": "aws_efs_file_system[positive1].kms_key_id' is undefined" + "actualValue": "aws_efs_file_system[positive1].kms_key_id' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index eec21cdaef0..3c5fe608135 100644 --- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_eks_cluster[positive1]", "searchValue": "", "expectedValue": "'encryption_config' should be defined and not null", - "actualValue": "'encryption_config' is undefined or null" + "actualValue": "'encryption_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EKS Cluster Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_eks_cluster[positive2].encryption_config.resources", "searchValue": "", "expectedValue": "'secrets' should be defined", - "actualValue": "'secrets' is undefined" + "actualValue": "'secrets' is undefined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json index ff70284f637..16e96bd38d6 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_eks_cluster[positive1].vpc_config.endpoint_public_access", "searchValue": "", "expectedValue": "'vpc_config.endpoint_public_access' should equal 'false'", - "actualValue": "'vpc_config.endpoint_public_access' is equal 'true'" + "actualValue": "'vpc_config.endpoint_public_access' is equal 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json index 8207e36976e..ac639909ae9 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_eks_cluster[positive1].vpc_config.public_access_cidrs", "searchValue": "", "expectedValue": "One of 'vpc_config.public_access_cidrs' not equal '0.0.0.0/0'", - "actualValue": "One of 'vpc_config.public_access_cidrs' is equal '0.0.0.0/0'" + "actualValue": "One of 'vpc_config.public_access_cidrs' is equal '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "EKS Cluster Has Public Access CIDRs", @@ -21,6 +22,7 @@ "searchKey": "aws_eks_cluster[positive2].vpc_config.public_access_cidrs", "searchValue": "", "expectedValue": "'vpc_config.public_access_cidrs' should exist", - "actualValue": "'vpc_config.public_access_cidrs' is missing" + "actualValue": "'vpc_config.public_access_cidrs' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json index 0dd0e7242ae..29a9efef712 100644 --- a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_eks_cluster[positive1]", "searchValue": "", "expectedValue": "'enabled_cluster_log_types' should be defined and not null", - "actualValue": "'enabled_cluster_log_types' is undefined or null" + "actualValue": "'enabled_cluster_log_types' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json index 78901ccb38e..c1bb19ff4ce 100644 --- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_eks_node_group[positive].remote_access", "searchValue": "", "expectedValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' should be defined and not null", - "actualValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' is undefined or null" + "actualValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 98b2d7f16ea..e9622391b50 100644 --- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster", - "actualValue": "'az_mode' is undefined" + "actualValue": "'az_mode' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticache_cluster[positive2].az_mode", "searchValue": "", "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster", - "actualValue": "'az_mode' is 'single-az'" + "actualValue": "'az_mode' is 'single-az'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index e72bae0eee2..58d39fa68a4 100644 --- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "'snapshot_retention_limit' should be higher than 0", - "actualValue": "'snapshot_retention_limit' is undefined" + "actualValue": "'snapshot_retention_limit' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Redis Cluster Without Backup", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit", "searchValue": "", "expectedValue": "'snapshot_retention_limit' should be higher than 0", - "actualValue": "'snapshot_retention_limit' is 0" + "actualValue": "'snapshot_retention_limit' is 0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json index 61e9da60835..ace4bac44fa 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_replication_group[example]", "searchValue": "", "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", - "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined" + "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled", "searchValue": "", "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", - "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true" + "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json index 850884bd04c..7795b6cf7d9 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_replication_group[example]", "searchValue": "", "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", - "actualValue": "The attribute 'transit_encryption_enabled' is undefined" + "actualValue": "The attribute 'transit_encryption_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled", "searchValue": "", "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", - "actualValue": "The attribute 'transit_encryption_enabled' is not set to true" + "actualValue": "The attribute 'transit_encryption_enabled' is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json index e4019556d8c..25d0fc9c4d4 100644 --- a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "aws_elasticache_cluster.port should be defined and not null", - "actualValue": "aws_elasticache_cluster.port is undefined or null" + "actualValue": "aws_elasticache_cluster.port is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "aws_elasticache_cluster[positive2]", "searchValue": "", "expectedValue": "aws_elasticache_cluster.port should be defined and not null", - "actualValue": "aws_elasticache_cluster.port is undefined or null" + "actualValue": "aws_elasticache_cluster.port is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElastiCache Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "aws_elasticache_cluster[positive3].port", "searchValue": "", "expectedValue": "'port' should not be set to 6379", - "actualValue": "'port' is set to 6379" + "actualValue": "'port' is set to 6379", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "aws_elasticache_cluster[positive2].port", "searchValue": "", "expectedValue": "'port' should not be set to 11211", - "actualValue": "'port' is set to 11211" + "actualValue": "'port' is set to 11211", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json index eeee4d47f1c..9adf79f6789 100644 --- a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "'aws_elasticache_cluster[positive1].subnet_group_name' should be defined and not null'", - "actualValue": "'aws_elasticache_cluster[positive1].subnet_group_name' is undefined or null" + "actualValue": "'aws_elasticache_cluster[positive1].subnet_group_name' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index 0803cf20dd2..5c5ee80c1aa 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticsearch_domain[{{positive1}}]", "searchValue": "", "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", - "actualValue": "The attribute 'node_to_node_encryption' is undefined" + "actualValue": "The attribute 'node_to_node_encryption' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled", "searchValue": "", "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", - "actualValue": "The attribute 'node_to_node_encryption' is not set to true" + "actualValue": "The attribute 'node_to_node_encryption' is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json index c3f30adae2e..16a879b2f9f 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticsearch_domain_policy[main].access_policies", "searchValue": "", "expectedValue": "aws_elasticsearch_domain_policy[main].access_policies should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_elasticsearch_domain_policy[main].access_policies has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_elasticsearch_domain_policy[main].access_policies has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json index e024e33c995..0ef82a1157f 100644 --- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticsearch_domain[positive1].encrypt_at_rest", "searchValue": "", "expectedValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' should be set with encryption at rest", - "actualValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' is undefined" + "actualValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index c23737710af..82e73a4e397 100644 --- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.enabled", "searchValue": "", "expectedValue": "'log_publishing_options.enabled' should be true", - "actualValue": "'log_publishing_options.enabled' is false" + "actualValue": "'log_publishing_options.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Log Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticsearch_domain[{{positive2}}]", "searchValue": "", "expectedValue": "'log_publishing_options' should be defined and not null", - "actualValue": "'log_publishing_options' is undefined or null" + "actualValue": "'log_publishing_options' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 4c69509cbf9..ca2f6bb233d 100644 --- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticsearch_domain[positive1]", "searchValue": "", "expectedValue": "'encrypt_at_rest' should be set and enabled", - "actualValue": "'encrypt_at_rest' is undefined" + "actualValue": "'encrypt_at_rest' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Not Encrypted At Rest", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticsearch_domain[positive2].encrypt_at_rest.enabled", "searchValue": "", "expectedValue": "'encrypt_at_rest.enabled' should be true", - "actualValue": "'encrypt_at_rest.enabled' is false" + "actualValue": "'encrypt_at_rest.enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 310b0513d3e..1e70b9a61a5 100644 --- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticsearch_domain[{{example}}]", "searchValue": "", "expectedValue": "The attribute 'enforce_https' should be set to 'true'", - "actualValue": "The attribute 'enforce_https' is set to 'false'" + "actualValue": "The attribute 'enforce_https' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index c931b6699a9..8b3880ce36b 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticsearch_domain[example]", "searchValue": "", "expectedValue": "Elasticsearch Domain ensure IAM Authentication", - "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Without IAM Authentication", @@ -21,6 +22,7 @@ "searchKey": "aws_elasticsearch_domain[example2]", "searchValue": "", "expectedValue": "Elasticsearch Domain ensure IAM Authentication", - "actualValue": "Elasticsearch Domain does not ensure IAM Authentication" + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 6aff8d5b8c3..efc23241fc3 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.log_type", "searchValue": "", "expectedValue": "'log_publishing_options.log_type' should not be INDEX_SLOW_LOGS or SEARCH_SLOW_LOGS ", - "actualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS" + "actualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json index d1a1d73ddcd..369bf6309fb 100644 --- a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elb[{{postive1}}].access_logs.enabled", "searchValue": "", "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true", - "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false" + "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "ELB Access Log Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_elb[{{postive2}}]", "searchValue": "", "expectedValue": "'aws_elb[{{postive2}}].access_logs' should be defined and not null", - "actualValue": "'aws_elb[{{postive2}}].access_logs' is undefined or null" + "actualValue": "'aws_elb[{{postive2}}].access_logs' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", @@ -33,7 +35,8 @@ "searchKey": "module[elb_http]", "searchValue": "", "expectedValue": "'access_logs' should be defined and not null", - "actualValue": "'access_logs' is undefined or null" + "actualValue": "'access_logs' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", @@ -45,6 +48,7 @@ "searchKey": "module[elb_http].access_logs.enabled", "searchValue": "", "expectedValue": "'access_logs.enabled' should be true", - "actualValue": "'access_logs.enabled' is false" + "actualValue": "'access_logs.enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 74630d30609..e761cdc0ab0 100644 --- a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name", "searchValue": "", "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol", - "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol" + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", @@ -21,6 +22,7 @@ "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", "searchValue": "", "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol", - "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol" + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 0f17deed02f..b68ab27569a 100644 --- a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_load_balancer_policy[positive4]", "searchValue": "", "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' should not be a weak cipher", - "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' is a weak cipher" + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -21,7 +22,8 @@ "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", "searchValue": "", "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' should not be a weak cipher", - "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' is a weak cipher" + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' is a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", @@ -33,6 +35,7 @@ "searchKey": "aws_load_balancer_policy[positive6].policy_attribute.name", "searchValue": "", "expectedValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' should not be a weak cipher", - "actualValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' is a weak cipher" + "actualValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' is a weak cipher", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json index b3cdb52c7d8..78277651a2c 100644 --- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lb[test].access_logs.enabled", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs.enabled' is not set to true" + "actualValue": "'access_logs.enabled' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "ELBv2 LB Access Log Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_lb[test].access_logs", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs.enabled' is undefined" + "actualValue": "'access_logs.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELBv2 LB Access Log Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_lb[test]", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs' is undefined" + "actualValue": "'access_logs' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELBv2 LB Access Log Disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_alb[test].access_logs.enabled", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs.enabled' is not set to true" + "actualValue": "'access_logs.enabled' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "ELBv2 LB Access Log Disabled", @@ -57,7 +61,8 @@ "searchKey": "aws_alb[test].access_logs", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs.enabled' is undefined" + "actualValue": "'access_logs.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELBv2 LB Access Log Disabled", @@ -69,6 +74,7 @@ "searchKey": "aws_alb[test]", "searchValue": "", "expectedValue": "'access_logs.enabled' should be defined and set to true", - "actualValue": "'access_logs' is undefined" + "actualValue": "'access_logs' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json index 33b7e847667..8e1a25f0dbc 100644 --- a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_emr_cluster[positive1]", "searchValue": "", "expectedValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null'", - "actualValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' is undefined or null" + "actualValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json index 118e14c0095..c88d9efcfa5 100644 --- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_globalaccelerator_accelerator[{{positive1}}]", "searchValue": "", "expectedValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled should be defined and not null", - "actualValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled is undefined or null" + "actualValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Global Accelerator Flow Logs Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes", "searchValue": "", "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null", - "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null" + "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Global Accelerator Flow Logs Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled", "searchValue": "", "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true", - "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false" + "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json index 513ad7e1542..a0401343ce9 100644 --- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_glue_data_catalog_encryption_settings[positive1].data_catalog_encryption_settings.connection_password_encryption.return_connection_password_encrypted", "searchValue": "", "expectedValue": "'return_connection_password_encrypted' should be set to true", - "actualValue": "'return_connection_password_encrypted' is not set to true" + "actualValue": "'return_connection_password_encrypted' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Glue Data Catalog Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_glue_data_catalog_encryption_settings[positive2].data_catalog_encryption_settings.connection_password_encryption", "searchValue": "", "expectedValue": "'aws_kms_key_id' should be defined and not null", - "actualValue": "'aws_kms_key_id' is undefined or null" + "actualValue": "'aws_kms_key_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Glue Data Catalog Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode", "searchValue": "", "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", - "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'" + "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'", + "issueType": "IncorrectValue" }, { "queryName": "Glue Data Catalog Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest", "searchValue": "", "expectedValue": "'sse_aws_kms_key_id' should be defined and not null", - "actualValue": "'sse_aws_kms_key_id' is undefined or null" + "actualValue": "'sse_aws_kms_key_id' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json index 9bf671512ce..1a5804fd91a 100644 --- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption", "searchValue": "", "expectedValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' defined and not null", - "actualValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' undefined or null" + "actualValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Glue Security Configuration Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_glue_security_configuration[positive2].encryption_configuration.job_bookmarks_encryption.job_bookmarks_encryption_mode", "searchValue": "", "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'", - "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'" + "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'", + "issueType": "MissingAttribute" }, { "queryName": "Glue Security Configuration Encryption Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption", "searchValue": "", "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' defined and not null", - "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null" + "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json index efba0f17bcc..b0349b72111 100644 --- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_glue_resource_policy[example].policy", "searchValue": "", "expectedValue": "aws_glue_resource_policy[example].policy should not have wildcard in 'principals' and 'actions'", - "actualValue": "aws_glue_resource_policy[example].policy has wildcard in 'principals' or 'actions'" + "actualValue": "aws_glue_resource_policy[example].policy has wildcard in 'principals' or 'actions'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index 46afccf8074..a6bf1dd3d95 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index 519cbc203f1..e072f39bb08 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index b39d394a828..8646fae9957 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 880d18cfdfa..b1b55f66035 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 5b5681cf5b9..3fad1f6b9f0 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index acb504d1ca9..a3f3c06f407 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index c348efe0f7d..80e7c9dc8f2 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index 96ac75d21d5..657f71c3db1 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index e7e72a7b15d..42c03a36a7a 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 324d63e5618..780eea30dcb 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 6a6fcc01075..ee7929dc132 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 2f230c7ff41..e3589e480c8 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index e918e315ffd..366e28e0ee1 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 1b78fd177dc..e6391d89f46 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index e8fc952c59b..9d6c80d0b00 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 7f9977e6320..7e190815b66 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index d34c3f5cec2..b40a1fcf201 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index af3ba554011..1edd6a7e705 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 2b12ddf844f..ffa0c9e766c 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_group[cosmic]", "searchValue": "", "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", - "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json index b081585b2d5..fcac8237ca3 100644 --- a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_guardduty_detector[positive1].enable", "searchValue": "", "expectedValue": "GuardDuty Detector should be Enabled", - "actualValue": "GuardDuty Detector is not Enabled" + "actualValue": "GuardDuty Detector is not Enabled", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json index a592a605291..de93c7c26df 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "module[ec2_instance].user_data", "searchValue": "", "expectedValue": "'user_data' shouldn't contain hardcoded access key", - "actualValue": "'user_data' contains hardcoded access key" + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key", @@ -21,6 +22,7 @@ "searchKey": "aws_instance[positive1].user_data", "searchValue": "", "expectedValue": "'user_data' shouldn't contain hardcoded access key", - "actualValue": "'user_data' contains hardcoded access key" + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index ed3fe6962a1..8dd54f1be2b 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lambda_function[positive2].environment.variables.foo", "searchValue": "", "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", - "actualValue": "'environment.variables' contains AWS Access Key" + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", @@ -21,6 +22,7 @@ "searchKey": "aws_lambda_function[positive3].environment.variables.foo", "searchValue": "", "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", - "actualValue": "'environment.variables' contains AWS Access Key" + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index d55e4892cae..37742d592c8 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-6].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-6].ingress opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-6].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", - "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)" + "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -93,7 +100,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1] should not open the HTTP port (80)", - "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)" + "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -129,7 +139,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2] should not open the HTTP port (80)", - "actualValue": "aws_security_group_rule[positive3-2] opens the HTTP port (80)" + "actualValue": "aws_security_group_rule[positive3-2] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -141,7 +152,8 @@ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -153,7 +165,8 @@ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -165,7 +178,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -177,7 +191,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -189,7 +204,8 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", @@ -201,6 +217,7 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 313ccf7f292..3f90f19af1e 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "'aws_accessanalyzer_analyzer' should be set", - "actualValue": "'aws_accessanalyzer_analyzer' is undefined" + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Access Analyzer Not Enabled", @@ -21,6 +22,7 @@ "searchKey": "resource", "searchValue": "", "expectedValue": "'aws_accessanalyzer_analyzer' should be set", - "actualValue": "'aws_accessanalyzer_analyzer' is undefined" + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 70afe79455b..f8db9043450 100644 --- a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_access_key[positive1].user", "searchValue": "", "expectedValue": "'aws_iam_access_key[positive1].user' should not be 'root' for an active access key", - "actualValue": "'aws_iam_access_key[positive1].user' is 'root' for an active access key" + "actualValue": "'aws_iam_access_key[positive1].user' is 'root' for an active access key", + "issueType": "IncorrectValue" }, { "queryName": "IAM Access Key Is Exposed", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_access_key[positive2].user", "searchValue": "", "expectedValue": "'aws_iam_access_key[positive2].user' should not be 'root' for an active access key", - "actualValue": "'aws_iam_access_key[positive2].user' is 'root' for an active access key" + "actualValue": "'aws_iam_access_key[positive2].user' is 'root' for an active access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 80042cb9566..832d5d6b85b 100644 --- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is set to false" + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM Database Auth Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "aws_db_instance[positive1]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined or null" + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", @@ -33,7 +35,8 @@ "searchKey": "module[db]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined or null" + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", @@ -45,6 +48,7 @@ "searchKey": "module[db].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is set to false" + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index cbf99c5095f..5b3adfb3cc1 100644 --- a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -21,7 +22,8 @@ "searchKey": "aws_rds_cluster[example_postgres]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -33,7 +35,8 @@ "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -45,7 +48,8 @@ "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -57,7 +61,8 @@ "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -69,7 +74,8 @@ "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -81,7 +87,8 @@ "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -93,7 +100,8 @@ "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -105,7 +113,8 @@ "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -117,7 +126,8 @@ "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -129,7 +139,8 @@ "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -141,7 +152,8 @@ "searchKey": "aws_rds_cluster[positive2]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -153,7 +165,8 @@ "searchKey": "module[aurora_cluster]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -165,7 +178,8 @@ "searchKey": "aws_rds_cluster[positive3]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -177,7 +191,8 @@ "searchKey": "aws_rds_cluster[positive4].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -189,7 +204,8 @@ "searchKey": "aws_rds_cluster[positive5].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -201,7 +217,8 @@ "searchKey": "aws_rds_cluster[positive6]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -213,7 +230,8 @@ "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -225,7 +243,8 @@ "searchKey": "aws_rds_cluster[example_postgres]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", @@ -237,6 +256,7 @@ "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is defined to false" + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json index 45c5f0a56c4..675439f08cd 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_group[group2]", "searchValue": "", "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" }, { "queryName": "IAM Group Without Users", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_group[group3]", "searchValue": "", "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index 57b1272290f..464a0b09f4d 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_group[group2]", "searchValue": "", "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set" + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" }, { "queryName": "IAM Group Without Users", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_group[group3]", "searchValue": "", "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", - "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set" + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 923fea78263..95fab2573d6 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_account_password_policy[positive1]", "searchValue": "", "expectedValue": "'minimum_password_length' should be set and no less than 14", - "actualValue": "'minimum_password_length' is undefined" + "actualValue": "'minimum_password_length' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Password Without Minimum Length", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", "searchValue": "", "expectedValue": "'minimum_password_length' should be set and no less than 14", - "actualValue": "'minimum_password_length' is less than 14" + "actualValue": "'minimum_password_length' is less than 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 3b7bb1f8a31..fb75fab87aa 100755 --- a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", "searchValue": "", "expectedValue": "'users' is redundant", - "actualValue": "'users' exists" + "actualValue": "'users' exists", + "issueType": "RedundantAttribute" }, { "queryName": "IAM Policies Attached To User", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_user_policy[{{positive2_3}}].user", "searchValue": "", "expectedValue": "'user' is redundant", - "actualValue": "'user' exists" + "actualValue": "'user' exists", + "issueType": "RedundantAttribute" }, { "queryName": "IAM Policies Attached To User", @@ -33,6 +35,7 @@ "searchKey": "aws_iam_user_policy_attachment[{{test-attach}}].user", "searchValue": "", "expectedValue": "'user' is redundant", - "actualValue": "'user' exists" + "actualValue": "'user' exists", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index a5cbd7f8543..413010fdac4 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_role_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_policy_document[example].statement", "searchValue": "", "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", - "actualValue": "'statement.actions' contains '*' or 'iam:*'" + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -33,7 +35,8 @@ "searchKey": "aws_iam_policy_document[example].statement[1]", "searchValue": "", "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", - "actualValue": "'statement.actions' contains '*' or 'iam:*'" + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -45,7 +48,8 @@ "searchKey": "aws_iam_policy_document[example].statement[2]", "searchValue": "", "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", - "actualValue": "'statement.actions' contains '*' or 'iam:*'" + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -57,7 +61,8 @@ "searchKey": "aws_iam_role_policy[positive3].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -69,7 +74,8 @@ "searchKey": "aws_iam_policy_document[example].statement", "searchValue": "", "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", - "actualValue": "'statement.actions' contains '*' or 'iam:*'" + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -81,7 +87,8 @@ "searchKey": "aws_iam_user_policy[positive4-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -93,7 +100,8 @@ "searchKey": "aws_iam_user_policy[positive4-2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -105,7 +113,8 @@ "searchKey": "aws_iam_group_policy[positive5-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -117,7 +126,8 @@ "searchKey": "aws_iam_group_policy[positive5-2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -129,7 +139,8 @@ "searchKey": "aws_iam_policy[positive6-1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", @@ -141,6 +152,7 @@ "searchKey": "aws_iam_policy[positive6-2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", - "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'" + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 223188e63ec..33272fffaf4 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_policy[positive1].policy", "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]" + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_policy[positive1].policy", "searchValue": "secretsmanager:GetSecretValue", "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -33,7 +35,8 @@ "searchKey": "aws_iam_policy[positive2].policy", "searchValue": "*", "expectedValue": "'positive2.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]" + "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -45,7 +48,8 @@ "searchKey": "aws_iam_group_policy[positive3].policy", "searchValue": "*", "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]" + "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -57,7 +61,8 @@ "searchKey": "aws_iam_group_policy[positive3].policy", "searchValue": "*", "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]" + "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -69,7 +74,8 @@ "searchKey": "aws_iam_user_policy[positive4].policy", "searchValue": "s3:GetObject", "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]" + "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -81,7 +87,8 @@ "searchKey": "aws_iam_user_policy[positive4].policy", "searchValue": "s3:GetObject", "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]" + "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -93,7 +100,8 @@ "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]" + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -105,7 +113,8 @@ "searchKey": "aws_iam_role_policy[positive5].policy", "searchValue": "ssm:GetParameters", "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", - "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]" + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -117,7 +126,8 @@ "searchKey": "aws_iam_policy_document[positive6].statement.actions", "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", - "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]" + "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -129,7 +139,8 @@ "searchKey": "aws_iam_policy_document[positive6_array].statement[0].actions", "searchValue": "s3:GetObject", "expectedValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' shouldn't contain illegal actions", - "actualValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' contains [s3:GetObject]" + "actualValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -141,7 +152,8 @@ "searchKey": "aws_iam_policy_document[positive6_array].statement[1].actions", "searchValue": "*", "expectedValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' shouldn't contain illegal actions", - "actualValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' contains [*]" + "actualValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", @@ -153,6 +165,7 @@ "searchKey": "iam_policy.policy", "searchValue": "secretsmanager:GetSecretValue", "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", - "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]" + "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index 972ef06895c..cc7624765a0 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_role[positive1].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", - "actualValue": "'assume_role_policy.Statement.Principal' contains '*'" + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_role[positive2].assume_role_policy", "searchValue": "", "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", - "actualValue": "'assume_role_policy.Statement.Principal' contains '*'" + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index ba1a9700051..bf1c6f00550 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_user_policy[positive3].policy", "searchValue": "", "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_policy[s3-permission].policy", "searchValue": "", "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'" + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -33,7 +35,8 @@ "searchKey": "aws_iam_policy_document[example-0]", "searchValue": "", "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", - "actualValue": "'statement.resources' and 'statement.actions' contain '*'" + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -45,7 +48,8 @@ "searchKey": "aws_iam_policy_document[example-1]", "searchValue": "", "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", - "actualValue": "'statement.resources' and 'statement.actions' contain '*'" + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", @@ -57,6 +61,7 @@ "searchKey": "aws_iam_policy_document[example-2]", "searchValue": "", "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", - "actualValue": "'statement.resources' and 'statement.actions' contain '*'" + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index fb4154fcd27..ef2db9cee20 100644 --- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[positive2].assume_role_policy.Principal.AWS", "searchValue": "", "expectedValue": "'assume_role_policy.Statement.Principal.AWS' should not contain ':root'", - "actualValue": "'assume_role_policy.Statement.Principal.AWS' contains ':root'" + "actualValue": "'assume_role_policy.Statement.Principal.AWS' contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json index eca5f595a0f..55434ce8013 100644 --- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role_policy[test_policy].policy", "searchValue": "", "expectedValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole shouldn't have Resource '*'", - "actualValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole has Resource '*'" + "actualValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole has Resource '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json index 4731bdf5e28..1d6f981cae2 100644 --- a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_role[positive1].assume_role_policy", "searchValue": "", "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", - "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'" + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Role With Full Privileges", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_role[positive2].assume_role_policy", "searchValue": "", "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", - "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'" + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json index e6c056029c5..9d4227b6086 100644 --- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user_policy[positive3].policy", "searchValue": "", "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", - "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false" + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index c0a23f6865a..5a376648e5f 100644 --- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_access_key[positive1].user", "searchValue": "", "expectedValue": "One Access Key associated with the same IAM User", - "actualValue": "More than one Access Key associated with the same IAM User" + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_access_key[positive2].user", "searchValue": "", "expectedValue": "One Access Key associated with the same IAM User", - "actualValue": "More than one Access Key associated with the same IAM User" + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json index 5824109ffb3..b31828a5d33 100644 --- a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user.example.name", "searchValue": "", "expectedValue": "aws_iam_user.example.name shouldn't have aws_iam_user_login_profile", - "actualValue": "aws_iam_user.example.name has aws_iam_user_login_profile" + "actualValue": "aws_iam_user.example.name has aws_iam_user_login_profile", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 133c71feebe..e5ac24fc395 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -21,7 +22,8 @@ "searchKey": "aws_launch_configuration[positive1_2].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -33,7 +35,8 @@ "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -45,7 +48,8 @@ "searchKey": "module[positive10_instance].metadata_options", "searchValue": "", "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined" + "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -57,7 +61,8 @@ "searchKey": "module[positive10_launch_config].metadata_options", "searchValue": "", "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined" + "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -69,7 +74,8 @@ "searchKey": "aws_instance[positive2_1].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_instance[positive2_1].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -81,7 +87,8 @@ "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -93,7 +100,8 @@ "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -105,7 +113,8 @@ "searchKey": "aws_instance[positive3_1].metadata_options", "searchValue": "", "expectedValue": "'aws_instance[positive3_1].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -117,7 +126,8 @@ "searchKey": "aws_launch_configuration[positive3_2].metadata_options", "searchValue": "", "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -129,7 +139,8 @@ "searchKey": "aws_launch_template[positive3_3].metadata_options", "searchValue": "", "expectedValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -141,7 +152,8 @@ "searchKey": "aws_instance[positive4_1]", "searchValue": "", "expectedValue": "'aws_instance[positive4_1].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'aws_instance[positive4_1].metadata_options' is not defined" + "actualValue": "'aws_instance[positive4_1].metadata_options' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -153,7 +165,8 @@ "searchKey": "aws_launch_configuration[positive4_2]", "searchValue": "", "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined" + "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -165,7 +178,8 @@ "searchKey": "aws_launch_template[positive4_3]", "searchValue": "", "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined" + "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -177,7 +191,8 @@ "searchKey": "aws_instance[positive5_1].metadata_options", "searchValue": "", "expectedValue": "'aws_instance[positive5_1].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_instance[positive5_1].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_instance[positive5_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -189,7 +204,8 @@ "searchKey": "aws_launch_configuration[positive5_2].metadata_options", "searchValue": "", "expectedValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -201,7 +217,8 @@ "searchKey": "aws_launch_template[positive5_3].metadata_options", "searchValue": "", "expectedValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' is not defined" + "actualValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -213,7 +230,8 @@ "searchKey": "module[positive6_instance].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -225,7 +243,8 @@ "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -237,7 +256,8 @@ "searchKey": "module[positive7_instance].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -249,7 +269,8 @@ "searchKey": "module[positive7_launch_config].metadata_options.http_tokens", "searchValue": "", "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'" + "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -261,7 +282,8 @@ "searchKey": "module[positive8_instance].metadata_options", "searchValue": "", "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined" + "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -273,7 +295,8 @@ "searchKey": "module[positive8_launch_config].metadata_options", "searchValue": "", "expectedValue": "'module[positive8_launch_config].metadata_options.http_tokens' should be defined to 'required'", - "actualValue": "'module[positive8_launch_config].metadata_options.http_tokens' is not defined" + "actualValue": "'module[positive8_launch_config].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -285,7 +308,8 @@ "searchKey": "module[positive9_instance]", "searchValue": "", "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'module[positive9_instance].metadata_options' is not defined" + "actualValue": "'module[positive9_instance].metadata_options' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -297,6 +321,7 @@ "searchKey": "module[positive9_launch_config]", "searchValue": "", "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'", - "actualValue": "'module[positive9_launch_config].metadata_options' is not defined" + "actualValue": "'module[positive9_launch_config].metadata_options' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json index 7148f481e49..c804a933422 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[positive1]", "searchValue": "", "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", - "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", @@ -21,6 +22,7 @@ "searchKey": "module[ec2_instance]", "searchValue": "", "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", - "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null" + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 1ddedae021d..f8cd0c8c805 100644 --- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kinesis_stream[positive1]", "searchValue": "", "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set", - "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined" + "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -21,7 +22,8 @@ "searchKey": "aws_kinesis_stream[positive2].encryption_type", "searchValue": "", "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE", - "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE" + "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis Not Encrypted With KMS", @@ -33,6 +35,7 @@ "searchKey": "aws_kinesis_stream[positive3]", "searchValue": "", "expectedValue": "aws_kinesis_stream[positive3].kms_key_id should be set", - "actualValue": "aws_kinesis_stream[positive3].kms_key_id is undefined" + "actualValue": "aws_kinesis_stream[positive3].kms_key_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json index 90e97ea4742..8197b9736aa 100644 --- a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]", "searchValue": "", "expectedValue": "Attribute 'server_side_encryption' should be set", - "actualValue": "Attribute 'server_side_encryption' is undefined" + "actualValue": "Attribute 'server_side_encryption' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis SSE Not Configured", @@ -21,7 +22,8 @@ "searchKey": "aws_kinesis_firehose_delivery_stream[positive3].server_side_encryption.enabled", "searchValue": "", "expectedValue": "Attribute 'server_side_encryption' should be enabled", - "actualValue": "Attribute 'server_side_encryption' is not enabled" + "actualValue": "Attribute 'server_side_encryption' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis SSE Not Configured", @@ -33,7 +35,8 @@ "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type", "searchValue": "", "expectedValue": "Attribute 'key_type' should be valid", - "actualValue": "Attribute 'key_type' is invalid" + "actualValue": "Attribute 'key_type' is invalid", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis SSE Not Configured", @@ -45,6 +48,7 @@ "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption", "searchValue": "", "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 'key_arn' should be set", - "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined" + "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json index 6ad5b9e6a53..96b8e50b759 100644 --- a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kms_key[positive1].policy", "searchValue": "", "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -21,7 +22,8 @@ "searchKey": "aws_kms_key[positive1].policy", "searchValue": "", "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", @@ -33,6 +35,7 @@ "searchKey": "aws_kms_key[positive3]", "searchValue": "", "expectedValue": "aws_kms_key[positive3].policy should be defined and not null", - "actualValue": "aws_kms_key[positive3].policy is undefined or null" + "actualValue": "aws_kms_key[positive3].policy is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json index a9f8e572bb1..03500191e9c 100644 --- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kms_key[positive1]", "searchValue": "", "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid", - "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined" + "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined", + "issueType": "MissingAttribute" }, { "queryName": "KMS Key With No Deletion Window", @@ -21,6 +22,7 @@ "searchKey": "aws_kms_key[positive2].deletion_window_in_days", "searchValue": "", "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid", - "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid" + "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index c83001fc2fe..b4ef345fefe 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lambda_function[positivefunction1].role", "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Function With Privileged Role", @@ -21,7 +22,8 @@ "searchKey": "aws_lambda_function[positivefunction1].role", "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Function With Privileged Role", @@ -33,7 +35,8 @@ "searchKey": "aws_lambda_function[positivefunction1].role", "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Function With Privileged Role", @@ -45,7 +48,8 @@ "searchKey": "aws_lambda_function[positivefunction1].role", "searchValue": "positiverole1/positiveinlinepolicy1/0", "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", - "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'" + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Function With Privileged Role", @@ -57,6 +61,7 @@ "searchKey": "aws_lambda_function[positivefunction2].role", "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]", "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions", - "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'." + "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index 67416c9f06b..5410419b6b4 100644 --- a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lambda_function[lambda_without_dlq]", "searchValue": "", "expectedValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' should be defined and not null", - "actualValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' is undefined or null" + "actualValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Dead Letter Queue", @@ -21,7 +22,8 @@ "searchKey": "aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn", "searchValue": "", "expectedValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' should be defined and not empty", - "actualValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' is empty" + "actualValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' is empty", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Dead Letter Queue", @@ -33,7 +35,8 @@ "searchKey": "module[lambda_with_incomplete_dlq]", "searchValue": "", "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not null", - "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null" + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Function Without Dead Letter Queue", @@ -45,6 +48,7 @@ "searchKey": "module[lambda_with_incomplete_dlq].dead_letter_target_arn", "searchValue": "", "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty", - "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty" + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 6a3539f69ad..bfeb45022b5 100644 --- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_lambda_function[test_lambda2].tracing_config.mode", "searchValue": "", "expectedValue": "aws_lambda_function[test_lambda2].tracing_config.mode should be set to 'Active'", - "actualValue": "aws_lambda_function[test_lambda2].tracing_config.mode is set to 'PassThrough'" + "actualValue": "aws_lambda_function[test_lambda2].tracing_config.mode is set to 'PassThrough'", + "issueType": "IncorrectValue" }, { "queryName": "Lambda Functions Without X-Ray Tracing", @@ -21,6 +22,7 @@ "searchKey": "aws_lambda_function[test_lambda3]", "searchValue": "", "expectedValue": "aws_lambda_function[test_lambda3].tracing_config should be defined and not null", - "actualValue": "aws_lambda_function[test_lambda3].tracing_config is undefined or null" + "actualValue": "aws_lambda_function[test_lambda3].tracing_config is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json index 052b3c4eaf0..e71a2c79515 100644 --- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_policy[positive1policy].policy", "searchValue": "", "expectedValue": "[positive1policy].policy should be misconfigured", - "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_policy[positive2policy].policy", "searchValue": "", "expectedValue": "[positive2policy].policy should be misconfigured", - "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -33,7 +35,8 @@ "searchKey": "aws_iam_policy[positive3policy].policy", "searchValue": "", "expectedValue": "[positive3policy].policy should be misconfigured", - "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -45,7 +48,8 @@ "searchKey": "aws_iam_policy[positive4policy].policy", "searchValue": "", "expectedValue": "[positive4policy].policy should be misconfigured", - "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -57,7 +61,8 @@ "searchKey": "aws_iam_policy[positive5policy].policy", "searchValue": "", "expectedValue": "[positive5policy].policy should be misconfigured", - "actualValue": "[positive5policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive5policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" }, { "queryName": "Lambda IAM InvokeFunction Misconfigured", @@ -69,6 +74,7 @@ "searchKey": "aws_iam_policy[positive6policy].policy", "searchValue": "", "expectedValue": "[positive6policy].policy should be misconfigured", - "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name" + "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json index e2062a47879..499f9e699ea 100644 --- a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_lambda_permission[positive1].action", "searchValue": "", "expectedValue": "aws_lambda_permission[name].action should be 'lambda:InvokeFunction'%!(EXTRA string=positive1)", - "actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)" + "actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 64c72a56c5e..03be7124099 100644 --- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_lambda_permission[positive1].principal", "searchValue": "", "expectedValue": "aws_lambda_permission[positive1].principal shouldn't contain a wildcard", - "actualValue": "aws_lambda_permission[positive1].principal contains a wildcard" + "actualValue": "aws_lambda_permission[positive1].principal contains a wildcard", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json index f5acc0f9159..1add9b096aa 100644 --- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_lambda_permission[all].action", "searchValue": "", "expectedValue": "aws_lambda_permission[all].action should not have wildcard", - "actualValue": "aws_lambda_permission[all].action has wildcard" + "actualValue": "aws_lambda_permission[all].action has wildcard", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index c124b17d0c5..0aee23580d3 100644 --- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_account_password_policy[positive1].max_password_age", "searchValue": "", "expectedValue": "'max_password_age' should be lower than 90", - "actualValue": "'max_password_age' is higher than 90" + "actualValue": "'max_password_age' is higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Misconfigured Password Policy Expiration", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_account_password_policy[positive2]", "searchValue": "", "expectedValue": "'max_password_age' should exist", - "actualValue": "'max_password_age' is missing" + "actualValue": "'max_password_age' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json index b2f85ef073f..193b3e65f83 100755 --- a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_eks_cluster[positive1].enabled_cluster_log_types", "searchValue": "", "expectedValue": "'enabled_cluster_log_types' has all log types", - "actualValue": "'enabled_cluster_log_types' has missing log types" + "actualValue": "'enabled_cluster_log_types' has missing log types", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index bee4623dde4..cab23350503 100644 --- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_mq_broker[positive1].publicly_accessible", "searchValue": "", "expectedValue": "'publicly_accessible' should be undefined or set to false", - "actualValue": "'publicly_accessible' is set to true" + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 3e131a2ae03..9dcd2dc8799 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_mq_broker[positive1]", "searchValue": "", "expectedValue": "'logs' should be set and enabling general AND audit logging", - "actualValue": "'logs' is undefined" + "actualValue": "'logs' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_mq_broker[positive2].logs", "searchValue": "", "expectedValue": "'general' and 'audit' logging should be set to true", - "actualValue": "'general' and/or 'audit' is undefined" + "actualValue": "'general' and/or 'audit' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_mq_broker[positive3].logs.general", "searchValue": "", "expectedValue": "'general' and 'audit' logging should be set to true", - "actualValue": "'general' is set to false" + "actualValue": "'general' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index 64470411842..1d9dc8cc348 100644 --- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type", "searchValue": "", "expectedValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type should be set to 'DISABLED' or undefined", - "actualValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type is set to 'SERVICE_PROVIDED_EIPS'" + "actualValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index ffe11b747bc..23a5bc1e110 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "msk_cluster[positive1]", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", - "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", - "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", - "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker", "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", - "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'" + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 2f55151a57e..80e2cda9a3d 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled", "searchValue": "", "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", - "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false" + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", "searchValue": "", "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", - "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing" + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_msk_cluster[positive2]", "searchValue": "", "expectedValue": "'rule.logging_info' should exist", - "actualValue": "'rule.logging_info' does not exist" + "actualValue": "'rule.logging_info' does not exist", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json index 7cb2e58e1bd..2100e30b045 100644 --- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_neptune_cluster_instance[example].publicly_accessible", "searchValue": "", "expectedValue": "aws_neptune_cluster_instance[example].publicly_accessible should be set to false", - "actualValue": "aws_neptune_cluster_instance[example].publicly_accessible is set to true" + "actualValue": "aws_neptune_cluster_instance[example].publicly_accessible is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index 2873cc599eb..baaed3ac89a 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_neptune_cluster[positive1]", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is undefined" + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", "searchValue": "", "expectedValue": "'iam_database_authentication_enabled' should be set to true", - "actualValue": "'iam_database_authentication_enabled' is set to false" + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 8280dba1df5..a57d188a5ab 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_neptune_cluster[positive1]", "searchValue": "", "expectedValue": "'storage_encrypted' should be set with value true", - "actualValue": "'storage_encrypted' is undefined" + "actualValue": "'storage_encrypted' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", "searchValue": "", "expectedValue": "'storage_encrypted' should be true", - "actualValue": "'storage_encrypted' is false" + "actualValue": "'storage_encrypted' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json index 45a1be23cdd..0ebe9387ad9 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_neptune_cluster[{{postive1}}]", "searchValue": "", "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", - "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined" + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_neptune_cluster[{{postive2}}].enable_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", - "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is empty" + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", - "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit" + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", @@ -45,6 +48,7 @@ "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", - "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit" + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json index ec99799dc41..b393a658ecc 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_network_acl[positive1].ingress", "searchValue": "", "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", - "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public" + "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", @@ -21,7 +22,8 @@ "searchKey": "aws_network_acl_rule[postive2]", "searchValue": "", "expectedValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) should not be public", - "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public" + "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", @@ -33,7 +35,8 @@ "searchKey": "aws_network_acl[positive3].ingress", "searchValue": "", "expectedValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) should not be public", - "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public" + "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", @@ -45,6 +48,7 @@ "searchKey": "module[vpc].default_network_acl_ingress", "searchValue": "", "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", - "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public" + "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 5e2a34db643..9f8431a1b0d 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_network_acl[positive1].ingress", "searchValue": "", "expectedValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) should not be public", - "actualValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) is public" + "actualValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To SSH", @@ -21,7 +22,8 @@ "searchKey": "aws_network_acl_rule[postive2]", "searchValue": "", "expectedValue": "aws_network_acl[postive2] 'SSH' (TCP:22) should not be public", - "actualValue": "aws_network_acl[postive2] 'SSH' (TCP:22) is public" + "actualValue": "aws_network_acl[postive2] 'SSH' (TCP:22) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To SSH", @@ -33,7 +35,8 @@ "searchKey": "aws_network_acl[positive3].ingress", "searchValue": "", "expectedValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) should not be public", - "actualValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) is public" + "actualValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To SSH", @@ -45,6 +48,7 @@ "searchKey": "module[vpc].default_network_acl_ingress", "searchValue": "", "expectedValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) should not be public", - "actualValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) is public" + "actualValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json index f644ea9a2fd..347a7c459b9 100644 --- a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", "searchValue": "", "expectedValue": "Attribute 'password_reset_required' should be true", - "actualValue": "Attribute 'password_reset_required' is false" + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", @@ -21,7 +22,8 @@ "searchKey": "aws_iam_user_login_profile[positive3].password_length", "searchValue": "", "expectedValue": "Attribute 'password_length' should be 14 or greater", - "actualValue": "Attribute 'password_length' is smaller than 14" + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", @@ -33,7 +35,8 @@ "searchKey": "aws_iam_user_login_profile[positive6].password_length", "searchValue": "", "expectedValue": "Attribute 'password_length' should be 14 or greater", - "actualValue": "Attribute 'password_length' is smaller than 14" + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", @@ -45,7 +48,8 @@ "searchKey": "aws_iam_user_login_profile[positive7].password_reset_required", "searchValue": "", "expectedValue": "Attribute 'password_reset_required' should be true", - "actualValue": "Attribute 'password_reset_required' is false" + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", @@ -57,6 +61,7 @@ "searchKey": "aws_iam_user_login_profile[positive7].password_length", "searchValue": "", "expectedValue": "Attribute 'password_length' should be 14 or greater", - "actualValue": "Attribute 'password_length' is smaller than 14" + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json index 79e34ffe9a1..8b1d93f1cce 100644 --- a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudformation_stack[positive1]", "searchValue": "", "expectedValue": "Attribute 'policy_body' or Attribute 'policy_url' should be set", - "actualValue": "Both Attribute 'policy_body' and Attribute 'policy_url' are undefined" + "actualValue": "Both Attribute 'policy_body' and Attribute 'policy_url' are undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json index 06d53a4ba48..9a10bd76ce5 100644 --- a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_account_password_policy[positive1].password_reuse_prevention", "searchValue": "", "expectedValue": "'password_reuse_prevention' should be 24", - "actualValue": "'password_reuse_prevention' is lower than 24" + "actualValue": "'password_reuse_prevention' is lower than 24", + "issueType": "IncorrectValue" }, { "queryName": "Password Without Reuse Prevention", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_account_password_policy[positive2]", "searchValue": "", "expectedValue": "'password_reuse_prevention' should be set with value 24", - "actualValue": "'password_reuse_prevention' is undefined" + "actualValue": "'password_reuse_prevention' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json index 464291507d2..c3258440288 100644 --- a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_kms_key[secure_policy].policy", "searchValue": "", "expectedValue": "'Principal' should be defined", - "actualValue": "'Principal' is undefined" + "actualValue": "'Principal' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json index a5f2ffb0773..bd26a8dc33a 100644 --- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value" + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_statement has the wrong value" + "actualValue": "aws_db_parameter_group's log_statement has the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", - "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value" + "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_db_parameter_group.postgres_logging", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" }, { "queryName": "Postgres RDS logging disabled", @@ -57,7 +61,8 @@ "searchKey": "aws_db_parameter_group.example", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" }, { "queryName": "Postgres RDS logging disabled", @@ -69,6 +74,7 @@ "searchKey": "aws_db_parameter_group.example", "searchValue": "", "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", - "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined" + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json index 68372ed1039..a6999e6920b 100644 --- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_instance[pub_ins].iam_instance_profile", "searchValue": "", "expectedValue": "Public and private instances should not share the same role", - "actualValue": "Public and private instances share the same role" + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue" }, { "queryName": "Public and Private EC2 Share Role", @@ -21,6 +22,7 @@ "searchKey": "module[ec2_public_instance].iam_instance_profile", "searchValue": "", "expectedValue": "Public and private instances should not share the same role", - "actualValue": "Public and private instances share the same role" + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 0a473b8b38a..868f22c0e3b 100755 --- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_lambda_permission[apigw].source_arn", "searchValue": "", "expectedValue": "'source_arn' should not equal '/*/*'", - "actualValue": "'source_arn' is equal '/*/*'" + "actualValue": "'source_arn' is equal '/*/*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index a7f9330f110..b555fb423ee 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].db_subnet_group_name", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", - "actualValue": "RDS is running in a public subnet" + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" }, { "queryName": "RDS Associated with Public Subnet", @@ -21,6 +22,7 @@ "searchKey": "aws_db_instance[positive2].db_subnet_group_name", "searchValue": "", "expectedValue": "RDS should not be running in a public subnet", - "actualValue": "RDS is running in a public subnet" + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json index 996b5495d93..623d36527c8 100644 --- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_rds_cluster[{{postgresql}}]", "searchValue": "", "expectedValue": "aws_rds_cluster.backup_retention_period should be defined and not null", - "actualValue": "aws_rds_cluster.backup_retention_period is undefined or null" + "actualValue": "aws_rds_cluster.backup_retention_period is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json index e76d9bbe638..4835dfbd999 100644 --- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_cluster_snapshot[positive1]", "searchValue": "", "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted", - "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted" + "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted", + "issueType": "IncorrectValue" }, { "queryName": "RDS Database Cluster not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_db_cluster_snapshot[positive2]", "searchValue": "", "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted", - "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted" + "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 99682da0ed1..d1b8463fdac 100644 --- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].publicly_accessible", "searchValue": "", "expectedValue": "'publicly_accessible' should be set to false or undefined", - "actualValue": "'publicly_accessible' is set to true" + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "module[db].publicly_accessible", "searchValue": "", "expectedValue": "'publicly_accessible' should be set to false or undefined", - "actualValue": "'publicly_accessible' is set to true" + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json index b57858d721a..c8e95930463 100644 --- a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_rds_cluster[positive1]", "searchValue": "", "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", - "actualValue": "aws_rds_cluster.storage_encrypted is undefined" + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_rds_cluster[positive3].storage_encrypted", "searchValue": "", "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", - "actualValue": "aws_rds_cluster.storage_encrypted is set to false" + "actualValue": "aws_rds_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json index 6fbd7bdd5ff..24b763e3ad6 100644 --- a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].port", "searchValue": "", "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", - "actualValue": "aws_db_instance[positive1].port is set to 3306" + "actualValue": "aws_db_instance[positive1].port is set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -21,7 +22,8 @@ "searchKey": "aws_db_instance[positive2].port", "searchValue": "", "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", - "actualValue": "aws_db_instance[positive2].port is set to 5432" + "actualValue": "aws_db_instance[positive2].port is set to 5432", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -33,7 +35,8 @@ "searchKey": "aws_db_instance[positive3].port", "searchValue": "", "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", - "actualValue": "aws_db_instance[positive3].port is set to 1521" + "actualValue": "aws_db_instance[positive3].port is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", @@ -45,6 +48,7 @@ "searchKey": "aws_db_instance[positive4].port", "searchValue": "", "expectedValue": "aws_db_instance[positive4].port should not be set to 1433", - "actualValue": "aws_db_instance[positive4].port is set to 1433" + "actualValue": "aws_db_instance[positive4].port is set to 1433", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 1d71fb67662..2796e8ba858 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1].backup_retention_period", "searchValue": "", "expectedValue": "'backup_retention_period' should not equal '0'", - "actualValue": "'backup_retention_period' is equal '0'" + "actualValue": "'backup_retention_period' is equal '0'", + "issueType": "IncorrectValue" }, { "queryName": "RDS With Backup Disabled", @@ -21,7 +22,8 @@ "searchKey": "module[db].backup_retention_period", "searchValue": "", "expectedValue": "'backup_retention_period' should not equal '0'", - "actualValue": "'backup_retention_period' is equal '0'" + "actualValue": "'backup_retention_period' is equal '0'", + "issueType": "IncorrectValue" }, { "queryName": "RDS With Backup Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_db_instance[positive1]", "searchValue": "", "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", - "actualValue": "'backup_retention_period' is not defined" + "actualValue": "'backup_retention_period' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS With Backup Disabled", @@ -45,6 +48,7 @@ "searchKey": "module[db]", "searchValue": "", "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", - "actualValue": "'backup_retention_period' is not defined" + "actualValue": "'backup_retention_period' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json index 2cd70ffe5e3..a5101e12b89 100644 --- a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_db_instance[positive1]", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", - "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Without Logging", @@ -21,7 +22,8 @@ "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", - "actualValue": "'enabled_cloudwatch_logs_exports' is empty" + "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue" }, { "queryName": "RDS Without Logging", @@ -33,7 +35,8 @@ "searchKey": "module[db]", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", - "actualValue": "'enabled_cloudwatch_logs_exports' is undefined" + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Without Logging", @@ -45,6 +48,7 @@ "searchKey": "module[db].enabled_cloudwatch_logs_exports", "searchValue": "", "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", - "actualValue": "'enabled_cloudwatch_logs_exports' is empty" + "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json index 88331d705b4..9f268ac8d3a 100644 --- a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resource.aws_elasticache_cluster[positive1].engine", "searchValue": "", "expectedValue": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", - "actualValue": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis" + "actualValue": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json index 7061cabe7bf..ce218010e5e 100644 --- a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_elasticache_cluster[positive1].engine_version", "searchValue": "", "expectedValue": "aws_elasticache_cluster[positive1].engine_version should be compliant with the requirements", - "actualValue": "aws_elasticache_cluster[positive1].engine_version isn't compliant with the requirements" + "actualValue": "aws_elasticache_cluster[positive1].engine_version isn't compliant with the requirements", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index 3ddeaa127c5..0402077cf2d 100644 --- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_redshift_cluster[positive1].logging.enable", "searchValue": "", "expectedValue": "'aws_redshift_cluster.logging' should be true", - "actualValue": "'aws_redshift_cluster.logging' is false" + "actualValue": "'aws_redshift_cluster.logging' is false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_redshift_cluster[positive2]", "searchValue": "", "expectedValue": "'aws_redshift_cluster.logging' should be true", - "actualValue": "'aws_redshift_cluster.logging' is undefined" + "actualValue": "'aws_redshift_cluster.logging' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 611c2843e92..867af4da97a 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "cluster_subnet_group_name", "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", - "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined" + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", @@ -21,6 +22,7 @@ "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "vpc_security_group_ids", "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", - "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined" + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json index 1838316ef92..f000b61b61f 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "", "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null", - "actualValue": "aws_redshift_cluster.encrypted is undefined or null" + "actualValue": "aws_redshift_cluster.encrypted is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_redshift_cluster[positive2].encrypted", "searchValue": "", "expectedValue": "aws_redshift_cluster.encrypted should be set to false", - "actualValue": "aws_redshift_cluster.encrypted is true" + "actualValue": "aws_redshift_cluster.encrypted is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json index 475a4a6e7b1..dcceb19d953 100644 --- a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "", "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", - "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null" + "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", "searchValue": "", "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", - "actualValue": "aws_redshift_cluster.publicly_accessible is true" + "actualValue": "aws_redshift_cluster.publicly_accessible is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json index 1b2e553b8f4..ca4d0e8d381 100644 --- a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_redshift_cluster[positive1]", "searchValue": "", "expectedValue": "aws_redshift_cluster.port should be defined and not null", - "actualValue": "aws_redshift_cluster.port is undefined or null" + "actualValue": "aws_redshift_cluster.port is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", @@ -21,6 +22,7 @@ "searchKey": "aws_redshift_cluster[positive2].port", "searchValue": "", "expectedValue": "aws_redshift_cluster.port should not be set to 5439", - "actualValue": "aws_redshift_cluster.port is set to 5439" + "actualValue": "aws_redshift_cluster.port is set to 5439", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 1b2f12fb396..dcecda069b3 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-5].ingress opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-5].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)" + "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -93,7 +100,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the remote desktop port (3389)" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)" + "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -129,7 +139,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", - "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)" + "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -141,7 +152,8 @@ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -153,7 +165,8 @@ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -165,7 +178,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -177,7 +191,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -189,7 +204,8 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", @@ -201,6 +217,7 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json index 2f9752f1056..252f97e0f89 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_acm_certificate[{{cert}}]", "searchValue": "", "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null", - "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null" + "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Resource Not Using Tags", @@ -21,6 +22,7 @@ "searchKey": "aws_acm_certificate[{{cert_2}}].tags", "searchValue": "", "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'", - "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'" + "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json index 2f50451221e..0ae120d8523 100644 --- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_api_gateway_rest_api_policy[test].policy", "searchValue": "", "expectedValue": "aws_api_gateway_rest_api_policy[test].policy should not have wildcard in 'Action' and 'Principal'", - "actualValue": "aws_api_gateway_rest_api_policy[test].policy has wildcard in 'Action' or 'Principal'" + "actualValue": "aws_api_gateway_rest_api_policy[test].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index 346ad53db77..2c23b6c1b3b 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index b8aa0eea650..43216084773 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index 5c51971ad56..923adfa5b97 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 0c5076fb9fe..1bf48cf0ed7 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 49ea6c17007..4e57e3d1e8b 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 305c71805ad..d256f74e075 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index efb1c9dd352..fa0a4099e5c 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index e1d81329d60..f5a48046cda 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index 9d798ec4014..60233503bfe 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 47105681bc7..46103b35ea7 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 2aa287cdfcf..03dd540192a 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json index 0a6877fa64f..336dad4c267 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index 9cd0ad6703a..26fd8683c01 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index c89df2361a1..f3a8389c6aa 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 1dc78bdb5d2..7ff2299fddb 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 0b6a24e2c12..41be0b979ea 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index 0069f76ecb9..279abc96275 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index fd11bdc17a1..8ed2d75fbd5 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index ad32b6503e8..b33507c1625 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_role[cosmic]", "searchValue": "", "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", - "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json index ccdf898a4d7..557b13d8c2b 100644 --- a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_iam_access_key[positive1]", "searchValue": "", "expectedValue": "'aws_iam_access_key[positive1].status' should be defined and set to 'Inactive'", - "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'" + "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'", + "issueType": "MissingAttribute" }, { "queryName": "Root Account Has Active Access Keys", @@ -21,6 +22,7 @@ "searchKey": "aws_iam_access_key[positive2].status", "searchValue": "", "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'", - "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'" + "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json index 65d6c98fc0f..286f8979730 100644 --- a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_route53_record[example].records", "searchValue": "", "expectedValue": "aws_route53_record.records should be defined", - "actualValue": "aws_route53_record.records is undefined" + "actualValue": "aws_route53_record.records is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 2432cba3b11..fcd7b9b0f1e 100644 --- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[positive1].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive1].policy.Principal should not equal to, nor contain '*'", - "actualValue": "aws_s3_bucket_policy[positive1].policy.Principal is equal to or contains '*'" + "actualValue": "aws_s3_bucket_policy[positive1].policy.Principal is equal to or contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", @@ -21,6 +22,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Principal' should not equal to, nor contain '*'", - "actualValue": "'policy.Principal' is equal to or contains '*'" + "actualValue": "'policy.Principal' is equal to or contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 1582f0b709d..e19041b5117 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].acl=public-read", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read'" + "actualValue": "'acl' is equal 'public-read'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[positive2].acl=public-read-write", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read-write'" + "actualValue": "'acl' is equal 'public-read-write'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read'" + "actualValue": "'acl' is equal 'public-read'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -45,7 +48,8 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "'acl' should equal to 'private'", - "actualValue": "'acl' is equal 'public-read-write'" + "actualValue": "'acl' is equal 'public-read-write'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -57,7 +61,8 @@ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", - "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)" + "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", @@ -69,6 +74,7 @@ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", - "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)" + "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 8619423f1d7..44a7b9e1be7 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].acl", "searchValue": "", "expectedValue": "aws_s3_bucket[positive1].acl should be private", - "actualValue": "aws_s3_bucket[positive1].acl is authenticated-read" + "actualValue": "aws_s3_bucket[positive1].acl is authenticated-read", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "'acl' should be private", - "actualValue": "'acl' is authenticated-read" + "actualValue": "'acl' is authenticated-read", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", @@ -33,6 +35,7 @@ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", - "actualValue": "aws_s3_bucket_acl[example_bucket_acl].acl is authenticated-read" + "actualValue": "aws_s3_bucket_acl[example_bucket_acl].acl is authenticated-read", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json index bc6051dbe53..3c51e4cf41e 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant.permission", "searchValue": "", "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", - "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl" + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission", @@ -21,6 +22,7 @@ "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant[1].permission", "searchValue": "", "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", - "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl" + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index a9aed14a579..630a35cb95d 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[positive1].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive1].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive1].policy.Action is a 'Delete' action" + "actualValue": "aws_s3_bucket_policy[positive1].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket_policy[positive2].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action" + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'Delete' action", - "actualValue": "'policy.Statement.Action' is a 'Delete' action" + "actualValue": "'policy.Statement.Action' is a 'Delete' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -45,7 +48,8 @@ "searchKey": "aws_s3_bucket_policy[positive4].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive4].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive4].policy.Action is a 'Delete' action" + "actualValue": "aws_s3_bucket_policy[positive4].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -57,7 +61,8 @@ "searchKey": "aws_s3_bucket_policy[positive5].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive5].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action" + "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", @@ -69,6 +74,7 @@ "searchKey": "aws_s3_bucket_policy[positive6].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action", - "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action" + "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index 458993abfc3..482ac304458 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[positive2].policy.Action", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Get' action", - "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Get' action" + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Get' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket_policy[positive3].policy.Action", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive3].policy.Action should not be a 'Get' action", - "actualValue": "aws_s3_bucket_policy[positive3].policy.Action is a 'Get' action" + "actualValue": "aws_s3_bucket_policy[positive3].policy.Action is a 'Get' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", @@ -33,6 +35,7 @@ "searchKey": "module[s3_bucket].policy.Action", "searchValue": "", "expectedValue": "module[s3_bucket].policy.Action should not be a 'Get' action", - "actualValue": "module[s3_bucket].policy.Action is a 'Get' action" + "actualValue": "module[s3_bucket].policy.Action is a 'Get' action", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 066acf83d99..1929e85a5a7 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", - "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket_policy[positive2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", - "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", @@ -33,6 +35,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", - "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'" + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index 6d1e2a33b63..80f3fa1d260 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_public_access_block[positive2].block_public_acls", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is equal 'false'" + "actualValue": "'block_public_acls' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket_public_access_block[positive3]", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is missing" + "actualValue": "'block_public_acls' is missing", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].block_public_acls", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is equal 'false'" + "actualValue": "'block_public_acls' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public ACL", @@ -45,6 +48,7 @@ "searchKey": "module[s3_bucket]", "searchValue": "", "expectedValue": "'block_public_acls' should equal 'true'", - "actualValue": "'block_public_acls' is missing" + "actualValue": "'block_public_acls' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index d4a9aa2a2f5..0e611f16da9 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[positive1].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action should not be a 'Put' action", - "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action" + "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket_policy[positive2].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action should not be a 'Put' action", - "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action" + "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Put Action From All Principals", @@ -33,6 +35,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not be a 'Put' action", - "actualValue": "'policy.Statement.Action' is a 'Put' action" + "actualValue": "'policy.Statement.Action' is a 'Put' action", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 6b6c57f96a6..0e3070b7b24 100644 --- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1]", "searchValue": "", "expectedValue": "'logging' should be defined and not null", - "actualValue": "'logging' is undefined or null" + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Logging Disabled", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket]", "searchValue": "", "expectedValue": "'logging' should be defined and not null", - "actualValue": "'logging' is undefined or null" + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Logging Disabled", @@ -33,6 +35,7 @@ "searchKey": "aws_s3_bucket[examplee]", "searchValue": "", "expectedValue": "'logging' should be defined and not null", - "actualValue": "'logging' is undefined or null" + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json index 20c56317982..09b4c0f55bf 100644 --- a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic[topic2]", "searchValue": "", "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_sns_topic[topic1]", "searchValue": "", "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", - "actualValue": "'aws_s3_bucket_notification' is undefined or null" + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_sqs_queue[queue]", "searchValue": "", "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", - "actualValue": "'aws_s3_bucket_notification' is undefined or null" + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -45,7 +48,8 @@ "searchKey": "aws_lambda_function[func]", "searchValue": "", "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", - "actualValue": "'aws_s3_bucket_notification' is undefined or null" + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -57,7 +61,8 @@ "searchKey": "aws_sqs_queue[queue2]", "searchValue": "", "expectedValue": "aws_sqs_queue.queue2 should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sqs_queue.queue2 is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sqs_queue.queue2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -69,7 +74,8 @@ "searchKey": "aws_lambda_function[func2]", "searchValue": "", "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -81,7 +87,8 @@ "searchKey": "aws_sns_topic[topic]", "searchValue": "", "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -93,7 +100,8 @@ "searchKey": "aws_sqs_queue[queue]", "searchValue": "", "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -105,7 +113,8 @@ "searchKey": "aws_lambda_function[func]", "searchValue": "", "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -117,7 +126,8 @@ "searchKey": "aws_sns_topic[topic]", "searchValue": "", "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -129,7 +139,8 @@ "searchKey": "aws_sqs_queue[queue]", "searchValue": "", "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" }, { "queryName": "S3 bucket notifications disabled", @@ -141,6 +152,7 @@ "searchKey": "aws_lambda_function[func]", "searchValue": "", "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", - "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification " + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json index 24aec265596..55424177865 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudtrail[example].event_selector", "searchValue": "", "expectedValue": "'read_write_type' should be defined and not null", - "actualValue": "'read_write_type' is undefined or null" + "actualValue": "'read_write_type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudtrail[example2].event_selector.read_write_type", "searchValue": "", "expectedValue": "'read_write_type' should be set to 'All'", - "actualValue": "'read_write_type' is not set to 'All'" + "actualValue": "'read_write_type' is not set to 'All'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json index deed22ebeff..4f2ec42d08b 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_s3_bucket_object[{{examplebucket_object}}]", "searchValue": "", "expectedValue": "aws_s3_bucket_object.server_side_encryption should be defined and not null", - "actualValue": "aws_s3_bucket_object.server_side_encryption is undefined or null" + "actualValue": "aws_s3_bucket_object.server_side_encryption is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json index 32aaa3b7b09..0ddc5a50dc1 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_policy[b].policy", "searchValue": "", "expectedValue": "aws_s3_bucket_policy[b].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket_policy[b].policy accepts HTTP Requests" + "actualValue": "aws_s3_bucket_policy[b].policy accepts HTTP Requests", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[b2].policy", "searchValue": "", "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests" + "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy' should not accept HTTP Requests", - "actualValue": "'policy' accepts HTTP Requests" + "actualValue": "'policy' accepts HTTP Requests", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", @@ -45,7 +48,8 @@ "searchKey": "aws_s3_bucket[pos4].policy", "searchValue": "", "expectedValue": "aws_s3_bucket[pos4].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket[pos4].policy accepts HTTP Requests" + "actualValue": "aws_s3_bucket[pos4].policy accepts HTTP Requests", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", @@ -57,6 +61,7 @@ "searchKey": "aws_s3_bucket[pos5].policy", "searchValue": "", "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests", - "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests" + "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json index 31d6704f57c..054a3e1ba03 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[public-bucket].acl", "searchValue": "", "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", - "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block" + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket].acl", "searchValue": "", "expectedValue": "S3 Bucket public ACL to not be overridden by public access block", - "actualValue": "S3 Bucket public ACL is overridden by public access block" + "actualValue": "S3 Bucket public ACL is overridden by public access block", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", @@ -33,6 +35,7 @@ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", "searchValue": "", "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", - "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block" + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 6d21930a357..f1e2e3947b9 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].policy", "searchValue": "", "expectedValue": "'policy.Statement' should not allow all actions to all principal", - "actualValue": "'policy.Statement' allows all actions to all principal" + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket With All Permissions", @@ -21,6 +22,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement' should not allow all actions to all principal", - "actualValue": "'policy.Statement' allows all actions to all principal" + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 2b1eebb8aaf..19ac05aff02 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_account_public_access_block[allow_public_acc]", "searchValue": "", "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)" + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -33,7 +35,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -45,7 +48,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public]", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -57,7 +61,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public]", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -69,7 +74,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -81,7 +87,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public]", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -93,7 +100,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -105,7 +113,8 @@ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false" + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Public Policy", @@ -117,6 +126,7 @@ "searchKey": "aws_s3_account_public_access_block[allow_public_acc].block_public_policy", "searchValue": "", "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", - "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false" + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 7309169461b..52d5283f0c7 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", - "actualValue": "'cors_rule' allows all methods, all headers or several origins" + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[positive2].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", - "actualValue": "'cors_rule' allows all methods, all headers or several origins" + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", - "actualValue": "'cors_rule' allows all methods, all headers or several origins" + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", @@ -45,7 +48,8 @@ "searchKey": "module[s3_bucket].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", - "actualValue": "'cors_rule' allows all methods, all headers or several origins" + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket with Unsecured CORS Rule", @@ -57,6 +61,7 @@ "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule", "searchValue": "", "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", - "actualValue": "'cors_rule' allows all methods, all headers or several origins" + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json index 478d50a067a..137e2b5c3f2 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is undefined or null" + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[positive2].versioning.mfa_delete", "searchValue": "", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is set to false" + "actualValue": "'mfa_delete' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -33,7 +35,8 @@ "searchKey": "aws_s3_bucket[positive3].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is undefined or null" + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -45,7 +48,8 @@ "searchKey": "aws_s3_bucket[positive3].versioning.enabled", "searchValue": "", "expectedValue": "'enabled' should be set to true", - "actualValue": "'enabled' is set to false" + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -57,7 +61,8 @@ "searchKey": "module[s3_bucket].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is undefined or null" + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -69,7 +74,8 @@ "searchKey": "module[s3_bucket].versioning.mfa_delete", "searchValue": "", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is set to false" + "actualValue": "'mfa_delete' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -81,7 +87,8 @@ "searchKey": "module[s3_bucket].versioning", "searchValue": "mfa_delete", "expectedValue": "'mfa_delete' should be set to true", - "actualValue": "'mfa_delete' is undefined or null" + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -93,7 +100,8 @@ "searchKey": "module[s3_bucket].versioning.enabled", "searchValue": "", "expectedValue": "'enabled' should be set to true", - "actualValue": "'enabled' is set to false" + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -105,7 +113,8 @@ "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete", "searchValue": "", "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'", - "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'" + "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", @@ -117,6 +126,7 @@ "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", "searchValue": "", "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", - "actualValue": "'versioning_configuration.status' is set to 'Disabled'" + "actualValue": "'versioning_configuration.status' is set to 'Disabled'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index f39c7f69463..194ac0e1e4d 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_public_access_block[positive2].ignore_public_acls", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is equal 'false'" + "actualValue": "'ignore_public_acls' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket].ignore_public_acls", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is equal 'false'" + "actualValue": "'ignore_public_acls' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -33,7 +35,8 @@ "searchKey": "module[s3_bucket].ignore_public_acls", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is missing" + "actualValue": "'ignore_public_acls' is missing", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Ignore Public ACL", @@ -45,6 +48,7 @@ "searchKey": "aws_s3_bucket_public_access_block[positive2]", "searchValue": "", "expectedValue": "'ignore_public_acls' should equal 'true'", - "actualValue": "'ignore_public_acls' is missing" + "actualValue": "'ignore_public_acls' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index b47ae7c6712..0232301b8ab 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", "searchValue": "", "expectedValue": "'restrict_public_buckets' should equal 'true'", - "actualValue": "'restrict_public_buckets' is equal to 'false'" + "actualValue": "'restrict_public_buckets' is equal to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", @@ -21,6 +22,7 @@ "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", "searchValue": "", "expectedValue": "'restrict_public_buckets' should equal 'true'", - "actualValue": "'restrict_public_buckets' is equal to 'false'" + "actualValue": "'restrict_public_buckets' is equal to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json index fff2e4e37c0..82fb79b9edc 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1].versioning.enabled", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is set to false" + "actualValue": "'versioning.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Versioning", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[positive2]", "searchValue": "", "expectedValue": "'versioning' should be true", - "actualValue": "'versioning' is undefined or null" + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -33,7 +35,8 @@ "searchKey": "aws_s3_bucket[positive3].versioning", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is undefined or null" + "actualValue": "'versioning.enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -45,7 +48,8 @@ "searchKey": "module[s3_bucket].versioning.enabled", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is set to false" + "actualValue": "'versioning.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Versioning", @@ -57,7 +61,8 @@ "searchKey": "module[s3_bucket].versioning", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is undefined or null" + "actualValue": "'versioning.enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -69,7 +74,8 @@ "searchKey": "module[s3_bucket]", "searchValue": "", "expectedValue": "'versioning' should be true", - "actualValue": "'versioning' is undefined or null" + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", @@ -81,7 +87,8 @@ "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", "searchValue": "", "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", - "actualValue": "'versioning_configuration.status' is set to 'Suspended'" + "actualValue": "'versioning_configuration.status' is set to 'Suspended'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Versioning", @@ -93,6 +100,7 @@ "searchKey": "aws_s3_bucket[b2]", "searchValue": "", "expectedValue": "'versioning' should be true", - "actualValue": "'versioning' is undefined or null" + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json index aebaa8c519b..6f0ce4bfedd 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_s3_bucket[positive1].website", "searchValue": "", "expectedValue": "resource.aws_s3_bucket[positive1].website to not have static websites inside", - "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside" + "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside", + "issueType": "IncorrectValue" }, { "queryName": "S3 Static Website Host Enabled", @@ -21,7 +22,8 @@ "searchKey": "module[s3_bucket].website", "searchValue": "", "expectedValue": "'website' to not have static websites inside", - "actualValue": "'website' does have static websites inside" + "actualValue": "'website' does have static websites inside", + "issueType": "IncorrectValue" }, { "queryName": "S3 Static Website Host Enabled", @@ -33,6 +35,7 @@ "searchKey": "aws_s3_bucket[buc]", "searchValue": "", "expectedValue": "'aws_s3_bucket' to not have 'aws_s3_bucket_website_configuration' associated", - "actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated" + "actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json index 19c75c3aa0a..ad74016d8ef 100644 --- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_sagemaker_endpoint_configuration[positive]", "searchValue": "", "expectedValue": "aws_sagemaker_endpoint_configuration[positive] should be defined and not null", - "actualValue": "aws_sagemaker_endpoint_configuration[positive] is undefined or null" + "actualValue": "aws_sagemaker_endpoint_configuration[positive] is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json index a02f3e70535..ffc9c2242d8 100644 --- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_sagemaker_notebook_instance[{{ni}}]", "searchValue": "", "expectedValue": "aws_sagemaker_notebook_instance.kms_key_id should be defined and not null", - "actualValue": "aws_sagemaker_notebook_instance.kms_key_id is undefined or null" + "actualValue": "aws_sagemaker_notebook_instance.kms_key_id is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json index 22e18c5763c..61dc98aa3e8 100644 --- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_secretsmanager_secret_policy[example].policy", "searchValue": "", "expectedValue": "aws_secretsmanager_secret_policy[example].policy should not have wildcard in 'Principal' and 'Action'", - "actualValue": "aws_secretsmanager_secret_policy[example].policy has wildcard in 'Principal' or 'Action'" + "actualValue": "aws_secretsmanager_secret_policy[example].policy has wildcard in 'Principal' or 'Action'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json index 59ab109cd2f..722d1f5df2a 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_secretsmanager_secret[test2].kms_key_id", "searchValue": "", "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key", - "actualValue": "Secrets Manager secret is encrypted with AWS managed key" + "actualValue": "Secrets Manager secret is encrypted with AWS managed key", + "issueType": "IncorrectValue" }, { "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key", @@ -21,6 +22,7 @@ "searchKey": "aws_secretsmanager_secret[test].kms_key_id", "searchValue": "", "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key", - "actualValue": "Secrets Manager secret is encrypted with AWS managed key" + "actualValue": "Secrets Manager secret is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 354203060d9..43f8e2bae56 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_secretsmanager_secret[{{example}}]", "searchValue": "", "expectedValue": "aws_secretsmanager_secret.kms_key_id should be defined and not null", - "actualValue": "aws_secretsmanager_secret.kms_key_id is undefined or null" + "actualValue": "aws_secretsmanager_secret.kms_key_id is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json index 32f6bb5d90e..181c999383f 100644 --- a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version", "searchValue": "", "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version should start with TLSv1.1 or TLSv1.2", - "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2" + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json index cf305a71ef8..af63f134165 100644 --- a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", - "actualValue": "aws_security_group[positive1].ingress.description is undefined or null" + "actualValue": "aws_security_group[positive1].ingress.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1].egress", "searchValue": "", "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", - "actualValue": "aws_security_group[positive1].egress.description is undefined or null" + "actualValue": "aws_security_group[positive1].egress.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive2-1].ingress.0", "searchValue": "", "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", - "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null" + "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive2-1].ingress.1", "searchValue": "", "expectedValue": "aws_security_group[positive2-1].ingress[1].description should be defined and not null", - "actualValue": "aws_security_group[positive2-1].ingress[1].description is undefined or null" + "actualValue": "aws_security_group[positive2-1].ingress[1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive2-2].egress.0", "searchValue": "", "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", - "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null" + "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive2-2].egress.1", "searchValue": "", "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", - "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null" + "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", - "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null" + "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -93,7 +100,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", - "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null" + "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", - "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null" + "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -117,7 +126,8 @@ "searchKey": "aws_vpc_security_group_egress_rule[positive4-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_egress_rule[positive4-2].description should be defined and not null", - "actualValue": "aws_vpc_security_group_egress_rule[positive4-2].description is undefined or null" + "actualValue": "aws_vpc_security_group_egress_rule[positive4-2].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -129,7 +139,8 @@ "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null" + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -141,7 +152,8 @@ "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1", "searchValue": "", "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description is undefined or null" + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -153,7 +165,8 @@ "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null" + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -165,7 +178,8 @@ "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", "searchValue": "", "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", - "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null" + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -177,7 +191,8 @@ "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null" + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -189,7 +204,8 @@ "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1", "searchValue": "", "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description is undefined or null" + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -201,7 +217,8 @@ "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null" + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", @@ -213,6 +230,7 @@ "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1", "searchValue": "", "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description should be defined and not null", - "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null" + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index b1d91903609..479c5a485fd 100644 --- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open" + "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -93,7 +100,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) is open" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) should not be open", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open" + "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -129,7 +139,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) should not be open", - "actualValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) is open" + "actualValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -141,7 +152,8 @@ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -153,7 +165,8 @@ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -165,7 +178,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -177,7 +191,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -189,7 +204,8 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", @@ -201,6 +217,7 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json index 14c557dc747..4567071f326 100644 --- a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-1] description should be defined and not null", - "actualValue": "aws_security_group[positive1-1] description is undefined or null" + "actualValue": "aws_security_group[positive1-1] description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Without Description", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2] description should be defined and not null", - "actualValue": "aws_security_group[positive1-2] description is undefined or null" + "actualValue": "aws_security_group[positive1-2] description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Without Description", @@ -33,7 +35,8 @@ "searchKey": "module[positive2-1]", "searchValue": "", "expectedValue": "module[positive2-1] description should be defined and not null", - "actualValue": "module[positive2-1] description is undefined or null" + "actualValue": "module[positive2-1] description is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Without Description", @@ -45,6 +48,7 @@ "searchKey": "module[positive2-2]", "searchValue": "", "expectedValue": "module[positive2-2] description should be defined and not null", - "actualValue": "module[positive2-2] description is undefined or null" + "actualValue": "module[positive2-2] description is undefined or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json index 7f756751d1a..cef644b07dc 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[allow_tls]", "searchValue": "", "expectedValue": "'aws_security_group[allow_tls]' should be used", - "actualValue": "'aws_security_group[allow_tls]' is not used" + "actualValue": "'aws_security_group[allow_tls]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[unused-sg]", "searchValue": "", "expectedValue": "'aws_security_group[unused-sg]' should be used", - "actualValue": "'aws_security_group[unused-sg]' is not used" + "actualValue": "'aws_security_group[unused-sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[unused_sg]", "searchValue": "", "expectedValue": "'aws_security_group[unused_sg]' should be used", - "actualValue": "'aws_security_group[unused_sg]' is not used" + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[unused_sg]", "searchValue": "", "expectedValue": "'aws_security_group[unused_sg]' should be used", - "actualValue": "'aws_security_group[unused_sg]' is not used" + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[example]", "searchValue": "", "expectedValue": "'aws_security_group[example]' should be used", - "actualValue": "'aws_security_group[example]' is not used" + "actualValue": "'aws_security_group[example]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[default_name]", "searchValue": "", "expectedValue": "'aws_security_group[default_name]' should be used", - "actualValue": "'aws_security_group[default_name]' is not used" + "actualValue": "'aws_security_group[default_name]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[unused_sg]", "searchValue": "", "expectedValue": "'aws_security_group[unused_sg]' should be used", - "actualValue": "'aws_security_group[unused_sg]' is not used" + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", @@ -93,6 +100,7 @@ "searchKey": "aws_security_group[default_name]", "searchValue": "", "expectedValue": "'aws_security_group[default_name]' should be used", - "actualValue": "'aws_security_group[default_name]' is not used" + "actualValue": "'aws_security_group[default_name]' is not used", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index bfcf5db1e19..5cb1204e248 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1_ipv4_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -93,7 +100,8 @@ "searchKey": "aws_security_group[positive1_ipv6_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -105,7 +113,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -129,7 +139,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -141,7 +152,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -153,7 +165,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -165,7 +178,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -177,7 +191,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -189,7 +204,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -201,7 +217,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -213,7 +230,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -225,7 +243,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -237,7 +256,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -249,7 +269,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -261,7 +282,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -273,7 +295,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -285,7 +308,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -297,7 +321,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -309,7 +334,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -321,7 +347,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -333,7 +360,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -345,7 +373,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -357,7 +386,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -369,7 +399,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -381,7 +412,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -393,7 +425,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -405,7 +438,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -417,7 +451,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -429,7 +464,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -441,7 +477,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -453,7 +490,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -465,7 +503,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -477,6 +516,7 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 82a46ee832c..97f2aea2c37 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1_ipv4_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -93,7 +100,8 @@ "searchKey": "aws_security_group[positive1_ipv6_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -105,7 +113,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -129,7 +139,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -141,7 +152,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -153,7 +165,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -165,7 +178,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -177,7 +191,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -189,7 +204,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -201,7 +217,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -213,7 +230,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -225,7 +243,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -237,7 +256,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -249,7 +269,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -261,7 +282,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -273,7 +295,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -285,7 +308,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -297,7 +321,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -309,7 +334,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -321,7 +347,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -333,7 +360,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -345,7 +373,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -357,7 +386,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -369,7 +399,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -381,7 +412,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -393,7 +425,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -405,7 +438,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -417,7 +451,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -429,7 +464,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -441,7 +477,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -453,7 +490,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -465,7 +503,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -477,6 +516,7 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 1c24cda9e6a..56bc14bb7ef 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1_ipv4_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1_ipv4_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1_ipv6_1].ingress", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -93,7 +100,8 @@ "searchKey": "aws_security_group[positive1_ipv6_2].ingress", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -105,7 +113,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -129,7 +139,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -141,7 +152,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -153,7 +165,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -165,7 +178,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -177,7 +191,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -189,7 +204,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -201,7 +217,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -213,7 +230,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -225,7 +243,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -237,7 +256,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -249,7 +269,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -261,7 +282,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -273,7 +295,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -285,7 +308,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -297,7 +321,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv4_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -309,7 +334,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -321,7 +347,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_1]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -333,7 +360,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_2]", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -345,7 +373,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_3]", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -357,7 +386,8 @@ "searchKey": "aws_security_group_rule[positive3_ipv6_4]", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -369,7 +399,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -381,7 +412,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -393,7 +425,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -405,7 +438,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -417,7 +451,8 @@ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -429,7 +464,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -441,7 +477,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -453,7 +490,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -465,7 +503,8 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -477,6 +516,7 @@ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json index bb9e8c49ce6..905ae31feed 100644 --- a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_organizations_organization[positive1].feature_set", "searchValue": "", "expectedValue": "'feature_set' should be set to 'ALL' or undefined", - "actualValue": "'feature_set' is set to 'CONSOLIDATED_BILLING'" + "actualValue": "'feature_set' is set to 'CONSOLIDATED_BILLING'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json index cd1745c3c87..7a5db066b4b 100644 --- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ses_identity_policy[positive1].policy", "searchValue": "", "expectedValue": "'policy' should not allow IAM actions to all principals", - "actualValue": "'policy' allows IAM actions to all principals" + "actualValue": "'policy' allows IAM actions to all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json index b40736a9407..0c8b90a931d 100644 --- a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_eip[positive1]", "searchValue": "", "expectedValue": "aws_eip has shield advanced associated", - "actualValue": "aws_eip does not have shield advanced associated" + "actualValue": "aws_eip does not have shield advanced associated", + "issueType": "MissingAttribute" }, { "queryName": "Shield Advanced Not In Use", @@ -21,6 +22,7 @@ "searchKey": "aws_route53_zone[positive2]", "searchValue": "", "expectedValue": "aws_route53_zone has shield advanced associated", - "actualValue": "aws_route53_zone does not have shield advanced associated" + "actualValue": "aws_route53_zone does not have shield advanced associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json index ddece53ffb6..9febcca0905 100644 --- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", "searchValue": "", "expectedValue": "SNS Topic should not be encrypted with AWS managed key", - "actualValue": "SNS Topic is encrypted with AWS managed key" + "actualValue": "SNS Topic is encrypted with AWS managed key", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic Encrypted With AWS Managed Key", @@ -21,6 +22,7 @@ "searchKey": "aws_sns_topic[test].kms_master_key_id", "searchValue": "", "expectedValue": "SNS Topic should not be encrypted with AWS managed key", - "actualValue": "SNS Topic is encrypted with AWS managed key" + "actualValue": "SNS Topic is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 59aafcf228b..c684f34a5c5 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic[positive1].policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "topic_policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", "searchValue": "", "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", - "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -45,7 +48,8 @@ "searchKey": "module[sns_topic_with_policy_statements_not_limited_access].topic_policy_statements[0].principals", "searchValue": "", "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", - "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -57,7 +61,8 @@ "searchKey": "aws_sns_topic[positive1].policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -69,7 +74,8 @@ "searchKey": "aws_sns_topic[positive1].policy", "searchValue": "2", "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" + "actualValue": "'Statement[2].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -81,7 +87,8 @@ "searchKey": "topic_policy", "searchValue": "0", "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[0].Principal.AWS' contains '*'" + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -93,7 +100,8 @@ "searchKey": "topic_policy", "searchValue": "2", "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", - "actualValue": "'Statement[2].Principal.AWS' contains '*'" + "actualValue": "'Statement[2].Principal.AWS' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -105,7 +113,8 @@ "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", "searchValue": "", "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", - "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal" + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", @@ -117,6 +126,7 @@ "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[2].principals", "searchValue": "", "expectedValue": "'topic_policy_statements[2].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", - "actualValue": "'topic_policy_statements[2].principals[0].identifiers' contains '*' for an AWS Principal" + "actualValue": "'topic_policy_statements[2].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json index 21523b98c59..864176d9d58 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", "searchValue": "", "expectedValue": "SNS Topic should be encrypted", - "actualValue": "SNS Topic is not encrypted" + "actualValue": "SNS Topic is not encrypted", + "issueType": "MissingAttribute" }, { "queryName": "SNS Topic Not Encrypted", @@ -21,6 +22,7 @@ "searchKey": "aws_sns_topic[test]", "searchValue": "", "expectedValue": "SNS Topic should be encrypted", - "actualValue": "SNS Topic is not encrypted" + "actualValue": "SNS Topic is not encrypted", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index fc37db29869..a0664d91995 100644 --- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic_policy[positive2].policy", "searchValue": "", "expectedValue": "aws_sns_topic_policy[positive2].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", - "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously" + "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", @@ -21,6 +22,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", - "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously" + "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 69479ac00d5..21a2817587e 100644 --- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-1].ingress opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-1].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group[positive1-7].ingress opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group[positive1-7].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -93,7 +100,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens SQL Analysis Services Port 2383" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -129,7 +139,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open SQL Analysis Services Port 2383", - "actualValue": "aws_security_group_rule[positive3-2] opens SQL Analysis Services Port 2383" + "actualValue": "aws_security_group_rule[positive3-2] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -141,7 +152,8 @@ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -153,7 +165,8 @@ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -165,7 +178,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -177,7 +191,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -189,7 +204,8 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", @@ -201,6 +217,7 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index 0f9204212f6..e0a12fdbdb0 100644 --- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sqs_queue_policy[positive2].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Action' is equal '*'" + "actualValue": "'policy.Statement.Action' is equal '*'", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy Allows All Actions", @@ -21,6 +22,7 @@ "searchKey": "module[s3_bucket].policy", "searchValue": "", "expectedValue": "'policy.Statement.Action' should not equal '*'", - "actualValue": "'policy.Statement.Action' is equal '*'" + "actualValue": "'policy.Statement.Action' is equal '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 73312d39cdc..8a1aa0a6191 100755 --- a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sqs_queue_policy[test].policy", "searchValue": "", "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", - "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -21,7 +22,8 @@ "searchKey": "aws_sqs_queue_policy[test_aws].policy", "searchValue": "", "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", - "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", @@ -33,6 +35,7 @@ "searchKey": "aws_sqs_queue_policy[test_aws_array].policy", "searchValue": "", "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", - "actualValue": "'policy.Statement.Principal.AWS' is equal '*'" + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json index 1c2db859a4a..38424a9c4d1 100644 --- a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sqs_queue[positive1].policy", "searchValue": "", "expectedValue": "resource.aws_sqs_queue[positive1].policy.Principal shouldn't get the queue publicly accessible", - "actualValue": "resource.aws_sqs_queue[positive1].policy.Principal does get the queue publicly accessible" + "actualValue": "resource.aws_sqs_queue[positive1].policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue" }, { "queryName": "SQS Queue Exposed", @@ -21,6 +22,7 @@ "searchKey": "module[user_queue]", "searchValue": "", "expectedValue": "'policy.Principal' shouldn't get the queue publicly accessible", - "actualValue": "'policy.Principal' does get the queue publicly accessible" + "actualValue": "'policy.Principal' does get the queue publicly accessible", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json index 9e18a9b5a68..bd836142a60 100644 --- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_vpc_endpoint[sqs-vpc-endpoint].vpc_id", "searchValue": "", "expectedValue": "'enable_dns_support' should be set to true or undefined", - "actualValue": "'enable_dns_support' is set to false" + "actualValue": "'enable_dns_support' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "SQS VPC Endpoint Without DNS Resolution", @@ -21,6 +22,7 @@ "searchKey": "module[vpc].enable_dns_support", "searchValue": "", "expectedValue": "'enable_dns_support' should be set to true or undefined", - "actualValue": "'enable_dns_support' is set to false" + "actualValue": "'enable_dns_support' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 406f1bb8849..f11c2b152fa 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sqs_queue[positive1]", "searchValue": "", "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null", - "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null" + "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_sqs_queue[positive2].kms_master_key_id", "searchValue": "", "expectedValue": "aws_sqs_queue.kms_master_key_id should not be ''", - "actualValue": "aws_sqs_queue.kms_master_key_id is ''" + "actualValue": "aws_sqs_queue.kms_master_key_id is ''", + "issueType": "IncorrectValue" }, { "queryName": "SQS With SSE Disabled", @@ -33,7 +35,8 @@ "searchKey": "aws_sqs_queue[positive3]", "searchValue": "", "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null", - "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null" + "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -45,7 +48,8 @@ "searchKey": "module[user_queue]", "searchValue": "", "expectedValue": "'kms_master_key_id' should be defined and not null", - "actualValue": "'kms_master_key_id' is undefined or null" + "actualValue": "'kms_master_key_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -57,7 +61,8 @@ "searchKey": "module[user_queue]", "searchValue": "", "expectedValue": "'kms_master_key_id' should not be empty", - "actualValue": "'kms_master_key_id' is empty" + "actualValue": "'kms_master_key_id' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQS With SSE Disabled", @@ -69,7 +74,8 @@ "searchKey": "module[user_queue]", "searchValue": "", "expectedValue": "'kms_master_key_id' should be defined and not null", - "actualValue": "'kms_master_key_id' is undefined or null" + "actualValue": "'kms_master_key_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", @@ -81,6 +87,7 @@ "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled", "searchValue": "", "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true", - "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false" + "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json index defa6a2588d..8cd845897c7 100644 --- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ssm_document[positive1].content", "searchValue": "", "expectedValue": "'inputs' should be defined and not null", - "actualValue": "'inputs' is undefined or null" + "actualValue": "'inputs' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SSM Session Transit Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_ssm_document[positive2].content", "searchValue": "", "expectedValue": "'inputs.kmsKeyId' should be defined and not null", - "actualValue": "'inputs.kmsKeyId' is undefined or null" + "actualValue": "'inputs.kmsKeyId' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json index 436bd617b0b..54a98554328 100644 --- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ssoadmin_permission_set[example3].session_duration", "searchValue": "", "expectedValue": "session_duration should not be higher than 1 hour", - "actualValue": "session_duration is higher than 1 hour" + "actualValue": "session_duration is higher than 1 hour", + "issueType": "IncorrectValue" }, { "queryName": "SSO Permission With Inadequate User Session Duration", @@ -21,6 +22,7 @@ "searchKey": "aws_ssoadmin_permission_set[example4].session_duration", "searchValue": "", "expectedValue": "session_duration should not be higher than 1 hour", - "actualValue": "session_duration is higher than 1 hour" + "actualValue": "session_duration is higher than 1 hour", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json index ee54a85e47f..35e4b065118 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_ssoadmin_permission_set_inline_policy[pos1].inline_policy", "searchValue": "", "expectedValue": "inline_policy.Statement.Action should not equal to, nor contain '*'", - "actualValue": "inline_policy.Statement.Action is equal to or contains '*'" + "actualValue": "inline_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json index a1559043527..219a84dc70c 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_identitystore_user[example]", "searchValue": "", "expectedValue": "aws_identitystore_user resource should not be used", - "actualValue": "aws_identitystore_user resource is used" + "actualValue": "aws_identitystore_user resource is used", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json index 5631fa5a5d1..c62f8cc14b5 100644 --- a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudformation_stack[positive1]", "searchValue": "", "expectedValue": "Attribute 'notification_arns' should be set", - "actualValue": "Attribute 'notification_arns' is undefined" + "actualValue": "Attribute 'notification_arns' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json index 887207cb36b..296ef5c45eb 100644 --- a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudformation_stack_set_instance[positive1].retain_stack", "searchValue": "", "expectedValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack should be true ", - "actualValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack is false" + "actualValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", @@ -21,6 +22,7 @@ "searchKey": "aws_cloudformation_stack_set_instance[positive2]", "searchValue": "", "expectedValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack should be defined and not null", - "actualValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack is undefined or null" + "actualValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json index cab9abd7791..24e635897bd 100644 --- a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_cloudformation_stack[positive1]", "searchValue": "", "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set", - "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined" + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index 1f31d1f5354..2e9c6c6fc49 100644 --- a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_rds_cluster[example].copy_tags_to_snapshot", "searchValue": "", "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be set to true", - "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is set to false" + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -21,7 +22,8 @@ "searchKey": "aws_rds_cluster[example]", "searchValue": "", "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be defined to true", - "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is not defined" + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -33,7 +35,8 @@ "searchKey": "aws_db_instance[example].copy_tags_to_snapshot", "searchValue": "", "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be set to true", - "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is set to false" + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -45,7 +48,8 @@ "searchKey": "aws_db_instance[example]", "searchValue": "", "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be defined to true", - "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined" + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -57,7 +61,8 @@ "searchKey": "module[rds_cluster].copy_tags_to_snapshot", "searchValue": "", "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true", - "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false" + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Tags Not Copied to RDS Cluster Snapshot", @@ -69,6 +74,7 @@ "searchKey": "module[rds_cluster]", "searchValue": "", "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true", - "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined" + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index cf55ccd2caf..9540a361c90 100644 --- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-1].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-1].ingress ports are known", - "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-2].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-2].ingress[1] ports are known", - "actualValue": "aws_security_group[positive1-2].ingress[1] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-2].ingress[1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-3].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-3].ingress ports are known", - "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-4].ingress[1]", "searchValue": "", "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known", - "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -57,7 +61,8 @@ "searchKey": "aws_security_group[positive1-5].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-5].ingress ports are known", - "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -69,7 +74,8 @@ "searchKey": "aws_security_group[positive1-6].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-6].ingress ports are known", - "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -81,7 +87,8 @@ "searchKey": "aws_security_group[positive1-7].ingress", "searchValue": "", "expectedValue": "aws_security_group[positive1-7].ingress ports are known", - "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -93,7 +100,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -105,7 +113,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are known", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-1]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-1] ports are known", - "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -129,7 +139,8 @@ "searchKey": "aws_security_group_rule[positive3-2]", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-2] ports are known", - "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet" + "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -141,7 +152,8 @@ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -153,7 +165,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -165,7 +178,8 @@ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known", - "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -177,7 +191,8 @@ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -189,7 +204,8 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", @@ -201,6 +217,7 @@ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", "searchValue": "", "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known", - "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet" + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 4937b2cefad..eacceb00f18 100644 --- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'" + "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -21,7 +22,8 @@ "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'" + "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -33,7 +35,8 @@ "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'" + "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -45,7 +48,8 @@ "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'" + "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -57,7 +61,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 should not be equal to '0.0.0.0/0'", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 is equal to '0.0.0.0/0'" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 is equal to '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -69,7 +74,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 should not be equal to '::/0'", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 is equal to '::/0'" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 is equal to '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -81,7 +87,8 @@ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6", "searchValue": "", "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 should not be equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'", - "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 is equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'" + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 is equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -93,7 +100,8 @@ "searchKey": "aws_security_group_rule[positive3-ipv4].cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'", - "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'" + "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -105,7 +113,8 @@ "searchKey": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'" + "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -117,7 +126,8 @@ "searchKey": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks", "searchValue": "", "expectedValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks should not contain '0:0:0:0:0:0:0:0/0'", - "actualValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks contains '0:0:0:0:0:0:0:0/0'" + "actualValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks contains '0:0:0:0:0:0:0:0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -129,7 +139,8 @@ "searchKey": "module[positive4-ipv4].ingress_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-ipv4].ingress_cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-ipv4].ingress_cidr_blocks contains '0.0.0.0/0'" + "actualValue": "module[positive4-ipv4].ingress_cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -141,7 +152,8 @@ "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'" + "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -153,7 +165,8 @@ "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'" + "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -165,7 +178,8 @@ "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'" + "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -177,7 +191,8 @@ "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks contains '0.0.0.0/0'" + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -189,7 +204,8 @@ "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'" + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -201,7 +217,8 @@ "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'" + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", @@ -213,6 +230,7 @@ "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks", "searchValue": "", "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'", - "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'" + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json index ff23612b9a6..b459d3636b5 100644 --- a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ecr_repository[positive1]", "searchValue": "", "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined", - "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined" + "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Unscanned ECR Image", @@ -21,6 +22,7 @@ "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push", "searchValue": "", "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true", - "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false" + "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 372a19e0c54..0d75a3a47d6 100644 --- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_launch_configuration[positive1].user_data_base64", "searchValue": "", "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key", - "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key" + "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key", + "issueType": "IncorrectValue" }, { "queryName": "User Data Contains Encoded Private Key", @@ -21,7 +22,8 @@ "searchKey": "module[positive2].user_data_base64", "searchValue": "", "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", - "actualValue": "'user_data_base64' contains RSA Private Key" + "actualValue": "'user_data_base64' contains RSA Private Key", + "issueType": "IncorrectValue" }, { "queryName": "User Data Contains Encoded Private Key", @@ -33,6 +35,7 @@ "searchKey": "module[positive3].user_data_base64", "searchValue": "", "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", - "actualValue": "'user_data_base64' contains RSA Private Key" + "actualValue": "'user_data_base64' contains RSA Private Key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index 86fece58bd3..775f3a36689 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index 6506b6d3887..895fbe56621 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index bfe335e4541..a276e8a00f6 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 65dec54b285..03bf5b03d6b 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 7b68a3acc0f..babf50a738f 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 221f4ff9051..6878918ca5d 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 7743f71e7f9..e8ae7279fa6 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index cc76bb32da3..e3067651e6f 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index d836714b8fc..125cd680b5d 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 243d3547686..5f82e7abef2 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 607020b0631..97de3fa3a19 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 89e1f94c3c0..e593e3320d3 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index 02631e87c98..d0805e13daa 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 36eac1c4ad6..569d2314d18 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index addbd6ba4de..0fc79e327b2 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 50d9b999ae7..ff7a393c774 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index 6aa1d8472a4..9323b323d47 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index d2c8c2832d0..3b80234df31 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 34e08533f35..40b21e493c9 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_iam_user[cosmic]", "searchValue": "", "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", - "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'" + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json index b7f1a816e84..f7aef4ff73d 100644 --- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_default_security_group[{{default}}].ingress", "searchValue": "", "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined", - "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined" + "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined", + "issueType": "IncorrectValue" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -21,7 +22,8 @@ "searchKey": "aws_default_security_group[{{default}}].egress", "searchValue": "", "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined", - "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined" + "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined", + "issueType": "IncorrectValue" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -33,7 +35,8 @@ "searchKey": "aws_default_security_group[{{default3}}].ingress", "searchValue": "", "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined", - "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined" + "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined", + "issueType": "IncorrectValue" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -45,7 +48,8 @@ "searchKey": "aws_default_security_group[{{default3}}].ingress.ipv6_cidr_blocks", "searchValue": "", "expectedValue": "'ingress' should be undefined", - "actualValue": "'ingress' accepts all traffic" + "actualValue": "'ingress' accepts all traffic", + "issueType": "IncorrectValue" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -57,7 +61,8 @@ "searchKey": "aws_default_security_group[{{default3}}].egress", "searchValue": "", "expectedValue": "aws_default_security_group[{{default3}}] should not have 'egress' defined", - "actualValue": "aws_default_security_group[{{default3}}] has 'egress' defined" + "actualValue": "aws_default_security_group[{{default3}}] has 'egress' defined", + "issueType": "IncorrectValue" }, { "queryName": "VPC Default Security Group Accepts All Traffic", @@ -69,6 +74,7 @@ "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks", "searchValue": "", "expectedValue": "'egress' should be undefined", - "actualValue": "'egress' accepts all traffic" + "actualValue": "'egress' accepts all traffic", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index e9ed95958b8..1c31e190d77 100644 --- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_flow_log[example]", "searchValue": "", "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null", - "actualValue": "aws_flow_log[example].vpc_id is undefined or null" + "actualValue": "aws_flow_log[example].vpc_id is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "VPC FlowLogs Disabled", @@ -21,7 +22,8 @@ "searchKey": "aws_vpc[main]", "searchValue": "", "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id", - "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id" + "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id", + "issueType": "IncorrectValue" }, { "queryName": "VPC FlowLogs Disabled", @@ -33,7 +35,8 @@ "searchKey": "vpc.enable_flow_log", "searchValue": "", "expectedValue": "vpc.enable_flow_log should be set to true", - "actualValue": "vpc.enable_flow_log is set to false" + "actualValue": "vpc.enable_flow_log is set to false", + "issueType": "IncorrectValue" }, { "queryName": "VPC FlowLogs Disabled", @@ -45,6 +48,7 @@ "searchKey": "vpc", "searchValue": "", "expectedValue": "vpc.enable_flow_log should be set to true", - "actualValue": "vpc.enable_flow_log is undefined" + "actualValue": "vpc.enable_flow_log is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json index 74ac3449d73..de791251567 100644 --- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_route_table[public_route_table].route", "searchValue": "", "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", - "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR", + "issueType": "IncorrectValue" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", @@ -21,7 +22,8 @@ "searchKey": "aws_route[private_route2]", "searchValue": "", "expectedValue": "aws_route[private_route2] restricts CIDR", - "actualValue": "aws_route[private_route2] does not restrict CIDR" + "actualValue": "aws_route[private_route2] does not restrict CIDR", + "issueType": "IncorrectValue" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", @@ -33,7 +35,8 @@ "searchKey": "aws_route_table[public_route_table].route", "searchValue": "", "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", - "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR" + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR", + "issueType": "IncorrectValue" }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", @@ -45,6 +48,7 @@ "searchKey": "aws_route_table[art_nat_gw_out].route", "searchValue": "", "expectedValue": "aws_route_table[art_nat_gw_out].route restricts CIDR", - "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR" + "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json index 93338a250c4..72b85dd60f1 100644 --- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_subnet[positive].map_public_ip_on_launch", "searchValue": "", "expectedValue": "aws_subnet[positive].map_public_ip_on_launch should be set to false or undefined", - "actualValue": "aws_subnet[positive].map_public_ip_on_launch is set to true" + "actualValue": "aws_subnet[positive].map_public_ip_on_launch is set to true", + "issueType": "IncorrectValue" }, { "queryName": "VPC Subnet Assigns Public IP", @@ -21,7 +22,8 @@ "searchKey": "vpc.map_public_ip_on_launch", "searchValue": "", "expectedValue": "vpc.map_public_ip_on_launch should be set to false", - "actualValue": "vpc.map_public_ip_on_launch is set to true" + "actualValue": "vpc.map_public_ip_on_launch is set to true", + "issueType": "IncorrectValue" }, { "queryName": "VPC Subnet Assigns Public IP", @@ -33,6 +35,7 @@ "searchKey": "vpc", "searchValue": "", "expectedValue": "vpc.map_public_ip_on_launch should be set to false", - "actualValue": "vpc.map_public_ip_on_launch is set undefined" + "actualValue": "vpc.map_public_ip_on_launch is set undefined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json index b58d641838c..71bbb147dbb 100644 --- a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "aws_vpc[positive]", "searchValue": "", "expectedValue": "aws_vpc[positive] has an 'aws_networkfirewall_firewall' associated", - "actualValue": "aws_vpc[positive] does not have an 'aws_networkfirewall_firewall' associated" + "actualValue": "aws_vpc[positive] does not have an 'aws_networkfirewall_firewall' associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 696814a654d..624ecf9f3ec 100644 --- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_cloudfront_distribution[positive2]", "searchValue": "", "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null", - "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null" + "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -21,7 +22,8 @@ "searchKey": "aws_cloudfront_distribution[positive3].viewer_certificate", "searchValue": "cloudfront_default_certificate", "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", - "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'" + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -33,7 +35,8 @@ "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", "searchValue": "minimum_protocol_version", "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", - "actualValue": "Attribute 'minimum_protocol_version' is not defined" + "actualValue": "Attribute 'minimum_protocol_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", @@ -45,6 +48,7 @@ "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", "searchValue": "ssl_support_method", "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", - "actualValue": "Attribute 'ssl_support_method' is not defined" + "actualValue": "Attribute 'ssl_support_method' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json index 19fdc8044fc..6777429dc42 100644 --- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_workspaces_workspace[{{example}}].workspace_properties.user_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing" + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", @@ -21,7 +22,8 @@ "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", @@ -33,7 +35,8 @@ "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.user_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing" + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", @@ -45,7 +48,8 @@ "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib", "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing" + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", @@ -57,7 +61,8 @@ "searchKey": "aws_workspaces_workspace[{{example_4}}].root_volume_encryption_enabled", "searchValue": "", "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false" + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Workspaces Workspace Volume Not Encrypted", @@ -69,6 +74,7 @@ "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled", "searchValue": "", "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", - "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false" + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json index 6605b759bae..b4a972c090f 100644 --- a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_dynamodb_table[basic-dynamodb-table]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -21,7 +22,8 @@ "searchKey": "aws_dynamodb_table[example2-table]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -33,7 +35,8 @@ "searchKey": "aws_dynamodb_table[example3-table]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", @@ -45,6 +48,7 @@ "searchKey": "aws_dynamodb_table[example3-table]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json index 552f37e9995..17737b89b39 100644 --- a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_ebs_volume[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", @@ -21,6 +22,7 @@ "searchKey": "aws_ebs_volume[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json index c2e053c16b7..09e622abc00 100644 --- a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_efs_file_system[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", @@ -21,6 +22,7 @@ "searchKey": "aws_efs_file_system[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json index 4b2a74e2fb8..16d7b961897 100644 --- a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_elasticache_cluster[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -21,7 +22,8 @@ "searchKey": "aws_elasticache_cluster[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -33,7 +35,8 @@ "searchKey": "aws_elasticache_cluster[positive3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -45,7 +48,8 @@ "searchKey": "aws_elasticache_cluster[positive4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -57,7 +61,8 @@ "searchKey": "aws_elasticache_cluster[positive5]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", @@ -69,6 +74,7 @@ "searchKey": "aws_elasticache_cluster[positive6]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json index e2f051249cc..b21aa2ecbbf 100644 --- a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_kinesis_stream[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Kinesis", @@ -21,6 +22,7 @@ "searchKey": "aws_kinesis_stream[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json index 48bb4fd43ee..9b318d28ff4 100644 --- a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_mq_broker[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MQ", @@ -21,6 +22,7 @@ "searchKey": "aws_mq_broker[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json index 1e040b55f45..63ceed2a643 100644 --- a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_msk_cluster[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MSK", @@ -21,6 +22,7 @@ "searchKey": "aws_msk_cluster[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json index b24c7c3f38b..8b60101ff58 100644 --- a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_rds_cluster_instance[cluster_instances]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -21,7 +22,8 @@ "searchKey": "aws_db_instance[default]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", @@ -33,6 +35,7 @@ "searchKey": "aws_db_instance[sample3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json index 9af2f6af42a..d8b5bc5e2e3 100644 --- a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_s3_bucket[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -21,7 +22,8 @@ "searchKey": "aws_s3_bucket[positive10]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -33,7 +35,8 @@ "searchKey": "aws_s3_bucket[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -45,7 +48,8 @@ "searchKey": "aws_s3_bucket[positive3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -57,7 +61,8 @@ "searchKey": "aws_s3_bucket[positive4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -69,7 +74,8 @@ "searchKey": "aws_s3_bucket[positive5]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -81,7 +87,8 @@ "searchKey": "aws_s3_bucket[positive6]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -93,7 +100,8 @@ "searchKey": "aws_s3_bucket[positive7]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -105,7 +113,8 @@ "searchKey": "aws_s3_bucket[positive8]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", @@ -117,6 +126,7 @@ "searchKey": "aws_s3_bucket[positive9]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json index 6151eb90bc8..93bb81c0fe6 100644 --- a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sns_topic[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", @@ -21,7 +22,8 @@ "searchKey": "aws_sns_topic[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", @@ -33,7 +35,8 @@ "searchKey": "aws_sns_topic[positive3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", @@ -45,7 +48,8 @@ "searchKey": "aws_sns_topic[positive4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", @@ -57,6 +61,7 @@ "searchKey": "aws_sns_topic[positive5]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json index 6e2c087837f..d5e149669c0 100644 --- a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "aws_sqs_queue[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", @@ -21,7 +22,8 @@ "searchKey": "aws_sqs_queue[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", @@ -33,7 +35,8 @@ "searchKey": "aws_sqs_queue[positive3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", @@ -45,7 +48,8 @@ "searchKey": "aws_sqs_queue[positive4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", @@ -57,6 +61,7 @@ "searchKey": "aws_sqs_queue[positive5]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json index 60fc3ab71aa..336dc0b6303 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json index ab1a40bcdbd..179bf881999 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json index bd10e919864..d92246170f6 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 91105343032..7ff8e7fb1d9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 5df8899e9d1..294deee2ff2 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index d3d0bff0da8..850cd054bf2 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json index 54bc3360ee5..597cd9bece9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json index a22f2a4cd3f..c3b20b3b3b5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json index 706eaab97dd..469654d3c63 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 94ecfe7f81e..2c3c947c21c 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index e7493c47e74..cec6fbeb0dc 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index df5122e2306..6d43af35cbf 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 784cbd5f074..964202ed200 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 08b63f2af71..b067fab08ae 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json index ac5b35db21c..b4e9edbdb07 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json index 45185f5ebaf..ff09964966c 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security group' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security group' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json index 26f9a0b97bb..e4b4964176e 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json index 261f0cf667b..26dff104b80 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 7ddeaaff973..35b82d416f0 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 8ecfd89e35d..2c5de57b736 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json index c21d49cc9fa..9ba78182036 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index a3ba0417b4d..a6785159d2b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index a35ea356314..4243047eeac 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index 7e15fb7e801..0b69ffeb281 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json index c7271b650f5..65ae119ef43 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json index 4502b71fe72..329d18cf11b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json index d94e0cbab76..d35f1c8a28d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 60e226c54cd..8dbdfc9b502 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): statuses", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index c963ea02261..0a102b1a769 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index e4d24cc8a78..326a5849595 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json index b3c31f2da35..b7f6d538473 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -33,6 +35,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json index 5f632daab2f..9fd50727f0d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json index 91bb4c9350b..3da970dbc2d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive4_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json index 853ffb9e106..6e7e066b1e1 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive5_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "The 'azurerm_monitor_activity_log_alert[positive5_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field" + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive5_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json index 3d390cdb6ff..3d5f0de3f52 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_subscription[positive6]", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription" + "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json index 85145bad6b6..5d091be6df9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive1_1].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events" + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azurerm_monitor_activity_log_alert[positive1_2].criteria", "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", - "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events" + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 0375911bc73..b7ab0c856ef 100644 --- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_sql_server[positive2]", "searchValue": "", "expectedValue": "A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]'", - "actualValue": "A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]'" + "actualValue": "A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index 9a8f6feb23a..fadcebc561b 100644 --- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_container_registry[positive2].admin_enabled", "searchValue": "", "expectedValue": "'admin_enabled' equal 'false'", - "actualValue": "'admin_enabled' equal 'true'" + "actualValue": "'admin_enabled' equal 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json index 1955cf168bc..e4448d1b44e 100644 --- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive]", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' should be defined and not null", - "actualValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' is undefined or null" + "actualValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index 1eaa0593206..222a3c6eb23 100644 --- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive1].network_profile", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' should be set to either 'azure' or 'calico'", - "actualValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' is undefined" + "actualValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Network Policy Misconfigured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive2]", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive2].network_profile' should be set", - "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined" + "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Network Policy Misconfigured", @@ -33,6 +35,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'", - "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne" + "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json index a32127af4ce..9f0db80f3a8 100644 --- a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false" + "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false", + "issueType": "MissingAttribute" }, { "queryName": "AKS Private Cluster Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive2]", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined" + "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json index 5d7789ec977..151d84342ad 100644 --- a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' is not set to true" + "actualValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "AKS RBAC Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' is not set to true" + "actualValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json index e799707f1ac..85ef3a4cef6 100644 --- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false" + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false" + "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true", - "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null" + "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", @@ -45,6 +48,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive4]", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies", - "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies" + "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json index 4900c394e25..e1c5eafb7b3 100644 --- a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' should be defined to 'kube-audit' or 'kube-audit-admin'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -81,7 +87,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1].log.enabled", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' has the 'enabled' field set to 'false' instead of 'true'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -93,7 +100,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", @@ -105,6 +113,7 @@ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'" + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json index 5efadc84d2d..e513c8a17b0 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", - "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined" + "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -81,7 +87,8 @@ "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -93,7 +100,8 @@ "searchKey": "azurerm_linux_web_app[positive3]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", - "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined" + "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -105,7 +113,8 @@ "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -117,7 +126,8 @@ "searchKey": "azurerm_linux_web_app[positive5].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -129,7 +139,8 @@ "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -141,7 +152,8 @@ "searchKey": "azurerm_windows_web_app[positive7]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", - "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined" + "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", @@ -153,7 +165,8 @@ "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", @@ -165,6 +178,7 @@ "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json index c841fdd1796..f4ef242772c 100644 --- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_app_service[positive1].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_app_service[positive1].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" }, { "queryName": "App Service FTPS Enforce Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_web_app[positive2].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" }, { "queryName": "App Service FTPS Enforce Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_windows_web_app[positive3].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json index b6f1224cbce..ae1c2ac6f54 100644 --- a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", - "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null" + "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service HTTP2 Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_app_service[positive2].site_config", "searchValue": "", "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_app_service[positive3].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_app_service[positive3].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_web_app[positive4].site_config", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_web_app[positive5].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_web_app[positive7].site_config", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", @@ -93,7 +100,8 @@ "searchKey": "azurerm_linux_web_app[positive8]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive8].site_config' should be defined and not null", - "actualValue": "'azurerm_linux_web_app[positive8].site_config' is undefined or null" + "actualValue": "'azurerm_linux_web_app[positive8].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service HTTP2 Disabled", @@ -105,6 +113,7 @@ "searchKey": "azurerm_windows_web_app[positive9]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", - "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null" + "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json index a4db467da03..baeaf554f75 100644 --- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1-1]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-1].identity' should be defined and not null", - "actualValue": "'azurerm_app_service[positive1-1].identity' is undefined or null" + "actualValue": "'azurerm_app_service[positive1-1].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service Managed Identity Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_web_app[positive1-2]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive1-2].identity' should be defined and not null", - "actualValue": "'azurerm_linux_web_app[positive1-2].identity' is undefined or null" + "actualValue": "'azurerm_linux_web_app[positive1-2].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service Managed Identity Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_windows_web_app[positive1-3]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive1-3].identity' should be defined and not null", - "actualValue": "'azurerm_windows_web_app[positive1-3].identity' is undefined or null" + "actualValue": "'azurerm_windows_web_app[positive1-3].identity' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 6e3844dcab6..3c4b0d5345a 100644 --- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'" + "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -21,7 +22,8 @@ "searchKey": "azurerm_app_service[positive1-2].site_config.min_tls_version", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' is not set to '1.2'" + "actualValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_web_app[positive2-2].site_config", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' is not defined" + "actualValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_web_app[positive2-3]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined" + "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -93,7 +100,8 @@ "searchKey": "azurerm_windows_web_app[positive3-2].site_config", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined" + "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -105,7 +113,8 @@ "searchKey": "azurerm_windows_web_app[positive3-3]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined" + "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", @@ -117,6 +126,7 @@ "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json index 9ee999570cb..9ef7b6be976 100644 --- a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service_slot[positive1]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_web_app_slot[positive2]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_windows_web_app_slot[positive3]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json index a6ced035b7a..39d10196361 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[example4].site_config.php_version", "searchValue": "", "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", - "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest PHP Version", @@ -21,7 +22,8 @@ "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", "searchValue": "", "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", - "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest PHP Version", @@ -33,6 +35,7 @@ "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", "searchValue": "", "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", - "actualValue": "'php_version' is not the latest avaliable stable version (8.1)" + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json index 27ab98de006..f2157c2c33f 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[example4].site_config.python_version", "searchValue": "", "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", - "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest Python Version", @@ -21,7 +22,8 @@ "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.python_version", "searchValue": "", "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", - "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest Python Version", @@ -33,6 +35,7 @@ "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.python_version", "searchValue": "", "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", - "actualValue": "'python_version' is not the latest avaliable stable version (3.10)" + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json index 76eebda59ca..515467342db 100644 --- a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_service_fabric_cluster[positive1].azure_active_directory", "searchValue": "", "expectedValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' should be defined and not null", - "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null" + "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Azure Active Directory Authentication", @@ -21,6 +22,7 @@ "searchKey": "azurerm_service_fabric_cluster[positive2]", "searchValue": "", "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", - "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null" + "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json index 1bb23fe62e6..00779e22de2 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1-1]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined" + "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", - "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false" + "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", - "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false" + "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_app_service[positive1-4]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined" + "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_app_service[positive1-5]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined" + "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", - "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false" + "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -81,7 +87,8 @@ "searchKey": "azurerm_linux_web_app[positive2-1]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined" + "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -93,7 +100,8 @@ "searchKey": "azurerm_linux_web_app[positive2-2].client_certificate_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' should be set to true", - "actualValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' is set to false" + "actualValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -105,7 +113,8 @@ "searchKey": "azurerm_linux_web_app[positive2-3].client_certificate_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' or 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' is true", - "actualValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' and 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' are set to false" + "actualValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' and 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -117,7 +126,8 @@ "searchKey": "azurerm_linux_web_app[positive2-4]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-4].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined" + "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -129,7 +139,8 @@ "searchKey": "azurerm_windows_web_app[positive3-1]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined" + "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -141,7 +152,8 @@ "searchKey": "azurerm_windows_web_app[positive3-2].client_certificate_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' should be set to true", - "actualValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' is set to false" + "actualValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -153,7 +165,8 @@ "searchKey": "azurerm_windows_web_app[positive3-3].client_certificate_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' or 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' is true", - "actualValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' and 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' are set to false" + "actualValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' and 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", @@ -165,6 +178,7 @@ "searchKey": "azurerm_windows_web_app[positive3-4]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", - "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined" + "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json index 852e5369594..9f34d13c186 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", "searchValue": "", "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", - "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true" + "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Azure Cognitive Search Public Network Access Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_search_service[positive2]", "searchValue": "", "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null" + "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json index 754a67b9b53..b6343280a5c 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_role_assignment[positive1].role_definition_name", "searchValue": "", "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", - "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'" + "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Azure Container Registry With Broad Permissions", @@ -21,6 +22,7 @@ "searchKey": "azurerm_role_assignment[positive2].role_definition_id", "searchValue": "", "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", - "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'" + "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index 5559bd7ad67..ee602eb08ca 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_container_registry[acr]", "searchValue": "", "expectedValue": "'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'", - "actualValue": "'azurerm_container_registry[acr] scope' does not contain azurerm_management_lock'" + "actualValue": "'azurerm_container_registry[acr] scope' does not contain azurerm_management_lock'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json index 92d0ab2ff1c..b065095a38c 100644 --- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_frontdoor[positive].frontend_endpoint", "searchValue": "", "expectedValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' should be defined and not null", - "actualValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' is undefined or null" + "actualValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index f7834bb84c5..d3f0a8ee4da 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' is set to 'false'" + "actualValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive2].disable_password_authentication", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'" + "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", @@ -45,6 +48,7 @@ "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication", "searchValue": "", "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'", - "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'" + "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json index a74fa971921..aef1221ea1f 100644 --- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_data_protection_backup_vault[positive1]", "searchValue": "", "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled", - "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null" + "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Backup Vault Without Immutability", @@ -21,6 +22,7 @@ "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability", "searchValue": "", "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", - "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'" + "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json index b5bfbf55d1f..ab6c447c689 100644 --- a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_data_protection_backup_vault[positive].soft_delete", "searchValue": "", "expectedValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' should not be set to 'off'", - "actualValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' is set to 'off'" + "actualValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' is set to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json index 8320b9588b9..b9c4413aeac 100644 --- a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].blob_properties.delete_retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Blob Storage Without Soft Delete", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[positive2].blob_properties", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null" + "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Blob Storage Without Soft Delete", @@ -33,6 +35,7 @@ "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'", - "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'" + "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json index 4e6dd734eec..f2fa176aa39 100644 --- a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_container_app[positive]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json index 79d7eac8029..1e5dd8ee4f8 100644 --- a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_container_group[positive]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' and 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json index 8ff7a287bc6..b7aab152601 100644 --- a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_container_group[positive1]", "searchValue": "", "expectedValue": "'ip_address_type' should be set to 'Private'", - "actualValue": "'ip_address_type' is not defined" + "actualValue": "'ip_address_type' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", @@ -21,7 +22,8 @@ "searchKey": "azurerm_container_group[positive2].ip_address_type", "searchValue": "", "expectedValue": "'ip_address_type' should be set to 'Private'", - "actualValue": "'ip_address_type' is defined to 'Public'" + "actualValue": "'ip_address_type' is defined to 'Public'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Container Instances Not Using Private Virtual Networks", @@ -33,6 +35,7 @@ "searchKey": "azurerm_container_group[positive3].ip_address_type", "searchValue": "", "expectedValue": "'ip_address_type' should be set to 'Private'", - "actualValue": "'ip_address_type' is defined to 'None'" + "actualValue": "'ip_address_type' is defined to 'None'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json index fce7517c716..1df09ee4932 100644 --- a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].blob_properties.container_delete_retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Containers Without Soft Delete", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[positive2].blob_properties", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null" + "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Containers Without Soft Delete", @@ -33,6 +35,7 @@ "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'", - "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'" + "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json index c0795748e77..b81ad5c4908 100644 --- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_cosmosdb_account[positive1]", "searchValue": "", "expectedValue": "azurerm_cosmosdb_account[positive1].tags should be defined'", - "actualValue": "azurerm_cosmosdb_account[positive1].tags is undefined'" + "actualValue": "azurerm_cosmosdb_account[positive1].tags is undefined'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json index 55e88234f96..22ea67d8e9e 100644 --- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_cosmosdb_account[positive1].ip_range_filter", "searchValue": "", "expectedValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' should be set", - "actualValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' is undefined" + "actualValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json index 80d637ea683..f8995cebf67 100644 --- a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' should be set to false or undefined", - "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' is true" + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json index 17358bc32c4..31233566500 100644 --- a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_databricks_workspace[example_pos1]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", @@ -21,7 +22,8 @@ "searchKey": "azurerm_databricks_workspace[example_pos2]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'" + "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", @@ -33,7 +35,8 @@ "searchKey": "azurerm_databricks_workspace[example_pos3]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is associated with 4 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 1 category(s): 'notebook'" + "actualValue": "'azurerm_databricks_workspace' is associated with 4 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 1 category(s): 'notebook'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", @@ -45,7 +48,8 @@ "searchKey": "azurerm_databricks_workspace[example_pos4]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Diagnostic Logging Not Configured", @@ -57,6 +61,7 @@ "searchKey": "azurerm_databricks_workspace[example_pos5]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations", - "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'" + "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json index 1459e304643..42b4f66f88d 100644 --- a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_databricks_workspace[example_1]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[example_1].custom_parameters.virtual_network_id' should be defined and not empty", - "actualValue": "'azurerm_databricks_workspace[example_1].custom_parameters' is undefined or empty" + "actualValue": "'azurerm_databricks_workspace[example_1].custom_parameters' is undefined or empty", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Workspace Using Default Virtual Network", @@ -21,6 +22,7 @@ "searchKey": "azurerm_databricks_workspace[example_2].custom_parameters", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' should be defined and not null", - "actualValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' is undefined or null" + "actualValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json index 89f280ce726..f4b125c1fa2 100644 --- a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_databricks_workspace[positive1]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null", - "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null" + "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Workspace Without CMK", @@ -21,7 +22,8 @@ "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false" + "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Databricks Workspace Without CMK", @@ -33,7 +35,8 @@ "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false" + "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Databricks Workspace Without CMK", @@ -45,7 +48,8 @@ "searchKey": "azurerm_databricks_workspace[positive4]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' is undefined or null" + "actualValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Databricks Workspace Without CMK", @@ -57,6 +61,7 @@ "searchKey": "azurerm_databricks_workspace[positive5]", "searchValue": "", "expectedValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' should be defined and set to true", - "actualValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' is undefined or null" + "actualValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 47f102745d3..6dce666ede5 100644 --- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1].network_rules.default_action", "searchValue": "", "expectedValue": "azurerm_storage_account.network_rules.default_action should be set to 'Deny'", - "actualValue": "azurerm_storage_account.network_rules.default_action is set to 'Allow'" + "actualValue": "azurerm_storage_account.network_rules.default_action is set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account_network_rules[positive2].default_action", "searchValue": "", "expectedValue": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'", - "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'" + "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled", "searchValue": "", "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", - "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'" + "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", @@ -45,6 +48,7 @@ "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled", "searchValue": "", "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", - "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')" + "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json index f91439f890a..95536a8c0ee 100644 --- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -33,7 +35,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -45,7 +48,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -57,7 +61,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -69,7 +74,8 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -81,6 +87,7 @@ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]", "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories", - "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'" + "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json index e9f875bcb95..5e8285fe0d9 100644 --- a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_managed_disk[positive1]", "searchValue": "", "expectedValue": "'azurerm_managed_disk[positive1]' should set a 'disk_encryption_set_id' or 'secure_vm_disk_encryption_set_id'", - "actualValue": "'azurerm_managed_disk[positive1]' does not set a disk encryption id field" + "actualValue": "'azurerm_managed_disk[positive1]' does not set a disk encryption id field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json index ea1ef930a27..b18a896e329 100644 --- a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_security_center_contact[positive1].alert_notifications", "searchValue": "", "expectedValue": "'azurerm_security_center_contact.positive1.alert_notifications' should be true", - "actualValue": "'azurerm_security_center_contact.positive1.alert_notifications' is false" + "actualValue": "'azurerm_security_center_contact.positive1.alert_notifications' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json index 5b842ca330a..a01bdcd7b7f 100644 --- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled", "searchValue": "", "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true", - "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false" + "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Encryption On Managed Disk Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_managed_disk[positive2]", "searchValue": "", "expectedValue": "'azurerm_managed_disk[positive2].encryption_settings' should be defined and not null", - "actualValue": "'azurerm_managed_disk[positive2].encryption_settings' is undefined or null" + "actualValue": "'azurerm_managed_disk[positive2].encryption_settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Encryption On Managed Disk Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_managed_disk[positive3].encryption_settings", "searchValue": "", "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null", - "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}" + "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}", + "issueType": "IncorrectValue" }, { "queryName": "Encryption On Managed Disk Disabled", @@ -45,6 +48,7 @@ "searchKey": "azurerm_managed_disk[positive4].encryption_settings", "searchValue": "", "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null", - "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]" + "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json index 78ec920b971..022be120ee7 100644 --- a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - File Share Without Soft Delete", @@ -21,6 +22,7 @@ "searchKey": "azurerm_storage_account[positive2].share_properties", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null", - "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null" + "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json index e747a7e1905..0793bff0a62 100644 --- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_redis_firewall_rule[positive1].start_ip", "searchValue": "", "expectedValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' should allow no more than 255 hosts", - "actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts" + "actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json index 511f0616e90..f5bed1e0c53 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1-1]", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined", - "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined" + "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -21,7 +22,8 @@ "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_function_app[positive2-1]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined", - "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined" + "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -45,7 +48,8 @@ "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -81,7 +87,8 @@ "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -93,7 +100,8 @@ "searchKey": "azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -105,7 +113,8 @@ "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined", - "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined" + "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -117,7 +126,8 @@ "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -129,7 +139,8 @@ "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -141,7 +152,8 @@ "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Authentication Disabled", @@ -153,7 +165,8 @@ "searchKey": "azurerm_windows_function_app[positive3-5].auth_settings_v2", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", - "actualValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' is not defined" + "actualValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Authentication Disabled", @@ -165,6 +178,7 @@ "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'", - "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'" + "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json index a7bdc1b606c..7677e6c29af 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1-1]", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-1].client_cert_mode' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-1].client_cert_mode' is undefined or null" + "actualValue": "'azurerm_function_app[positive1-1].client_cert_mode' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Client Certificates Unrequired", @@ -21,7 +22,8 @@ "searchKey": "azurerm_function_app[positive1-2].client_cert_mode", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'", - "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'" + "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Client Certificates Unrequired", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_function_app[positive2-1]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null" + "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Client Certificates Unrequired", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_function_app[positive2-2].client_certificate_mode", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' should be set to 'Required'", - "actualValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' is not set to 'Required'" + "actualValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' is not set to 'Required'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Client Certificates Unrequired", @@ -57,7 +61,8 @@ "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null" + "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Client Certificates Unrequired", @@ -69,6 +74,7 @@ "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'", - "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'" + "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 85a6bc271be..ca859b9fd16 100644 --- a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", - "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" + "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version", @@ -21,6 +22,7 @@ "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher", - "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'" + "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json index 39787a060a1..fd732bd5e5b 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1-1].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" }, { "queryName": "Function App FTPS Enforce Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_function_app[positive1-2].site_config'", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' is undefined or null" + "actualValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App FTPS Enforce Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_function_app[positive1-3]'", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' is undefined or null" + "actualValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App FTPS Enforce Disabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_function_app[positive2].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" }, { "queryName": "Function App FTPS Enforce Disabled", @@ -57,6 +61,7 @@ "searchKey": "azurerm_windows_function_app[positive3].site_config.ftps_state", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", - "actualValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' is set to 'AllAllowed'" + "actualValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json index dd527f0ad35..ac87ccc1c85 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1-1]", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null" + "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_function_app[positive1-2].site_config", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_function_app[positive1-3].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_function_app[positive2-1]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null" + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_function_app[positive2-2].site_config", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_function_app[positive2-3].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_function_app[positive3-1]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null" + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", @@ -93,7 +100,8 @@ "searchKey": "azurerm_windows_function_app[positive3-2].site_config", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null" + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", @@ -105,6 +113,7 @@ "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", - "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false" + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json index 9f6f7ca3b96..1135d70385d 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1]", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1].identity' should be defined and not null", - "actualValue": "'azurerm_function_app[positive1].identity' is undefined or null" + "actualValue": "'azurerm_function_app[positive1].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Managed Identity Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_function_app[positive2]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2].identity' should be defined and not null", - "actualValue": "'azurerm_linux_function_app[positive2].identity' is undefined or null" + "actualValue": "'azurerm_linux_function_app[positive2].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Managed Identity Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_windows_function_app[positive3]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3].identity' should be defined and not null", - "actualValue": "'azurerm_windows_function_app[positive3].identity' is undefined or null" + "actualValue": "'azurerm_windows_function_app[positive3].identity' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index cb8dc13c9bb..baf4e891299 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'" + "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -21,7 +22,8 @@ "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", "searchValue": "", "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", - "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'" + "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_function_app[positive2-3].site_config", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' is not defined" + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_function_app[positive2-4]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[positive2-4].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined" + "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -93,7 +100,8 @@ "searchKey": "azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' should be set to '1.3'", - "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' is not set to '1.3'" + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -105,7 +113,8 @@ "searchKey": "azurerm_windows_function_app[positive3-3].site_config", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' is not defined" + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", @@ -117,6 +126,7 @@ "searchKey": "azurerm_windows_function_app[positive3-4]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[positive3-4].site_config.minimum_tls_version' should be defined and set to '1.3'", - "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined" + "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json index 51244779f67..12428b200b5 100644 --- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_server[positive1]", "searchValue": "", "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", - "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined" + "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Geo Redundancy Is Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", "searchValue": "", "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", - "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false" + "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json index fdabadd4f83..4e1a229abf0 100644 --- a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_key_vault_key[positive1]", "searchValue": "", "expectedValue": "'expiration_date' should exist", - "actualValue": "'expiration_date' is missing" + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json index 516d2a36d59..c04fe3a9410 100644 --- a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_key_vault[positive1].purge_protection_enabled", "searchValue": "", "expectedValue": "'purge_protection_enabled' field should be set to true", - "actualValue": "'purge_protection_enabled' is not set to true" + "actualValue": "'purge_protection_enabled' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Key Vault Purge Protection Is Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_key_vault[positive2]", "searchValue": "", "expectedValue": "'purge_protection_enabled' should be defined and set to true", - "actualValue": "'purge_protection_enabled' is not defined" + "actualValue": "'purge_protection_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json index 0739a212202..0ebb419b5a1 100644 --- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_key_vault_secret[positive]", "searchValue": "", "expectedValue": "'azurerm_key_vault_secret[positive].content_type' should be defined and not null", - "actualValue": "'azurerm_key_vault_secret[positive].content_type' is undefined or null" + "actualValue": "'azurerm_key_vault_secret[positive].content_type' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json index 93a60fd1403..32e166cce46 100644 --- a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_key_vault_key[positive1].key_type", "searchValue": "", "expectedValue": "'azurerm_key_vault_key[positive1].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", - "actualValue": "'azurerm_key_vault_key[positive1].key_type' is set to 'RSA'" + "actualValue": "'azurerm_key_vault_key[positive1].key_type' is set to 'RSA'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Key Vault Without HSM Protection", @@ -21,6 +22,7 @@ "searchKey": "azurerm_key_vault_key[positive2].key_type", "searchValue": "", "expectedValue": "'azurerm_key_vault_key[positive2].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", - "actualValue": "'azurerm_key_vault_key[positive2].key_type' is set to 'EC'" + "actualValue": "'azurerm_key_vault_key[positive2].key_type' is set to 'EC'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json index e3faac5991c..4dcacb1c04b 100644 --- a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_kubernetes_cluster[positive]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json index f9f689e41bc..106193284d7 100644 --- a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Log Retention Is Not Set", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Log Retention Is Not Set", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json index 521b01e54e4..c0752d18e93 100644 --- a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_logic_app_standard[positive]", "searchValue": "", "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json index 1c72a55b7d2..3a0319eba12 100644 --- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mariadb_server[positive].public_network_access_enabled", "searchValue": "", "expectedValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' should be set to false", - "actualValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' is not set to false" + "actualValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' is not set to false", + "issueType": "IncorrectValue" }, { "queryName": "MariaDB Server Public Network Access Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mariadb_server[positive2]", "searchValue": "", "expectedValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' should be defined and not null", - "actualValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' is undefined or null" + "actualValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json index 36090bec04b..a20b74bb6bd 100644 --- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mariadb_server[positive1].geo_redundant_backup_enabled", "searchValue": "", "expectedValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' should be set to true", - "actualValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' is set to false" + "actualValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "MariaDB Server Geo-redundant Backup Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mariadb_server[positive2]", "searchValue": "", "expectedValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' should be defined and set to true", - "actualValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' is undefined or null" + "actualValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 91babeb91cd..32b490dfb8b 100644 --- a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_mssql_server[positive1].minimum_tls_version", "searchValue": "", "expectedValue": "'minimum_tls_version' should be defined to '1.2'", - "actualValue": "'minimum_tls_version' is defined to '1.1'" + "actualValue": "'minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json index 7d3f9005860..f2f8cde8b2a 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mssql_server[example]", "searchValue": "", "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", - "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated" + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute" }, { "queryName": "MSSQL Server Auditing Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mssql_server[example]", "searchValue": "", "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", - "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated" + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json index aa4610e84bb..a16adfaa2f5 100644 --- a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mssql_server_security_alert_policy[positive1].disabled_alerts", "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' should be empty", - "actualValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' is not empty" + "actualValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "MSSQL Server Database With Alerts Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].state", "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' should be enabled", - "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled" + "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "MSSQL Server Database With Alerts Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_mssql_server[example]", "searchValue": "", "expectedValue": "Security alert policy should be defined and enabled", - "actualValue": "Security alert policy is undefined" + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json index 89ab1f6d079..0756178b902 100644 --- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mssql_server[positive1]", "searchValue": "", "expectedValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' should be defined and not null", - "actualValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' is undefined or null" + "actualValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "MSSQL Server Public Network Access Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mssql_server[positive2].public_network_access_enabled", "searchValue": "", "expectedValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' should be set to false", - "actualValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' is set to true" + "actualValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json index 5431c4b09cf..3155fa75f14 100644 --- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mysql_server[positive1]", "searchValue": "", "expectedValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' should be defined", - "actualValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' is undefined" + "actualValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server Public Access Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mysql_server[positive2].public_network_access_enabled", "searchValue": "", "expectedValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' should be set to false", - "actualValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' is set to true" + "actualValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index 56b951271d6..c27feed42d6 100644 --- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_mysql_server[positive1].ssl_enforcement_enabled", "searchValue": "", "expectedValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' should equal 'true'", - "actualValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' is equal 'false'" + "actualValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' is equal 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json index d13858fb296..b807d352786 100644 --- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_network_interface[positive].enable_ip_forwarding", "searchValue": "", "expectedValue": "'azurerm_network_interface[positive].enable_ip_forwarding' should be set to false or undefined", - "actualValue": "'azurerm_network_interface[positive].enable_ip_forwarding' is set to true" + "actualValue": "'azurerm_network_interface[positive].enable_ip_forwarding' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json index 5303ec34f32..3c22ccd471f 100644 --- a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_network_interface[positive].ip_configuration.public_ip_address_id", "searchValue": "", "expectedValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' should be undefined", - "actualValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' is defined" + "actualValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json index eb6aace7d7e..524de8d4743 100644 --- a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_network_watcher_flow_log[positive1].enable", "searchValue": "", "expectedValue": "azurerm_network_watcher_flow_log.enabled should be true", - "actualValue": "azurerm_network_watcher_flow_log.enabled is false" + "actualValue": "azurerm_network_watcher_flow_log.enabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index a407f8db2eb..b20bf51dff6 100644 --- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json index b804c0729f8..82acb9e3778 100644 --- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json index 3c28765b2aa..12f17c55ca6 100644 --- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json index 23a63868c9c..4f0d718b715 100644 --- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 517d31e5c16..f8d4156e16a 100644 --- a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_postgresql_server[negative2].minimum_tls_version", "searchValue": "", "expectedValue": "'ssl_minimal_tls_version_enforced' should be defined to 'TLS1_2'", - "actualValue": "'ssl_minimal_tls_version_enforced' is defined to 'TLS1_1'" + "actualValue": "'ssl_minimal_tls_version_enforced' is defined to 'TLS1_1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json index c00c73e4b7f..7259aa1e8c5 100644 --- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_server[positive1].infrastructure_encryption_enabled", "searchValue": "", "expectedValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' should be set to true", - "actualValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' is set to false" + "actualValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Infrastructure Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_postgresql_server[positive2]", "searchValue": "", "expectedValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' should be defined and set to true", - "actualValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' is undefined or null" + "actualValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json index eaaa64d6218..ec286844ce8 100644 --- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled", "searchValue": "", "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true", - "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false" + "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Threat Detection Policy Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_postgresql_server[positive2]", "searchValue": "", "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object", - "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null" + "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index a0d83f6a76f..5c18dcbbf77 100644 --- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -21,7 +22,8 @@ "searchKey": "azurerm_postgresql_configuration[positive2].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", @@ -33,6 +35,7 @@ "searchKey": "azurerm_postgresql_configuration[positive3].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", - "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'" + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json index 4cbea672242..049cd15757d 100644 --- a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules", "searchValue": "", "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0", - "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0" + "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0", + "issueType": "IncorrectValue" }, { "queryName": "Public Storage Account", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[positive2].network_rules", "searchValue": "", "expectedValue": "'network_rules.ip_rules' should be defined and not null", - "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null" + "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Public Storage Account", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account_network_rules[positive3].ip_rules", "searchValue": "", "expectedValue": "ip_rules[0] should not contain 0.0.0.0/0", - "actualValue": "ip_rules[0] contains 0.0.0.0/0" + "actualValue": "ip_rules[0] contains 0.0.0.0/0", + "issueType": "IncorrectValue" }, { "queryName": "Public Storage Account", @@ -45,7 +48,8 @@ "searchKey": "azurerm_storage_account_network_rules[positive4]", "searchValue": "", "expectedValue": "'ip_rules' should be defined and not null", - "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null" + "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Public Storage Account", @@ -57,6 +61,7 @@ "searchKey": "azurerm_storage_account[positive5].allow_blob_public_access", "searchValue": "", "expectedValue": "'allow_blob_public_access' should be set to false or undefined", - "actualValue": "'allow_blob_public_access' is set to true" + "actualValue": "'allow_blob_public_access' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json index eabe1ac3c5d..c6f55480aaa 100644 --- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -45,7 +48,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -57,7 +61,8 @@ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -69,7 +74,8 @@ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -81,7 +87,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -93,7 +100,8 @@ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -105,7 +113,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -117,7 +126,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389", - "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389" + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -129,7 +139,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -141,7 +152,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -153,7 +165,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -165,7 +178,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -177,7 +191,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -189,7 +204,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -201,7 +217,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -213,7 +230,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -225,7 +243,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Is Exposed To The Internet", @@ -237,6 +256,7 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 3389", - "actualValue": "'destination_port_range' might be 3389" + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json index b7e9068f382..08e8c7d153d 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_recovery_services_vault[positive1]", "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null" + "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Recovery Services Vault With Public Network Access", @@ -21,6 +22,7 @@ "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled", "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", - "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true" + "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json index da757697fdd..7dffc13926c 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_recovery_services_vault[positive1]", "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled", - "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null" + "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Recovery Services Vault Without Immutability", @@ -21,6 +22,7 @@ "searchKey": "azurerm_recovery_services_vault[positive2].immutability", "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", - "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'" + "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json index cf12c8fddb7..9a1c5136961 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_recovery_services_vault[positive].soft_delete_enabled", "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' should not be set to false", - "actualValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' is set to false" + "actualValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index e6ad11a14f1..6d16a5bbc9e 100644 --- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_redis_cache[positive1].enable_non_ssl_port", "searchValue": "", "expectedValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' should be set to false or undefined (false as default)", - "actualValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' is true" + "actualValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json index c9e44c26792..3026c335fe2 100644 --- a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_redis_cache[positive1]", "searchValue": "", "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", - "actualValue": "'identity' block is not defined" + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", @@ -21,6 +22,7 @@ "searchKey": "azurerm_redis_cache[positive2]", "searchValue": "", "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", - "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field" + "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json index c0a06065027..4e4b5d8f631 100644 --- a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_redis_cache[positive1].minimum_tls_version", "searchValue": "", "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", - "actualValue": "'minimum_tls_version' is defined to '1.1'" + "actualValue": "'minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version", @@ -21,6 +22,7 @@ "searchKey": "azurerm_redis_cache[positive2]", "searchValue": "", "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", - "actualValue": "'minimum_tls_version' is not defined" + "actualValue": "'minimum_tls_version' is not defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json index 2f28393dba9..81761fbb02e 100644 --- a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", "searchValue": "", "expectedValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip should not equal to '0.0.0.0'", - "actualValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip are equal to '0.0.0.0'" + "actualValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip are equal to '0.0.0.0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json index 86d4c053381..60850407fbb 100644 --- a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_redis_cache[positive1]", "searchValue": "", "expectedValue": "'azurerm_redis_cache[positive1].patch_schedule' should be defined and not null", - "actualValue": "'azurerm_redis_cache[positive1].patch_schedule' is undefined or null" + "actualValue": "'azurerm_redis_cache[positive1].patch_schedule' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json index 69793b960f5..a94b32362c2 100644 --- a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", "searchValue": "", "expectedValue": "'azurerm_redis_firewall_rule[positive2]' ip range should be private", - "actualValue": "'azurerm_redis_firewall_rule[positive2]' ip range is not private" + "actualValue": "'azurerm_redis_firewall_rule[positive2]' ip range is not private", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json index 0a106c65958..ba09c8ea710 100644 --- a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_subscription[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -21,7 +22,8 @@ "searchKey": "azurerm_subscription[positive1_2]", "searchValue": "", "expectedValue": "'azurerm_subscription[positive1_2]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_subscription[positive1_2]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_subscription[positive1_2]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -33,7 +35,8 @@ "searchKey": "azurerm_key_vault[pos_example]", "searchValue": "", "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -45,7 +48,8 @@ "searchKey": "azurerm_application_gateway[pos_example]", "searchValue": "", "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -57,7 +61,8 @@ "searchKey": "azurerm_firewall[pos_example]", "searchValue": "", "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -69,7 +74,8 @@ "searchKey": "azurerm_lb[pos_example]", "searchValue": "", "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -81,7 +87,8 @@ "searchKey": "azurerm_public_ip[pos_example]", "searchValue": "", "expectedValue": "'azurerm_public_ip[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_public_ip[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_public_ip[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -93,7 +100,8 @@ "searchKey": "azurerm_frontdoor[pos_example]", "searchValue": "", "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -105,7 +113,8 @@ "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]", "searchValue": "", "expectedValue": "'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -117,7 +126,8 @@ "searchKey": "azurerm_cdn_frontdoor_endpoint[pos_example]", "searchValue": "", "expectedValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -129,7 +139,8 @@ "searchKey": "azurerm_cdn_profile[pos_example]", "searchValue": "", "expectedValue": "'azurerm_cdn_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_cdn_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -141,7 +152,8 @@ "searchKey": "azurerm_cdn_endpoint[pos_example]", "searchValue": "", "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -153,7 +165,8 @@ "searchKey": "azurerm_storage_account[pos_example]", "searchValue": "", "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -165,7 +178,8 @@ "searchKey": "azurerm_mssql_server[pos_example]", "searchValue": "", "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -177,7 +191,8 @@ "searchKey": "azurerm_mssql_managed_instance[pos_example]", "searchValue": "", "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -189,7 +204,8 @@ "searchKey": "azurerm_mssql_database[pos_example]", "searchValue": "", "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -201,7 +217,8 @@ "searchKey": "azurerm_cosmosdb_account[pos_example]", "searchValue": "", "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -213,7 +230,8 @@ "searchKey": "azurerm_linux_web_app[pos_example]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_linux_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_linux_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -225,7 +243,8 @@ "searchKey": "azurerm_windows_web_app[pos_example]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -237,7 +256,8 @@ "searchKey": "azurerm_linux_function_app[pos_example]", "searchValue": "", "expectedValue": "'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -249,7 +269,8 @@ "searchKey": "azurerm_windows_function_app[pos_example]", "searchValue": "", "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -261,7 +282,8 @@ "searchKey": "azurerm_kubernetes_cluster[pos_example]", "searchValue": "", "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -273,7 +295,8 @@ "searchKey": "azurerm_eventhub_namespace[pos_example]", "searchValue": "", "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -285,7 +308,8 @@ "searchKey": "azurerm_servicebus_namespace[pos_example]", "searchValue": "", "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -297,7 +321,8 @@ "searchKey": "azurerm_container_registry[pos_example]", "searchValue": "", "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", @@ -309,6 +334,7 @@ "searchKey": "azurerm_api_management[pos_example]", "searchValue": "", "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json index a3e9ec8e4fa..e7ce302849e 100644 --- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_role_assignment[example].role_definition_id", "searchValue": "", "expectedValue": "azurerm_role_assignment[example].role_definition_id limits guest user permissions", - "actualValue": "azurerm_role_assignment[example].role_definition_id does not limit guest user permissions" + "actualValue": "azurerm_role_assignment[example].role_definition_id does not limit guest user permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 5235694e919..d8f73a2a4eb 100644 --- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_role_definition[example2].permissions.actions", "searchValue": "", "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", - "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation" + "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation", + "issueType": "IncorrectValue" }, { "queryName": "Role Definition Allows Custom Role Creation", @@ -21,6 +22,7 @@ "searchKey": "azurerm_role_definition[example].permissions.actions", "searchValue": "", "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", - "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation" + "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json index 4cb2b292e08..5e85dc650ca 100644 --- a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_key_vault_secret[positive1]", "searchValue": "", "expectedValue": "'expiration_date' should exist", - "actualValue": "'expiration_date' is missing" + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json index 42168377f15..0e0ccd61505 100644 --- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_security_center_subscription_pricing[positive1].tier", "searchValue": "", "expectedValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Standard'", - "actualValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Free'" + "actualValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Free'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json index b3e43cc4697..43c152e4301 100644 --- a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_security_center_contact[positive]", "searchValue": "", "expectedValue": "'azurerm_security_center_contact[positive].email' should be defined and not null", - "actualValue": "'azurerm_security_center_contact[positive].email' is undefined or null" + "actualValue": "'azurerm_security_center_contact[positive].email' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json index c528f8591be..80a2286cc82 100644 --- a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azure_virtual_network[positive1].subnet", "searchValue": "", "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", - "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null" + "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", @@ -21,6 +22,7 @@ "searchKey": "azure_virtual_network[positive2].subnet.security_group", "searchValue": "", "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", - "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty" + "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index d3624caf085..10142964e78 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "UDP,61621", "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP61621) is allowed" + "actualValue": "Cassandra OpsCenter (UDP61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -45,7 +48,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -57,7 +61,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -69,7 +74,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -81,7 +87,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -93,7 +100,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -105,7 +113,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -117,7 +126,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -129,7 +139,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -141,7 +152,8 @@ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -153,7 +165,8 @@ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -165,7 +178,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -177,7 +191,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -189,7 +204,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -201,7 +217,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -213,7 +230,8 @@ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -225,7 +243,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -237,7 +256,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -249,7 +269,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,80", "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP80) is allowed" + "actualValue": "HTTP (UDP80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -261,7 +282,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP138) is allowed" + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -273,7 +295,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP23) is allowed" + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -285,7 +308,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,20", "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP20) is allowed" + "actualValue": "FTP (TCP20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -297,7 +321,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP21) is allowed" + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -309,7 +334,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP137) is allowed" + "actualValue": "NetBIOS Name Service (TCP137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -321,7 +347,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP22) is allowed" + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -333,7 +360,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP53) is allowed" + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -345,7 +373,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,20", "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP20) is allowed" + "actualValue": "FTP (UDP20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -357,7 +386,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,135", "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP135) is allowed" + "actualValue": "MSSQL Debugger (UDP135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -369,7 +399,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP138) is allowed" + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -381,7 +412,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,110", "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP110) is allowed" + "actualValue": "POP3 (TCP110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -393,7 +425,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP22) is allowed" + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -405,7 +438,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,53", "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP53) is allowed" + "actualValue": "DNS (TCP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -417,7 +451,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,80", "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP80) is allowed" + "actualValue": "HTTP (TCP80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -429,7 +464,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP25) is allowed" + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -441,7 +477,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP25) is allowed" + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -453,7 +490,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP21) is allowed" + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -465,7 +503,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP135) is allowed" + "actualValue": "MSSQL Debugger (TCP135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -477,7 +516,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP137) is allowed" + "actualValue": "NetBIOS Name Service (UDP137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -489,7 +529,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP139) is allowed" + "actualValue": "NetBIOS Session Service (UDP139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -501,7 +542,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP110) is allowed" + "actualValue": "POP3 (UDP110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -513,7 +555,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP139) is allowed" + "actualValue": "NetBIOS Session Service (TCP139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", @@ -525,6 +568,7 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP23) is allowed" + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 310efd0159c..86acfa28b0a 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "UDP,61621", "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -45,7 +48,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -57,7 +61,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -69,7 +74,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -81,7 +87,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -93,7 +100,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -105,7 +113,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -117,7 +126,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -129,7 +139,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -141,7 +152,8 @@ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -153,7 +165,8 @@ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -165,7 +178,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -177,7 +191,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -189,7 +204,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -201,7 +217,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -213,7 +230,8 @@ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -225,7 +243,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -237,7 +256,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -249,7 +269,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,135", "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -261,7 +282,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -273,7 +295,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,80", "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -285,7 +308,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -297,7 +321,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,20", "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -309,7 +334,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,20", "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -321,7 +347,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -333,7 +360,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -345,7 +373,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -357,7 +386,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -369,7 +399,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -381,7 +412,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -393,7 +425,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -405,7 +438,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -417,7 +451,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -429,7 +464,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -441,7 +477,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,80", "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -453,7 +490,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -465,7 +503,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -477,7 +516,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -489,7 +529,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,53", "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -501,7 +542,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -513,7 +555,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP,139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", @@ -525,6 +568,7 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP,110", "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 50de9fc5c1d..a74e5c24baf 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "UDP:61621", "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", - "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed" + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP:25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -45,7 +48,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -57,7 +61,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -69,7 +74,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP:22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -81,7 +87,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP:21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -93,7 +100,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -105,7 +113,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "TCP:21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -117,7 +126,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -129,7 +139,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -141,7 +152,8 @@ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -153,7 +165,8 @@ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -165,7 +178,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP:25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -177,7 +191,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP:22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -189,7 +204,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -201,7 +217,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -213,7 +230,8 @@ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -225,7 +243,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -237,7 +256,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -249,7 +269,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:22", "expectedValue": "SSH (UDP:22) should not be allowed", - "actualValue": "SSH (UDP:22) is allowed" + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -261,7 +282,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:23", "expectedValue": "Telnet (UDP:23) should not be allowed", - "actualValue": "Telnet (UDP:23) is allowed" + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -273,7 +295,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:21", "expectedValue": "FTP (UDP:21) should not be allowed", - "actualValue": "FTP (UDP:21) is allowed" + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -285,7 +308,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:80", "expectedValue": "HTTP (UDP:80) should not be allowed", - "actualValue": "HTTP (UDP:80) is allowed" + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -297,7 +321,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:21", "expectedValue": "FTP (TCP:21) should not be allowed", - "actualValue": "FTP (TCP:21) is allowed" + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -309,7 +334,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:138", "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -321,7 +347,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:137", "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (UDP:137) is allowed" + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -333,7 +360,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:110", "expectedValue": "POP3 (UDP:110) should not be allowed", - "actualValue": "POP3 (UDP:110) is allowed" + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -345,7 +373,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:20", "expectedValue": "FTP (TCP:20) should not be allowed", - "actualValue": "FTP (TCP:20) is allowed" + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -357,7 +386,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:135", "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", - "actualValue": "MSSQL Debugger (TCP:135) is allowed" + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -369,7 +399,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:138", "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", - "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed" + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -381,7 +412,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:110", "expectedValue": "POP3 (TCP:110) should not be allowed", - "actualValue": "POP3 (TCP:110) is allowed" + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -393,7 +425,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:53", "expectedValue": "DNS (UDP:53) should not be allowed", - "actualValue": "DNS (UDP:53) is allowed" + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -405,7 +438,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:80", "expectedValue": "HTTP (TCP:80) should not be allowed", - "actualValue": "HTTP (TCP:80) is allowed" + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -417,7 +451,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:23", "expectedValue": "Telnet (TCP:23) should not be allowed", - "actualValue": "Telnet (TCP:23) is allowed" + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -429,7 +464,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:139", "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (TCP:139) is allowed" + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -441,7 +477,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:139", "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", - "actualValue": "NetBIOS Session Service (UDP:139) is allowed" + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -453,7 +490,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:22", "expectedValue": "SSH (TCP:22) should not be allowed", - "actualValue": "SSH (TCP:22) is allowed" + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -465,7 +503,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:20", "expectedValue": "FTP (UDP:20) should not be allowed", - "actualValue": "FTP (UDP:20) is allowed" + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -477,7 +516,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:137", "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", - "actualValue": "NetBIOS Name Service (TCP:137) is allowed" + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -489,7 +529,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:53", "expectedValue": "DNS (TCP:53) should not be allowed", - "actualValue": "DNS (TCP:53) is allowed" + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -501,7 +542,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:135", "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", - "actualValue": "MSSQL Debugger (UDP:135) is allowed" + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -513,7 +555,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "TCP:25", "expectedValue": "SMTP (TCP:25) should not be allowed", - "actualValue": "SMTP (TCP:25) is allowed" + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", @@ -525,6 +568,7 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "UDP:25", "expectedValue": "SMTP (UDP:25) should not be allowed", - "actualValue": "SMTP (UDP:25) is allowed" + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json index 3b8bf0a3a2f..a499967b128 100644 --- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -21,7 +22,8 @@ "searchKey": "azurerm_windows_web_app[positive1_2]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_web_app[positive1_3]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_linux_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_linux_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -45,7 +48,8 @@ "searchKey": "azurerm_batch_account[positive1_4]", "searchValue": "", "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -57,7 +61,8 @@ "searchKey": "azurerm_eventhub[positive1_5]", "searchValue": "", "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -69,7 +74,8 @@ "searchKey": "azurerm_storage_account[positive1_6]", "searchValue": "", "expectedValue": "'azurerm_storage_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_storage_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_storage_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -81,7 +87,8 @@ "searchKey": "azurerm_iothub[positive1_7]", "searchValue": "", "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -93,7 +100,8 @@ "searchKey": "azurerm_search_service[positive1_8]", "searchValue": "", "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -105,7 +113,8 @@ "searchKey": "azurerm_servicebus_namespace[positive1_9]", "searchValue": "", "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -117,7 +126,8 @@ "searchKey": "azurerm_stream_analytics_job[positive1_10]", "searchValue": "", "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -129,7 +139,8 @@ "searchKey": "azurerm_application_gateway[positive1_11]", "searchValue": "", "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -141,7 +152,8 @@ "searchKey": "azurerm_logic_app_standard[positive1_12]", "searchValue": "", "expectedValue": "'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -153,7 +165,8 @@ "searchKey": "azurerm_data_lake_analytics_account[positive2_1]", "searchValue": "", "expectedValue": "'azurerm_data_lake_analytics_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_data_lake_analytics_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_data_lake_analytics_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", @@ -165,6 +178,7 @@ "searchKey": "azurerm_data_lake_store[positive2_2]", "searchValue": "", "expectedValue": "'azurerm_data_lake_store' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", - "actualValue": "'azurerm_data_lake_store' is not associated with a 'azurerm_monitor_diagnostic_setting' resource" + "actualValue": "'azurerm_data_lake_store' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json index 56caad58ce1..215fdf67561 100644 --- a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_monitor_log_profile[positive1].retention_policy.days", "searchValue": "", "expectedValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' should be greater than or equal to 365 days or 0 (indefinitely)", - "actualValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' is less than 365 days or different than 0 (indefinitely)" + "actualValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue" }, { "queryName": "Small Activity Log Retention Period", @@ -21,7 +22,8 @@ "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", "searchValue": "", "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", - "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null" + "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Small Activity Log Retention Period", @@ -33,6 +35,7 @@ "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", "searchValue": "", "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", - "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false" + "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json index 9d91e3ce741..3e49e0281e7 100644 --- a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", "searchValue": "", "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", - "actualValue": "'retention_policy.days' is less than 90 [89])" + "actualValue": "'retention_policy.days' is less than 90 [89])", + "issueType": "IncorrectValue" }, { "queryName": "Small Flow Logs Retention Period", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_watcher_flow_log[positive2].retention_policy.days", "searchValue": "", "expectedValue": "'positive2.retention_policy.days' should be bigger than 90)", - "actualValue": "'retention_policy.days' is less than 90 [3])" + "actualValue": "'retention_policy.days' is less than 90 [3])", + "issueType": "IncorrectValue" }, { "queryName": "Small Flow Logs Retention Period", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_watcher_flow_log[positive3]", "searchValue": "", "expectedValue": "'positive3.retention_policy' should exist)", - "actualValue": "'positive3.retention_policy' doesn't exist)" + "actualValue": "'positive3.retention_policy' doesn't exist)", + "issueType": "MissingAttribute" }, { "queryName": "Small Flow Logs Retention Period", @@ -45,6 +48,7 @@ "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", "searchValue": "", "expectedValue": "'positive4.retention_policy' should be enabled)", - "actualValue": "'positive4.retention_policy' is disabled)" + "actualValue": "'positive4.retention_policy' is disabled)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json index c48a6bad891..f73a0eac754 100644 --- a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", "searchValue": "", "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", - "actualValue": "extended_auditing_policy.retention_in_days is not defined" + "actualValue": "extended_auditing_policy.retention_in_days is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", @@ -21,7 +22,8 @@ "searchKey": "azurerm_sql_database[positive2].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 90" + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", @@ -33,7 +35,8 @@ "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 0" + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", @@ -45,6 +48,7 @@ "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 20" + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json index 8bb815e7ab7..f2fe0fe6a13 100644 --- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 6" + "actualValue": "'extended_auditing_policy.retention_in_days' is 6", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", @@ -21,7 +22,8 @@ "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 90" + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", @@ -33,7 +35,8 @@ "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 0" + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", @@ -45,6 +48,7 @@ "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", "searchValue": "", "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", - "actualValue": "'extended_auditing_policy.retention_in_days' is 20" + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json index 72fb759a8fb..2bc35c7c8d9 100644 --- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_postgresql_configuration[positive1].value", "searchValue": "", "expectedValue": "'azurerm_postgresql_configuration[positive1].value' is greater than 3 and less than 8", - "actualValue": "'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)" + "actualValue": "'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json index 4c9abb5934d..7e1d38fbe80 100644 --- a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_database[positive4].threat_detection_policy.state", "searchValue": "", "expectedValue": "'threat_detection_policy.state' equal 'Enabled'", - "actualValue": "'threat_detection_policy.state' equal 'Disabled'" + "actualValue": "'threat_detection_policy.state' equal 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Audit Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_sql_database[positive5].threat_detection_policy", "searchValue": "", "expectedValue": "'threat_detection_policy' should exist", - "actualValue": "'threat_detection_policy' is missing" + "actualValue": "'threat_detection_policy' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json index ad97f8258d8..7bc9cf24a45 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_mssql_database[example].transparent_data_encryption_enabled", "searchValue": "", "expectedValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' should be set to 'true'", - "actualValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' is set to 'false'" + "actualValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json index e3b739b4596..44123935310 100644 --- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_mssql_server_security_alert_policy[positive1]", "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' should be defined", - "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined" + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Alert Email Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", "searchValue": "", "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", - "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false" + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json index 88786df09c2..ee9e82e96fb 100644 --- a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_sql_server[positive1]", "searchValue": "", "expectedValue": "'azurerm_sql_server.positive1.extended_auditing_policy' should exist", - "actualValue": "'azurerm_sql_server.positive1.extended_auditing_policy' does not exist" + "actualValue": "'azurerm_sql_server.positive1.extended_auditing_policy' does not exist", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 468de3a191b..257265fafea 100644 --- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_firewall_rule[positive1]", "searchValue": "", "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", @@ -21,7 +22,8 @@ "searchKey": "azurerm_mssql_firewall_rule[positive1]", "searchValue": "", "expectedValue": "azurerm_mssql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_mssql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_mssql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", @@ -33,7 +35,8 @@ "searchKey": "azurerm_mariadb_firewall_rule[example]", "searchValue": "", "expectedValue": "azurerm_mariadb_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_mariadb_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_mariadb_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", @@ -45,7 +48,8 @@ "searchKey": "azurerm_postgresql_firewall_rule[example]", "searchValue": "", "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", @@ -57,7 +61,8 @@ "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", "searchValue": "", "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", @@ -69,6 +74,7 @@ "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", "searchValue": "", "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", - "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255" + "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index ca094f36ca7..1163eaaa27f 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_active_directory_administrator[positive3].login", "searchValue": "", "expectedValue": "'azurerm_sql_active_directory_administrator[positive3].login' should not be empty'", - "actualValue": "'azurerm_sql_active_directory_administrator[positive3].login' is empty" + "actualValue": "'azurerm_sql_active_directory_administrator[positive3].login' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", @@ -21,6 +22,7 @@ "searchKey": "azurerm_sql_active_directory_administrator[positive4].login", "searchValue": "", "expectedValue": "'azurerm_sql_active_directory_administrator[positive4].login' should not be predictable'", - "actualValue": "'azurerm_sql_active_directory_administrator[positive4].login' is predictable" + "actualValue": "'azurerm_sql_active_directory_administrator[positive4].login' is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index c70a25e5c41..ceba7882239 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_server[positive3].administrator_login", "searchValue": "", "expectedValue": "'azurerm_sql_server[positive3].administrator_login' should not be empty'", - "actualValue": "'azurerm_sql_server[positive3].administrator_login' is empty" + "actualValue": "'azurerm_sql_server[positive3].administrator_login' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", @@ -21,6 +22,7 @@ "searchKey": "azurerm_sql_server[positive4].administrator_login", "searchValue": "", "expectedValue": "'azurerm_sql_server[positive4].administrator_login' should not be predictable'", - "actualValue": "'azurerm_sql_server[positive4].administrator_login' is predictable" + "actualValue": "'azurerm_sql_server[positive4].administrator_login' is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json index bdef12452de..54d23e10f66 100644 --- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -21,7 +22,8 @@ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -33,7 +35,8 @@ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -45,7 +48,8 @@ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -57,7 +61,8 @@ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -69,7 +74,8 @@ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -81,7 +87,8 @@ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -93,7 +100,8 @@ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -105,7 +113,8 @@ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -117,7 +126,8 @@ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", "searchValue": "", "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22", - "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22" + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -129,7 +139,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -141,7 +152,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -153,7 +165,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -165,7 +178,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -177,7 +191,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -189,7 +204,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -201,7 +217,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -213,7 +230,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -225,7 +243,8 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", @@ -237,6 +256,7 @@ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", "searchValue": "", "expectedValue": "'destination_port_range' cannot be 22", - "actualValue": "'destination_port_range' might be 22" + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index 718cba9c4af..a7af4ec274d 100644 --- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_postgresql_server[positive1].ssl_enforcement_enabled", "searchValue": "", "expectedValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' should equal 'true'", - "actualValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' is equal 'false'" + "actualValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "SSL Enforce Disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_postgresql_server[positive2].ssl_enforcement_enabled", "searchValue": "", "expectedValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' should equal 'true'", - "actualValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' is not defined" + "actualValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 2e17e562801..a859ed03eec 100644 --- a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only", "searchValue": "", "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'", - "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'" + "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[example2]", "searchValue": "", "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", - "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists" + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled", "searchValue": "", "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'", - "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'" + "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", @@ -45,6 +48,7 @@ "searchKey": "azurerm_storage_account[example2]", "searchValue": "", "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", - "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists" + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json index afefea58f0c..124a2fefaa0 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[positive2].share_properties", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null" + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account[positive3].share_properties.smb", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' is undefined or null" + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -45,7 +48,8 @@ "searchKey": "azurerm_storage_account[positive4].share_properties.smb.versions", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null" + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -57,7 +61,8 @@ "searchKey": "azurerm_storage_account[positive5].share_properties.smb.versions", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)" + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -69,6 +74,7 @@ "searchKey": "azurerm_storage_account[positive6].share_properties.smb.versions", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", - "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)" + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index e10e07298fe..ae0bf5a4813 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_account[positive2].min_tls_version", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].min_tls_version' is 'TLS1_2'", - "actualValue": "'azurerm_storage_account[positive2].min_tls_version' is not 'TLS1_2'" + "actualValue": "'azurerm_storage_account[positive2].min_tls_version' is not 'TLS1_2'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json index f3023001b45..55a4af632b0 100644 --- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[positive2].share_properties", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null" + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account[positive3].share_properties.smb", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' is undefined or null" + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -45,7 +48,8 @@ "searchKey": "azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null" + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -57,7 +61,8 @@ "searchKey": "azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)" + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -69,6 +74,7 @@ "searchKey": "azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", - "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)" + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json index 6825db819a6..2a8cba91ba7 100644 --- a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_account[positive1].cross_tenant_replication_enabled", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' should be set to false", - "actualValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' is set to true" + "actualValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json index 579dfd25c5a..59be052fe26 100644 --- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[positive1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", - "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null" + "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account With Shared Access Key", @@ -21,6 +22,7 @@ "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", - "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'" + "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json index 61dfca38b3b..f026c8c8303 100644 --- a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_account[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[positive1_1] must be associated with a 'azurerm_storage_account_customer_managed_key' resource and the block 'customer_managed_key' should be set", - "actualValue": "'azurerm_storage_account[positive1_1] is not associated with a 'azurerm_storage_account_customer_managed_key' resource and the 'customer_managed_key' block is undefined or null" + "actualValue": "'azurerm_storage_account[positive1_1] is not associated with a 'azurerm_storage_account_customer_managed_key' resource and the 'customer_managed_key' block is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 0f881fb68f5..49ddd510ec1 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account[example_pos1]", "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'" + "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -21,7 +22,8 @@ "searchKey": "azurerm_storage_account[example_pos2]", "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'" + "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -33,7 +35,8 @@ "searchKey": "azurerm_storage_account[example_pos3]", "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'" + "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -45,7 +48,8 @@ "searchKey": "azurerm_storage_account[example_pos4]", "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'" + "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -57,6 +61,7 @@ "searchKey": "azurerm_storage_account[example_pos5]", "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", - "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'" + "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 4dd402a0587..ebc4fa215f0 100644 --- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_container[positive1].container_access_type", "searchValue": "", "expectedValue": "'container_access_type' should equal to 'private'", - "actualValue": "'container_access_type' is not equal to 'private'" + "actualValue": "'container_access_type' is not equal to 'private'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json index 8b51c3de3a3..ed550f732aa 100644 --- a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions", "searchValue": "", "expectedValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions should not allow all ACL permissions", - "actualValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions allows all ACL permissions" + "actualValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions allows all ACL permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json index f3b56d753c9..7de50858638 100644 --- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_storage_table[table_resource].acl.permissions", "searchValue": "", "expectedValue": "azurerm_storage_table[table_resource].acl.permissions should not allow all ACL permissions", - "actualValue": "azurerm_storage_table[table_resource].acl.permissions allows all ACL permissions" + "actualValue": "azurerm_storage_table[table_resource].acl.permissions allows all ACL permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 7e2f5ed8a68..c2dd967ea0f 100644 --- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_storage_account_network_rules[positive1].bypass", "searchValue": "", "expectedValue": "'bypass' should contain 'AzureServices'", - "actualValue": "'bypass' does not contain 'AzureServices'" + "actualValue": "'bypass' does not contain 'AzureServices'", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_storage_account[positive2].network_rules.bypass", "searchValue": "", "expectedValue": "'network_rules.bypass' should contain 'AzureServices'", - "actualValue": "'network_rules.bypass' does not contain 'AzureServices'" + "actualValue": "'network_rules.bypass' does not contain 'AzureServices'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json index dc2725a133e..6a4e69e5984 100644 --- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -21,7 +22,8 @@ "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -33,7 +35,8 @@ "searchKey": "azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -45,7 +48,8 @@ "searchKey": "azurerm_mssql_firewall_rule[positive3].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -57,7 +61,8 @@ "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -69,7 +74,8 @@ "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -81,7 +87,8 @@ "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -93,7 +100,8 @@ "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -105,7 +113,8 @@ "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -117,7 +126,8 @@ "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -129,7 +139,8 @@ "searchKey": "azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -141,7 +152,8 @@ "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -153,7 +165,8 @@ "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -165,7 +178,8 @@ "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -177,7 +191,8 @@ "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -189,7 +204,8 @@ "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -201,7 +217,8 @@ "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", - "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256" + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", @@ -213,6 +230,7 @@ "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", "searchValue": "", "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", - "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'" + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json index 572ea2bb01b..48f39578b63 100644 --- a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_role_assignment[positive1].role_definition_name", "searchValue": "", "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", - "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "azurerm_role_assignment[positive2].role_definition_id", "searchValue": "", "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", - "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", @@ -33,7 +35,8 @@ "searchKey": "azurerm_role_assignment[positive3].role_definition_name", "searchValue": "", "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", - "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", @@ -45,7 +48,8 @@ "searchKey": "azurerm_role_assignment[positive4].role_definition_id", "searchValue": "", "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", - "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", @@ -57,7 +61,8 @@ "searchKey": "azurerm_role_assignment[positive5].role_definition_name", "searchValue": "", "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", - "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'" + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", @@ -69,6 +74,7 @@ "searchKey": "azurerm_role_assignment[positive6].role_definition_id", "searchValue": "", "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", - "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role." + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json index ad756c56662..2a094d441be 100644 --- a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_key_vault[example1]", "searchValue": "", "expectedValue": "'azurerm_key_vault' should be associated with 'azurerm_monitor_diagnostic_setting'", - "actualValue": "'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'" + "actualValue": "'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json index 2a13f8bc1b5..7d1b073ee74 100644 --- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_virtual_network[positive1]", "searchValue": "", "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' should be defined and not null", - "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' is undefined or null" + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Virtual Network with DDoS Protection Plan disabled", @@ -21,6 +22,7 @@ "searchKey": "azurerm_virtual_network[positive1].ddos_protection_plan.enable", "searchValue": "", "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' should be set to true", - "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' is set to false" + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json index 16edfac11ba..65dea32711c 100644 --- a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "azurerm_virtual_machine[positive1].network_interface_ids", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list should not be empty", - "actualValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list is empty" + "actualValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json index 1bb544b86ad..4ddf0825d0c 100644 --- a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'" + "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Automatic Updates Disabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive2].automatic_updates_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' should be set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' is set to 'false'" + "actualValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Automatic Updates Disabled", @@ -33,6 +35,7 @@ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' should be set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'" + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json index 1cea3e387fe..fb22c202543 100644 --- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_2].allow_extension_operations", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' is set to 'true'" + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' is set to 'true'" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -57,7 +61,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive3_1]", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null" + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -69,7 +74,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive3_2].allow_extension_operations", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'" + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null" + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", @@ -93,6 +100,7 @@ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'" + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json index edff4848e9b..0330d390752 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_2].admin_ssh_key", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1].public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -57,7 +61,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -69,7 +74,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -81,7 +87,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0].public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -93,7 +100,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1].public_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", @@ -105,6 +113,7 @@ "searchKey": "azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key.public_key' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json index da2bce90227..f2d66b38026 100644 --- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -21,7 +22,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'" + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'" + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -57,7 +61,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive3_1]", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' is undefined or null" + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -69,7 +74,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'" + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -81,7 +87,8 @@ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' is undefined or null" + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -93,6 +100,7 @@ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", - "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'" + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json index 88364de5d2c..41213e66efc 100644 --- a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_virtual_machine[positive1]", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive1].storage_os_disk' should be defined and not null", - "actualValue": "'azurerm_virtual_machine[positive1].storage_os_disk' is undefined or null" + "actualValue": "'azurerm_virtual_machine[positive1].storage_os_disk' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", @@ -21,7 +22,8 @@ "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set", - "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set" + "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", @@ -33,7 +35,8 @@ "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", - "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" + "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_virtual_machine[positive2]", "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' should be defined and not null", - "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null" + "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", @@ -57,7 +61,8 @@ "searchKey": "azurerm_windows_virtual_machine[positive3]", "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' should be defined and not null", - "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null" + "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", @@ -69,7 +74,8 @@ "searchKey": "azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers", "searchValue": "", "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' should not be set", - "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set" + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", @@ -81,7 +87,8 @@ "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk", "searchValue": "", "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null", - "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null" + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", @@ -93,7 +100,8 @@ "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set", - "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set" + "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", @@ -105,6 +113,7 @@ "searchKey": "azurerm_virtual_machine[positive6].storage_os_disk", "searchValue": "", "expectedValue": "'azurerm_virtual_machine[positive6].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", - "actualValue": "'azurerm_virtual_machine[positive6].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'" + "actualValue": "'azurerm_virtual_machine[positive6].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json index d96c7a5700e..9c85a4f7958 100644 --- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_application_gateway[positive1].waf_configuration.enabled", "searchValue": "", "expectedValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is true", - "actualValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is false" + "actualValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "WAF Is Disabled For Azure Application Gateway", @@ -21,6 +22,7 @@ "searchKey": "azurerm_application_gateway[positive2]", "searchValue": "", "expectedValue": "'azurerm_application_gateway[positive2]' should be set", - "actualValue": "'azurerm_application_gateway[positive2]' is undefined" + "actualValue": "'azurerm_application_gateway[positive2]' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json index 7145270bf15..edada78b86b 100644 --- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "azurerm_app_service[positive1-1].https_only", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-1].https_only' should be set to true", - "actualValue": "'azurerm_app_service[positive1-1].https_only' is not set to true" + "actualValue": "'azurerm_app_service[positive1-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -21,7 +22,8 @@ "searchKey": "azurerm_app_service[positive1-2]", "searchValue": "", "expectedValue": "'azurerm_app_service[positive1-2].https_only' should be defined and set to true", - "actualValue": "'azurerm_app_service[positive1-2].https_only' is undefined" + "actualValue": "'azurerm_app_service[positive1-2].https_only' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -33,7 +35,8 @@ "searchKey": "azurerm_linux_web_app[positive2-1].https_only", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-1].https_only' should be set to true", - "actualValue": "'azurerm_linux_web_app[positive2-1].https_only' is not set to true" + "actualValue": "'azurerm_linux_web_app[positive2-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -45,7 +48,8 @@ "searchKey": "azurerm_linux_web_app[positive2-2]", "searchValue": "", "expectedValue": "'azurerm_linux_web_app[positive2-2].https_only' should be defined and set to true", - "actualValue": "'azurerm_linux_web_app[positive2-2].https_only' is undefined" + "actualValue": "'azurerm_linux_web_app[positive2-2].https_only' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -57,7 +61,8 @@ "searchKey": "azurerm_windows_web_app[positive3-1].https_only", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-1].https_only' should be set to true", - "actualValue": "'azurerm_windows_web_app[positive3-1].https_only' is not set to true" + "actualValue": "'azurerm_windows_web_app[positive3-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", @@ -69,6 +74,7 @@ "searchKey": "azurerm_windows_web_app[positive3-2]", "searchValue": "", "expectedValue": "'azurerm_windows_web_app[positive3-2].https_only' should be defined and set to true", - "actualValue": "'azurerm_windows_web_app[positive3-2].https_only' is undefined" + "actualValue": "'azurerm_windows_web_app[positive3-2].https_only' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json index bc89eebbda0..652161e6cae 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_cluster[positive1].autoscale", "searchValue": "max_workers", "expectedValue": "'databricks_cluster[positive1].autoscale.max_workers' should not be empty", - "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'" + "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Autoscale Badly Setup", @@ -21,6 +22,7 @@ "searchKey": "databricks_cluster[positive2].autoscale", "searchValue": "min_workers", "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty", - "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'" + "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index a507859c6b4..4e04aa39d11 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_cluster[positive1].aws_attributes.availability", "searchValue": "", "expectedValue": "'databricks_cluster[positive1].aws_attributes.availability' should not be equal to 'SPOT'", - "actualValue": "'databricks_cluster[positive1].aws_attributes.availability' is equal to 'SPOT'" + "actualValue": "'databricks_cluster[positive1].aws_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", @@ -21,7 +22,8 @@ "searchKey": "databricks_cluster[positive2].aws_attributes.first_on_demand", "searchValue": "", "expectedValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' should not be equal to '0'", - "actualValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' is equal to '0'" + "actualValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' is equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", @@ -33,7 +35,8 @@ "searchKey": "databricks_cluster[positive3].aws_attributes.first_on_demand", "searchValue": "", "expectedValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' should present", - "actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present" + "actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", @@ -45,6 +48,7 @@ "searchKey": "databricks_cluster[positive4].aws_attributes.zone_id", "searchValue": "", "expectedValue": "'databricks_cluster[positive4].aws_attributes.zone_id' should be egal to 'auto'", - "actualValue": "'databricks_cluster[positive4].aws_attributes.zone_id' is not equal to 'auto'" + "actualValue": "'databricks_cluster[positive4].aws_attributes.zone_id' is not equal to 'auto'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index ce09dc6db2f..b13bc6b4a6c 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_cluster[positive1].azure_attributes.availability", "searchValue": "", "expectedValue": "'databricks_cluster[positive1].azure_attributes.availability' should not be equal to 'SPOT'", - "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'" + "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", @@ -21,7 +22,8 @@ "searchKey": "databricks_cluster[positive2].azure_attributes.first_on_demand", "searchValue": "", "expectedValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' should not be equal to '0'", - "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'" + "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", @@ -33,6 +35,7 @@ "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand", "searchValue": "", "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present", - "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present" + "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json index 456c8c9a43e..1517f2fc6b9 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "databricks_cluster[positive].gcp_attributes.availability", "searchValue": "", "expectedValue": "'databricks_cluster[positive].gcp_attributes.availability' should not be equal to 'SPOT'", - "actualValue": "'databricks_cluster[positive].gcp_attributes.availability' is equal to 'SPOT'" + "actualValue": "'databricks_cluster[positive].gcp_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json index 6a0b81d1623..a55c5df403d 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_job[positive1_error]", "searchValue": "", "expectedValue": "'databricks_job[positive1_error]' should have permissions", - "actualValue": "'databricks_job[positive1_error]' doesn't have permission associated" + "actualValue": "'databricks_job[positive1_error]' doesn't have permission associated", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", @@ -21,7 +22,8 @@ "searchKey": "databricks_cluster[positive2_error]", "searchValue": "", "expectedValue": "'databricks_cluster[positive2_error]' should have permissions", - "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated" + "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", @@ -33,7 +35,8 @@ "searchKey": "databricks_permissions.[positive3]", "searchValue": "", "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", - "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated" + "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated", + "issueType": "IncorrectValue" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", @@ -45,6 +48,7 @@ "searchKey": "databricks_permissions.[positive4]", "searchValue": "", "expectedValue": "'databricks_permissions[positive4]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", - "actualValue": "'databricks_permissions[positive4]' have permission_level == 'IS_OWNER' without service_principal_name associated" + "actualValue": "'databricks_permissions[positive4]' have permission_level == 'IS_OWNER' without service_principal_name associated", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json index 95d3fe2c25a..645fb4acc7a 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_group[positive_group_2]", "searchValue": "", "expectedValue": "aws_databricks_group[positive_group_2] should be associated with an databricks_group_member that has at least one user set", - "actualValue": "aws_databricks_group[positive_group_2] is not associated with an databricks_group_member that has at least one user set" + "actualValue": "aws_databricks_group[positive_group_2] is not associated with an databricks_group_member that has at least one user set", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Group Without User Or Instance Profile", @@ -21,6 +22,7 @@ "searchKey": "databricks_group[positive_group2]", "searchValue": "", "expectedValue": "aws_databricks_group[positive_group2] should be associated with an databricks_group_member that has at least one user set", - "actualValue": "aws_databricks_group[positive_group2] is not associated with an databricks_group_member that has at least one user set" + "actualValue": "aws_databricks_group[positive_group2] is not associated with an databricks_group_member that has at least one user set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json index b27290565ac..858aba2229a 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "databricks_obo_token[positive]", "searchValue": "", "expectedValue": "'databricks_obo_token[positive]' should not have indefinitely lifetime", - "actualValue": "'databricks_obo_token[positive]' have an indefinitely lifetime" + "actualValue": "'databricks_obo_token[positive]' have an indefinitely lifetime", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json index 039e9ee6f61..f8c2f6356f4 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "databricks_token[positive]", "searchValue": "", "expectedValue": "'databricks_token[positive]' should not have indefinitely lifetime", - "actualValue": "'databricks_token[positive]' have an indefinitely lifetime" + "actualValue": "'databricks_token[positive]' have an indefinitely lifetime", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json index 0c05d569d7c..74ee01386ea 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_ip_access_list[positive1].ip_addresses", "searchValue": "", "expectedValue": "'databricks_ip_access_list[positive1].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", - "actualValue": "'databricks_ip_access_list[positive1].ip_addresses' is equal to '0.0.0.0/0' or '::/0'" + "actualValue": "'databricks_ip_access_list[positive1].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Databricks ACL", @@ -21,6 +22,7 @@ "searchKey": "databricks_ip_access_list[positive2].ip_addresses", "searchValue": "", "expectedValue": "'databricks_ip_access_list[positive2].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", - "actualValue": "'databricks_ip_access_list[positive2].ip_addresses' is equal to '0.0.0.0/0' or '::/0'" + "actualValue": "'databricks_ip_access_list[positive2].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json index 2cfe91a140a..e9d78bea7c7 100644 --- a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_spark_version[postive1_gpu_ml].long_term_support", "searchValue": "", "expectedValue": "'databricks_spark_version[postive1_gpu_ml]' should be a LTS version'", - "actualValue": "'databricks_spark_version[postive1_gpu_ml]' is not a LTS version'" + "actualValue": "'databricks_spark_version[postive1_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue" }, { "queryName": "Check use no LTS Spark Version", @@ -21,7 +22,8 @@ "searchKey": "databricks_spark_version[positive2_gpu_ml].long_term_support", "searchValue": "", "expectedValue": "'databricks_spark_version[positive2_gpu_ml]' should be a LTS version'", - "actualValue": "'databricks_spark_version[positive2_gpu_ml]' is not a LTS version'" + "actualValue": "'databricks_spark_version[positive2_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue" }, { "queryName": "Check use no LTS Spark Version", @@ -33,6 +35,7 @@ "searchKey": "databricks_cluster[positive3_research].spark_version", "searchValue": "", "expectedValue": "'databricks_cluster[positive3_research].spark_version' should be a LTS version'", - "actualValue": "'databricks_cluster[positive3_research].spark_version' is not a LTS version'" + "actualValue": "'databricks_cluster[positive3_research].spark_version' is not a LTS version'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 4ed97df7829..98b962bbc60 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "databricks_job[positive].task.spark_submit_task", "searchValue": "", "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", - "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'" + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue" }, { "queryName": "Job's Task is Legacy (spark_submit_task)", @@ -21,6 +22,7 @@ "searchKey": "databricks_job[positive].task.spark_submit_task", "searchValue": "", "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", - "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'" + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index 31997baa8f5..6ab98f4fd6c 100644 --- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_bigquery_dataset[positive1].access.special_group", "searchValue": "", "expectedValue": "'access.special_group' should not equal to 'allAuthenticatedUsers'", - "actualValue": "'access.special_group' is equal to 'allAuthenticatedUsers'" + "actualValue": "'access.special_group' is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json index 637fea7daa2..a0e8490f848 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project_service[positive1_1].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_project_service[positive1_2].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_project_service[positive_2].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -45,7 +48,8 @@ "searchKey": "google_project_service[positive_3].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -57,7 +61,8 @@ "searchKey": "google_project_service[positive_4].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -69,7 +74,8 @@ "searchKey": "google_project_service[positive_5].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", @@ -81,6 +87,7 @@ "searchKey": "google_project_service[positive_6].service", "searchValue": "", "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", - "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'" + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json index 0f2ddcdfb0c..5a091a97c03 100755 --- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_dns_managed_zone[positive1].dnssec_config.state", "searchValue": "", "expectedValue": "'dnssec_config.state' should equal to 'on'", - "actualValue": "'dnssec_config.state' is not equal to 'on'" + "actualValue": "'dnssec_config.state' is not equal to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index b765ddbb451..eaea1c8d870 100644 --- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_storage_bucket_iam_binding[positive1].members", "searchValue": "", "expectedValue": "'google_storage_bucket_iam_binding[positive1].members' should not be null", - "actualValue": "'google_storage_bucket_iam_binding[positive1].members' is null" + "actualValue": "'google_storage_bucket_iam_binding[positive1].members' is null", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "google_storage_bucket_iam_binding[positive2].members", "searchValue": "", "expectedValue": "'google_storage_bucket_iam_binding[positive2].members' should not have 'allUsers'", - "actualValue": "'google_storage_bucket_iam_binding[positive2].members' has 'allUsers'" + "actualValue": "'google_storage_bucket_iam_binding[positive2].members' has 'allUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", @@ -33,6 +35,7 @@ "searchKey": "google_storage_bucket_iam_binding[positive3].members", "searchValue": "", "expectedValue": "'google_storage_bucket_iam_binding[positive3].members' should not have 'allAuthenticatedUsers'", - "actualValue": "'google_storage_bucket_iam_binding[positive3].members' has 'allAuthenticatedUsers'" + "actualValue": "'google_storage_bucket_iam_binding[positive3].members' has 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json index e499b24b7fe..608efe833c7 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_storage_bucket_iam_member[positive1].member", "searchValue": "", "expectedValue": "'member' not equal to 'allUsers' nor 'allAuthenticatedUsers'", - "actualValue": "'member' equal to 'allUsers'" + "actualValue": "'member' equal to 'allUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Bucket Is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "google_storage_bucket_iam_member[positive2].members", "searchValue": "", "expectedValue": "None of the 'members' equal to 'allUsers' nor 'allAuthenticatedUsers'", - "actualValue": "One of the 'members' equal to 'allUsers' or 'allAuthenticatedUsers'" + "actualValue": "One of the 'members' equal to 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index cf8705c56d0..f233536a73d 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_storage_bucket[positive1]", "searchValue": "", "expectedValue": "'google_storage_bucket.logging' should be set", - "actualValue": "'google_storage_bucket.logging' is undefined" + "actualValue": "'google_storage_bucket.logging' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index 370ce45bc1f..23380919c6d 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_storage_bucket[positive1].versioning.enabled", "searchValue": "", "expectedValue": "'versioning.enabled' should be true", - "actualValue": "'versioning.enabled' is false" + "actualValue": "'versioning.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Bucket Versioning Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_storage_bucket[positive2]", "searchValue": "", "expectedValue": "'versioning' should be defined and not null", - "actualValue": "'versioning' it undefined or null" + "actualValue": "'versioning' it undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json index 6fd8e847f03..b003a6fe6dc 100644 --- a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attribute 'resource_labels' should be defined", - "actualValue": "Attribute 'resource_labels' is undefined" + "actualValue": "Attribute 'resource_labels' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json index e0ae56d3831..c21b85e4e19 100644 --- a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null", - "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null" + "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Cluster Without Network Policy Support Enabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].network_policy.enabled", "searchValue": "", "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'", - "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'" + "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json index 88694892264..4b68429ca8f 100644 --- a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_container_node_pool[positive2].node_config.image_type", "searchValue": "", "expectedValue": "'node_config.image_type' should start with 'COS'", - "actualValue": "'node_config.image_type' does not start with 'COS'" + "actualValue": "'node_config.image_type' does not start with 'COS'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json index 10f5fbaed02..a5c1337e44b 100644 --- a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_disk[positive1]", "searchValue": "", "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null", - "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null" + "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_compute_disk[positive2].disk_encryption_key", "searchValue": "", "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null", - "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null" + "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key", "searchValue": "", "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null", - "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null" + "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null", + "issueType": "IncorrectValue" }, { "queryName": "Disk Encryption Disabled", @@ -45,6 +48,7 @@ "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link", "searchValue": "", "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null", - "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null" + "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index dd883e0e11a..3d32eeae072 100644 --- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_dns_managed_zone[positive1].dnssec_config.default_key_specs.algorithm", "searchValue": "", "expectedValue": "dnssec_config.default_key_specs.algorithm shouldn't be 'rsasha1'", - "actualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'" + "actualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json index d078e2c88ec..e05a3f56376 100644 --- a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", - "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", @@ -21,7 +22,8 @@ "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", - "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", @@ -33,7 +35,8 @@ "searchKey": "google_essential_contacts_contact[positive3].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", - "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", @@ -45,6 +48,7 @@ "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field", "searchValue": "", "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", - "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined" + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json index 8f36ff6a25d..da19deb875e 100644 --- a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel' block is not defined" + "actualValue": "'release_channel' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", @@ -21,7 +22,8 @@ "searchKey": "google_container_cluster[positive2].release_channel.channel", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'" + "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", @@ -33,7 +35,8 @@ "searchKey": "google_container_cluster[positive3].release_channel.channel", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel.channel' is defined to 'RAPID'" + "actualValue": "'release_channel.channel' is defined to 'RAPID'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", @@ -45,6 +48,7 @@ "searchKey": "google_container_cluster[positive4].release_channel.channel", "searchValue": "", "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", - "actualValue": "'release_channel.channel' is defined to 'EXTENDED'" + "actualValue": "'release_channel.channel' is defined to 'EXTENDED'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index 57435e11e34..c97eec51bcb 100644 --- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_container_cluster[positive1].enable_legacy_abac", "searchValue": "", "expectedValue": "Attribute 'enable_legacy_abac' should be set to false", - "actualValue": "Attribute 'enable_legacy_abac' is true" + "actualValue": "Attribute 'enable_legacy_abac' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json index 40f093f5801..2d68e3c1810 100644 --- a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].node_config", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is default" + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue" }, { "queryName": "GKE Using Default Service Account", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].node_config.service_account", "searchValue": "", "expectedValue": "'service_account' should not be default", - "actualValue": "'service_account' is default" + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index 543a1a3435e..204e0e1189a 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_network[positive1]", "searchValue": "", "expectedValue": "'google_compute_network[positive1]' should not be using a default firewall rule", - "actualValue": "'google_compute_network[positive1]' is using a default firewall rule" + "actualValue": "'google_compute_network[positive1]' is using a default firewall rule", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index 6a49d5cdbd4..89fb4db968d 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_network[positive1]", "searchValue": "", "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to all ports", - "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to all ports" + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to all ports", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json index 0d857e1adcd..802d7d959ba 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_network[positive1]", "searchValue": "", "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to port range", - "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to port range" + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to port range", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index 75ca6b58cf9..fb5c85bd02c 100644 --- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_ssl_policy[positive1].min_tls_version", "searchValue": "", "expectedValue": "google_compute_ssl_policy[positive1].min_tls_version should be TLS_1_2", - "actualValue": "google_compute_ssl_policy[positive1].min_tls_version is not TLS_1_2" + "actualValue": "google_compute_ssl_policy[positive1].min_tls_version is not TLS_1_2", + "issueType": "IncorrectValue" }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", @@ -21,6 +22,7 @@ "searchKey": "google_compute_ssl_policy[positive2].min_tls_version", "searchValue": "", "expectedValue": "google_compute_ssl_policy[positive2].min_tls_version should be TLS_1_2", - "actualValue": "google_compute_ssl_policy[positive2].min_tls_version is undefined" + "actualValue": "google_compute_ssl_policy[positive2].min_tls_version is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json index abb439a3ebc..baa5d6434b1 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_subnetwork[positive1]", "searchValue": "", "expectedValue": "'google_compute_subnetwork[positive1].log_config' should be defined and not null", - "actualValue": "'google_compute_subnetwork[positive1].log_config' is undefined or null" + "actualValue": "'google_compute_subnetwork[positive1].log_config' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 5e20ebd5a35..5a549037366 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_subnetwork[positive1]", "searchValue": "", "expectedValue": "'google_compute_subnetwork[positive1].private_ip_google_access' should be defined and not null", - "actualValue": "'google_compute_subnetwork[positive1].private_ip_google_access' is undefined or null" + "actualValue": "'google_compute_subnetwork[positive1].private_ip_google_access' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_compute_subnetwork[positive2].private_ip_google_access", "searchValue": "", "expectedValue": "'google_compute_subnetwork[positive2].private_ip_google_access' should be set to true", - "actualValue": "'google_compute_subnetwork[positive2].private_ip_google_access' is set to false" + "actualValue": "'google_compute_subnetwork[positive2].private_ip_google_access' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 8ddf3fedd08..d06be56f71b 100644 --- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_node_pool[positive2].management.auto_repair", "searchValue": "", "expectedValue": "google_container_node_pool[positive2].management.auto_repair should be true", - "actualValue": "google_container_node_pool[positive2].management.auto_repair is false" + "actualValue": "google_container_node_pool[positive2].management.auto_repair is false", + "issueType": "IncorrectValue" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_node_pool[positive3].management", "searchValue": "", "expectedValue": "google_container_node_pool[positive3].management.auto_repair should be defined and not null", - "actualValue": "google_container_node_pool[positive3].management.auto_repair is undefined or null" + "actualValue": "google_container_node_pool[positive3].management.auto_repair is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json index 18f7c9cac99..5e000bcc8a5 100644 --- a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_dns_policy[example-policy]", "searchValue": "", "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true", - "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null" + "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Google DNS Policy Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_dns_policy[example-policy-2].enable_logging", "searchValue": "", "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true", - "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false" + "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json index f46a02d75a1..ebe185c64bf 100644 --- a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_container_cluster[positive].enable_kubernetes_alpha", "searchValue": "", "expectedValue": "'enable_kubernetes_alpha' should only be defined to 'false'", - "actualValue": "'enable_kubernetes_alpha' is defined to 'true'" + "actualValue": "'enable_kubernetes_alpha' is defined to 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json index 61632e9772b..7839b924700 100644 --- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project[positive1].auto_create_network", "searchValue": "", "expectedValue": "google_project[positive1].auto_create_network should be set to false", - "actualValue": "google_project[positive1].auto_create_network is true" + "actualValue": "google_project[positive1].auto_create_network is true", + "issueType": "IncorrectValue" }, { "queryName": "Google Project Auto Create Network Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_project[positive2]", "searchValue": "", "expectedValue": "google_project[positive2].auto_create_network should be set to false", - "actualValue": "google_project[positive2].auto_create_network is undefined" + "actualValue": "google_project[positive2].auto_create_network is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 40a38fc5e82..609582034f6 100644 --- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project_iam_binding[positive1].role", "searchValue": "", "expectedValue": "google_project_iam_binding[positive1].role should not be Service Account Token Creator", - "actualValue": "google_project_iam_binding[positive1].role is Service Account Token Creator" + "actualValue": "google_project_iam_binding[positive1].role is Service Account Token Creator", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", @@ -21,7 +22,8 @@ "searchKey": "google_project_iam_binding[positive2].role", "searchValue": "", "expectedValue": "google_project_iam_binding[positive2].role should not be Service Account Token Creator", - "actualValue": "google_project_iam_binding[positive2].role is Service Account Token Creator" + "actualValue": "google_project_iam_binding[positive2].role is Service Account Token Creator", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", @@ -33,7 +35,8 @@ "searchKey": "google_project_iam_binding[positive3].role", "searchValue": "", "expectedValue": "google_project_iam_binding[positive3].role should not be Service Account User", - "actualValue": "google_project_iam_binding[positive3].role is Service Account User" + "actualValue": "google_project_iam_binding[positive3].role is Service Account User", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", @@ -45,6 +48,7 @@ "searchKey": "google_project_iam_binding[positive4].role", "searchValue": "", "expectedValue": "google_project_iam_binding[positive4].role should not be Service Account User", - "actualValue": "google_project_iam_binding[positive4].role is Service Account User" + "actualValue": "google_project_iam_binding[positive4].role is Service Account User", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json index 1ef4e26e886..cf3cd655850 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project_iam_member[positive1].role", "searchValue": "", "expectedValue": "google_project_iam_member[positive1].role should not be admin", - "actualValue": "google_project_iam_member[positive1].role is admin" + "actualValue": "google_project_iam_member[positive1].role is admin", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Member Service Account Has Admin Role", @@ -21,6 +22,7 @@ "searchKey": "google_project_iam_member[positive2].role", "searchValue": "", "expectedValue": "google_project_iam_member[positive2].role should not be admin", - "actualValue": "google_project_iam_member[positive2].role is admin" + "actualValue": "google_project_iam_member[positive2].role is admin", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 4f5b136e606..6ab76f699d3 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project_iam_member[positive1].role", "searchValue": "", "expectedValue": "google_project_iam_member[positive1].role should be Service Account Token Creator", - "actualValue": "google_project_iam_member[positive1].role is not Service Account Token Creator" + "actualValue": "google_project_iam_member[positive1].role is not Service Account Token Creator", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role", @@ -21,6 +22,7 @@ "searchKey": "google_project_iam_member[positive2].role", "searchValue": "", "expectedValue": "google_project_iam_member[positive2].role should be Service Account User", - "actualValue": "google_project_iam_member[positive2].role is not Service Account User" + "actualValue": "google_project_iam_member[positive2].role is not Service Account User", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json index 1e0c6561458..0dfc67ee9e2 100644 --- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_storage_bucket[positive1].uniform_bucket_level_access", "searchValue": "", "expectedValue": "google_storage_bucket[positive1].uniform_bucket_level_access should be true", - "actualValue": "google_storage_bucket[positive1].uniform_bucket_level_access is false" + "actualValue": "google_storage_bucket[positive1].uniform_bucket_level_access is false", + "issueType": "IncorrectValue" }, { "queryName": "Google Storage Bucket Level Access Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_storage_bucket[positive2]", "searchValue": "", "expectedValue": "google_storage_bucket[positive2].uniform_bucket_level_access should be defined and not null", - "actualValue": "google_storage_bucket[positive2].uniform_bucket_level_access is undefined or null" + "actualValue": "google_storage_bucket[positive2].uniform_bucket_level_access is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 5b59125a37e..2a4c61f06ac 100644 --- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_kms_crypto_key[positive1].rotation_period", "searchValue": "", "expectedValue": "'google_kms_crypto_key.rotation_period' should be less or equal to 7776000", - "actualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000" + "actualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000", + "issueType": "IncorrectValue" }, { "queryName": "High Google KMS Crypto Key Rotation Period", @@ -21,6 +22,7 @@ "searchKey": "google_kms_crypto_key[positive2]", "searchValue": "", "expectedValue": "'google_kms_crypto_key.rotation_period' should be defined with a value less or equal to 7776000", - "actualValue": "'google_kms_crypto_key.rotation_period' is undefined" + "actualValue": "'google_kms_crypto_key.rotation_period' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json index 667709ac2d3..b22f9fb9ac7 100644 --- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_project_iam_audit_config[positive1].service", "searchValue": "", "expectedValue": "'service' must be 'allServices'", - "actualValue": "'service' is 'some_specific_service'" + "actualValue": "'service' is 'some_specific_service'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Audit Not Properly Configured", @@ -21,7 +22,8 @@ "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members", "searchValue": "", "expectedValue": "'exempted_members' should be empty", - "actualValue": "'exempted_members' is not empty" + "actualValue": "'exempted_members' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Audit Not Properly Configured", @@ -33,7 +35,8 @@ "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.log_type", "searchValue": "", "expectedValue": "'log_type' must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'", - "actualValue": "'log_type' is INVALID_TYPE" + "actualValue": "'log_type' is INVALID_TYPE", + "issueType": "IncorrectValue" }, { "queryName": "IAM Audit Not Properly Configured", @@ -45,6 +48,7 @@ "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.exempted_members", "searchValue": "", "expectedValue": "'exempted_members' should be empty", - "actualValue": "'exempted_members' is not empty" + "actualValue": "'exempted_members' is not empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 85dcf2dfd92..926e63436e5 100644 --- a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined", - "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined" + "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_container_cluster[positive2]", "searchValue": "", "expectedValue": "Attribute 'ip_allocation_policy' should be defined", - "actualValue": "Attribute 'ip_allocation_policy' is undefined" + "actualValue": "Attribute 'ip_allocation_policy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IP Aliasing Disabled", @@ -33,6 +35,7 @@ "searchKey": "google_container_cluster[positive3]", "searchValue": "", "expectedValue": "Attribute 'networking_mode' should be VPC_NATIVE", - "actualValue": "Attribute 'networking_mode' is ROUTES" + "actualValue": "Attribute 'networking_mode' is ROUTES", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json index 90192b2d63d..a5d47289805 100644 --- a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_instance[appserver].can_ip_forward", "searchValue": "", "expectedValue": "Attribute 'can_ip_forward' should be set to false or Attribute 'can_ip_forward' should be undefined", - "actualValue": "Attribute 'can_ip_forward' is true" + "actualValue": "Attribute 'can_ip_forward' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json index ab4e384dc9d..5a303618d58 100644 --- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_project_iam_policy[positive1].policy_data", "searchValue": "", "expectedValue": "google_iam_policy[positive1].policy_data should not assign a KMS admin role and CryptoKey role to the same member", - "actualValue": "google_iam_policy[positive1].policy_data assigns a KMS admin role and CryptoKey role to the same member" + "actualValue": "google_iam_policy[positive1].policy_data assigns a KMS admin role and CryptoKey role to the same member", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json index b166ad9aa63..e9184b997ec 100644 --- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_kms_crypto_key_iam_policy[positive1].policy_data", "searchValue": "", "expectedValue": "KMS crypto key should not be publicly accessible", - "actualValue": "KMS crypto key is publicly accessible" + "actualValue": "KMS crypto key is publicly accessible", + "issueType": "IncorrectValue" }, { "queryName": "KMS Crypto Key is Publicly Accessible", @@ -21,6 +22,7 @@ "searchKey": "google_kms_crypto_key_iam_policy[positive2].policy_data", "searchValue": "", "expectedValue": "KMS crypto key should not be publicly accessible", - "actualValue": "KMS crypto key is publicly accessible" + "actualValue": "KMS crypto key is publicly accessible", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json index 169dfb60390..55062e0154c 100644 --- a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled", "searchValue": "", "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", - "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_container_cluster[positive2]", "searchValue": "", "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", - "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled" + "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_container_cluster[positive3].addons_config", "searchValue": "", "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", - "actualValue": "'kubernetes_dashboard' is not defined inside the 'addons_config_version' block" + "actualValue": "'kubernetes_dashboard' is not defined inside the 'addons_config_version' block", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", @@ -45,7 +48,8 @@ "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", "searchValue": "", "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", - "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", @@ -57,6 +61,7 @@ "searchKey": "google_container_cluster[positive5].addons_config.kubernetes_dashboard.disabled", "searchValue": "", "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", - "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'" + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json index 8e58a8d4ee0..d0dfbe2664b 100644 --- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].master_auth", "searchValue": "", "expectedValue": "If 'master_auth' is defined, subattribute 'client_certificate_config' should be defined", - "actualValue": "Attribute 'client_certificate_config' in 'master_auth' is undefined" + "actualValue": "Attribute 'client_certificate_config' in 'master_auth' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Legacy Client Certificate Auth Enabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].master_auth.client_certificate_config.issue_client_certificate", "searchValue": "", "expectedValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' should be false", - "actualValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' is true" + "actualValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json index 67736ef2fbe..cc87d61371c 100644 --- a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_network[vpc_network_network].auto_create_subnetworks", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is defined to true" + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", @@ -21,7 +22,8 @@ "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is defined to true" + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", @@ -33,7 +35,8 @@ "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is defined to true" + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", @@ -45,7 +48,8 @@ "searchKey": "google_compute_network[vpc_network_network]", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is not defined" + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", @@ -57,7 +61,8 @@ "searchKey": "google_compute_network[legacy_network]", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is not defined" + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", @@ -69,6 +74,7 @@ "searchKey": "google_compute_network[legacy_network]", "searchValue": "", "expectedValue": "'auto_create_subnetworks' should be defined to false", - "actualValue": "'auto_create_subnetworks' is not defined" + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json index 74038b49683..227ad67914a 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -21,7 +22,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -33,7 +35,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -45,7 +48,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -57,7 +61,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -69,7 +74,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -81,7 +87,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -93,7 +100,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -105,7 +113,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -117,7 +126,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", @@ -129,6 +139,7 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", - "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes" + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json index 9cd771f189f..5fc2d907944 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -21,7 +22,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -33,7 +35,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -45,7 +48,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -57,7 +61,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -69,7 +74,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -81,7 +87,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type" + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -93,7 +100,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", @@ -105,6 +113,7 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", - "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'" + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json index 8a595ae74c5..7bc772a93cb 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -21,7 +22,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -33,7 +35,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -45,7 +48,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -57,7 +61,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -69,7 +74,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -81,7 +87,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -93,7 +100,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -105,7 +113,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -117,7 +126,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert]", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'" + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -129,7 +139,8 @@ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", "searchValue": "", "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes" + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -141,7 +152,8 @@ "searchKey": "google_logging_metric[audit_config_change].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -153,7 +165,8 @@ "searchKey": "google_logging_metric[positive8].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", @@ -165,6 +178,7 @@ "searchKey": "google_logging_metric[positive9].filter", "searchValue": "", "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", - "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes" + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json index 7140d02b210..f86f143ace7 100644 --- a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", - "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_container_cluster[positive2]", "searchValue": "", "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", - "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_container_cluster[positive3]", "searchValue": "", "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", - "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined" + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -45,7 +48,8 @@ "searchKey": "google_container_cluster[positive4].addons_config", "searchValue": "", "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined", - "actualValue": "Attribute 'addons_config.network_policy_config' is undefined" + "actualValue": "Attribute 'addons_config.network_policy_config' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Network Policy Disabled", @@ -57,7 +61,8 @@ "searchKey": "google_container_cluster[positive5].network_policy.enabled", "searchValue": "", "expectedValue": "Attribute 'network_policy.enabled' should be true", - "actualValue": "Attribute 'network_policy.enabled' is false" + "actualValue": "Attribute 'network_policy.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", @@ -69,6 +74,7 @@ "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled", "searchValue": "", "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", - "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true" + "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index aaf4af611f4..59f9f50b7a9 100644 --- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_node_pool[positive1]", "searchValue": "", "expectedValue": "google_container_node_pool.management should be defined and not null", - "actualValue": "google_container_node_pool.management is undefined or null" + "actualValue": "google_container_node_pool.management is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_container_node_pool[positive2].management", "searchValue": "", "expectedValue": "management.auto_upgrade should be defined and not null", - "actualValue": "management.auto_upgrade is undefined or null" + "actualValue": "management.auto_upgrade is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Node Auto Upgrade Disabled", @@ -33,6 +35,7 @@ "searchKey": "google_container_node_pool[positive3].management.auto_upgrade", "searchValue": "", "expectedValue": "management.auto_upgrade should be true", - "actualValue": "management.auto_upgrade is false" + "actualValue": "management.auto_upgrade is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json index 75f93b0726a..0934b77ef5e 100644 --- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_project_iam_binding[positive1].members.user:jane@gmail.com", "searchValue": "", "expectedValue": "'members' cannot contain Gmail account addresses", - "actualValue": "'members' has email address: user:jane@gmail.com" + "actualValue": "'members' has email address: user:jane@gmail.com", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json index 591b6328cdb..5ce1d80d79d 100644 --- a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_project_metadata[positive1].metadata.enable-oslogin", "searchValue": "", "expectedValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] should be true", - "actualValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] is false" + "actualValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] is false", + "issueType": "IncorrectValue" }, { "queryName": "OSLogin Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_compute_project_metadata[positive2].metadata", "searchValue": "", "expectedValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] should be true", - "actualValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] is undefined" + "actualValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json index 2cd77f1f7f5..092fdb628c4 100644 --- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_instance[positive1].metadata.enable-oslogin", "searchValue": "", "expectedValue": "google_compute_instance[positive1].metadata.enable-oslogin should be true or undefined", - "actualValue": "google_compute_instance[positive1].metadata.enable-oslogin is false" + "actualValue": "google_compute_instance[positive1].metadata.enable-oslogin is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json index 9c8f7a90535..fa40ee71130 100644 --- a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", - "actualValue": "GKE is using outated versions on min_master_version or node_version" + "actualValue": "GKE is using outated versions on min_master_version or node_version", + "issueType": "IncorrectValue" }, { "queryName": "Outdated GKE Version", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2]", "searchValue": "", "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", - "actualValue": "GKE is using outated versions on min_master_version or node_version" + "actualValue": "GKE is using outated versions on min_master_version or node_version", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json index 3d23cacdd82..6880fed062c 100644 --- a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attribute 'pod_security_policy_config' should be defined", - "actualValue": "Attribute 'pod_security_policy_config' is undefined" + "actualValue": "Attribute 'pod_security_policy_config' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod Security Policy Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled", "searchValue": "", "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", - "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false" + "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json index 5099e7b5734..9c25c337f45 100644 --- a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1]", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config' should be defined and not null", - "actualValue": "Attribute 'private_cluster_config' is undefined or null" + "actualValue": "Attribute 'private_cluster_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_container_cluster[positive2].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_container_cluster[positive3].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -45,7 +48,8 @@ "searchKey": "google_container_cluster[positive4].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Private Cluster Disabled", @@ -57,7 +61,8 @@ "searchKey": "google_container_cluster[positive5].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue" }, { "queryName": "Private Cluster Disabled", @@ -69,7 +74,8 @@ "searchKey": "google_container_cluster[positive6].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue" }, { "queryName": "Private Cluster Disabled", @@ -81,6 +87,7 @@ "searchKey": "google_container_cluster[positive7].private_cluster_config", "searchValue": "", "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", - "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false" + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index c2e18dab666..c26b6fe9510 100644 --- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_instance[positive1].metadata.block-project-ssh-keys", "searchValue": "", "expectedValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys should be true", - "actualValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys is false" + "actualValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys is false", + "issueType": "IncorrectValue" }, { "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", @@ -21,6 +22,7 @@ "searchKey": "google_compute_instance[positive2]", "searchValue": "", "expectedValue": "google_compute_instance[positive2].metadata should be set", - "actualValue": "google_compute_instance[positive2].metadata is undefined" + "actualValue": "google_compute_instance[positive2].metadata is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index ac8e4bad842..a49ae4d75fb 100644 --- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_firewall[positive1].allow.ports", "searchValue": "", "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include RDP port 3389", - "actualValue": "'google_compute_firewall[positive1].allow.ports' includes RDP port 3389" + "actualValue": "'google_compute_firewall[positive1].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Access Is Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "google_compute_firewall[positive2].allow.ports", "searchValue": "", "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include RDP port 3389", - "actualValue": "'google_compute_firewall[positive2].allow.ports' includes RDP port 3389" + "actualValue": "'google_compute_firewall[positive2].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue" }, { "queryName": "RDP Access Is Not Restricted", @@ -33,6 +35,7 @@ "searchKey": "google_compute_firewall[positive3].allow.ports", "searchValue": "", "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include RDP port 3389", - "actualValue": "'google_compute_firewall[positive3].allow.ports' includes RDP port 3389" + "actualValue": "'google_compute_firewall[positive3].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json index 1949f606e31..c1b427379d6 100644 --- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_iam_policy[admin].binding.role", "searchValue": "", "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" }, { "queryName": "Service Account with Improper Privileges", @@ -21,7 +22,8 @@ "searchKey": "google_project_iam_binding[project1].role", "searchValue": "", "expectedValue": "google_project_iam_binding[project1].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_project_iam_binding[project1].role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_project_iam_binding[project1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" }, { "queryName": "Service Account with Improper Privileges", @@ -33,7 +35,8 @@ "searchKey": "google_project_iam_member[project2].role", "searchValue": "", "expectedValue": "google_project_iam_member[project2].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_project_iam_member[project2].role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_project_iam_member[project2].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" }, { "queryName": "Service Account with Improper Privileges", @@ -45,7 +48,8 @@ "searchKey": "google_iam_policy[admin].binding[1].role", "searchValue": "", "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" }, { "queryName": "Service Account with Improper Privileges", @@ -57,7 +61,8 @@ "searchKey": "google_iam_policy[admin].binding[0].role", "searchValue": "", "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" }, { "queryName": "Service Account with Improper Privileges", @@ -69,6 +74,7 @@ "searchKey": "google_iam_policy[admin].binding[1].role", "searchValue": "", "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", - "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member" + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json index ec52c83ebc2..fd5585b3ac0 100644 --- a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].node_config.shielded_instance_config.enable_integrity_monitoring", "searchValue": "", "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", - "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'" + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_node_pool[positive2].node_config.shielded_instance_config.enable_integrity_monitoring", "searchValue": "", "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", - "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'" + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json index 1edc3f22f57..a4f9323050d 100644 --- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_container_cluster[false].enable_shielded_nodes", "searchValue": "", "expectedValue": "google_container_cluster.enable_shielded_nodes should be set to true", - "actualValue": "google_container_cluster.enable_shielded_nodes is set to false" + "actualValue": "google_container_cluster.enable_shielded_nodes is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json index 9a6ce5b9cb3..7b2b90ac54b 100644 --- a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_instance[appserver1]", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config' should be defined and not null", - "actualValue": "Attribute 'shielded_instance_config' is undefined or null" + "actualValue": "Attribute 'shielded_instance_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_compute_instance[appserver2].shielded_instance_config", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be defined", - "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined" + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -33,7 +35,8 @@ "searchKey": "google_compute_instance[appserver3].shielded_instance_config", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined", - "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined" + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -45,7 +48,8 @@ "searchKey": "google_compute_instance[appserver4].shielded_instance_config", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be defined", - "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is undefined" + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Shielded VM Disabled", @@ -57,7 +61,8 @@ "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false" + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Shielded VM Disabled", @@ -69,7 +74,8 @@ "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false" + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false", + "issueType": "IncorrectValue" }, { "queryName": "Shielded VM Disabled", @@ -81,6 +87,7 @@ "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring", "searchValue": "", "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true", - "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false" + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index e1c37bfcb5b..79a7a8b7b14 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive1].settings", "searchValue": "", "expectedValue": "settings.backup_configuration should be defined and not null", - "actualValue": "settings.backup_configuration is undefined or null" + "actualValue": "settings.backup_configuration is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive2].settings.backup_configuration", "searchValue": "", "expectedValue": "settings.backup_configuration.enabled should be defined and not null", - "actualValue": "settings.backup_configuration.enabled is undefined or null" + "actualValue": "settings.backup_configuration.enabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Backup Disabled", @@ -33,6 +35,7 @@ "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled", "searchValue": "", "expectedValue": "settings.backup_configuration.enabled should be true", - "actualValue": "settings.backup_configuration.enabled is false" + "actualValue": "settings.backup_configuration.enabled is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index c23ac264399..34cb34c7377 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive1].settings", "searchValue": "", "expectedValue": "'ip_configuration' should be defined and allow only trusted networks", - "actualValue": "'ip_configuration' is not defined" + "actualValue": "'ip_configuration' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration.authorized_networks.value=0.0.0.0/0", "searchValue": "", "expectedValue": "'authorized_network' address should be trusted", - "actualValue": "'authorized_network' address is not restricted: '0.0.0.0/0'" + "actualValue": "'authorized_network' address is not restricted: '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.ipv4_enabled", "searchValue": "", "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", - "actualValue": "'ipv4_enabled' is enabled when there are no authorized networks" + "actualValue": "'ipv4_enabled' is enabled when there are no authorized networks", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", @@ -45,6 +48,7 @@ "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration", "searchValue": "", "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", - "actualValue": "'private_network' is not defined when there are no authorized networks" + "actualValue": "'private_network' is not defined when there are no authorized networks", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json index 01eb85d321a..2b7e622e9e2 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'contained database authentication' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'contained database authentication' to 'on'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'contained database authentication' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Contained Database Authentication", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'contained database authentication' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'contained database authentication' to 'on'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'contained database authentication' to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json index 09c0fb85dab..974db57aad7 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'skip_show_database'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'skip_show_database'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'skip_show_database' to 'off'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'skip_show_database' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'skip_show_database' to 'off'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'skip_show_database' to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json index 2b19b871ee3..8b5fe634da3 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set '3625'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set '3625'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json index 7af09017f05..30f406ef4de 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'external scripts enabled' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'external scripts enabled' to 'on'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'external scripts enabled' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'external scripts enabled' to 'on'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json index a4384e79016..25142b6757e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Global User Options", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json index 2adfedd5499..7cbb77b570a 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'user connections' to '0'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user connections' to '1001'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user connections' to '1001'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Limited User Connections", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'user connections' to '0'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user connections' to '1000'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user connections' to '1000'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 1a33a452279..e568db1dd84 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'local_infile'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'local_infile'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json index 006197a5e63..589b787533e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_duration_statement' to '-1'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_duration_statement' to '2'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_duration_statement' to '2'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_duration_statement' to '-1'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_duration_statement' to '3'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_duration_statement' to '3'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json index 72cb28c2d6c..e49688a1dc8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", @@ -21,6 +22,7 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json index 328be6089ed..c525a9d853f 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'remote access'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'remote access'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'remote access' to 'on'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'remote access' to 'off'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index dacf7065f52..d68cbaf98c7 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive1].settings", "searchValue": "", "expectedValue": "'settings.ip_configuration' should be defined and not null", - "actualValue": "'settings.ip_configuration' is undefined or null" + "actualValue": "'settings.ip_configuration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration", "searchValue": "", "expectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", - "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null" + "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", @@ -33,6 +35,7 @@ "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", "searchValue": "", "expectedValue": "'settings.ip_configuration.require_ssl' should be true", - "actualValue": "'settings.ip_configuration.require_ssl' is false" + "actualValue": "'settings.ip_configuration.require_ssl' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json index fd09f3081ee..0e8ca988f97 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_error_statement' to 'NOTICE'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_error_statement' to 'NOTICE'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG5'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG5'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", @@ -33,6 +35,7 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG4'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG4'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index baeef356b57..f234c246c26 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_messages' to 'NOTICE'" + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_messages' to 'NOTICE'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_messages' to 'DEBUG5'" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_messages' to 'DEBUG5'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", @@ -33,6 +35,7 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_messages' to 'INFO'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_messages' to 'INFO'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json index c45513f8add..990b9385a37 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'cloudsql.enable_pgaudit'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'cloudsql.enable_pgaudit'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json index 19d25f9d975..06f5a3d8564 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json index 2be6b7a284e..3a31923924c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_sql_database_instance[positive_1]", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", @@ -21,7 +22,8 @@ "searchKey": "google_sql_database_instance[positive_2].settings", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null" + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", @@ -33,7 +35,8 @@ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_disconnections'" + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_disconnections'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", @@ -45,7 +48,8 @@ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'" + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", @@ -57,6 +61,7 @@ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", "searchValue": "", "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", - "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'" + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index cae0f257390..3dc9e58d046 100644 --- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_firewall[positive1].allow.ports=22", "searchValue": "", "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include SSH port 22", - "actualValue": "'google_compute_firewall[positive1].allow.ports' includes SSH port 22" + "actualValue": "'google_compute_firewall[positive1].allow.ports' includes SSH port 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Access Is Not Restricted", @@ -21,7 +22,8 @@ "searchKey": "google_compute_firewall[positive2].allow.ports=21-3390", "searchValue": "", "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include SSH port 22", - "actualValue": "'google_compute_firewall[positive2].allow.ports' includes SSH port 22" + "actualValue": "'google_compute_firewall[positive2].allow.ports' includes SSH port 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Access Is Not Restricted", @@ -33,6 +35,7 @@ "searchKey": "google_compute_firewall[positive3].allow.ports=0-65535", "searchValue": "", "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include SSH port 22", - "actualValue": "'google_compute_firewall[positive3].allow.ports' includes SSH port 22" + "actualValue": "'google_compute_firewall[positive3].allow.ports' includes SSH port 22", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index aa18711898a..66df0844151 100644 --- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].logging_service", "searchValue": "", "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", - "actualValue": "Attribute 'logging_service' is 'none'" + "actualValue": "Attribute 'logging_service' is 'none'", + "issueType": "IncorrectValue" }, { "queryName": "Stackdriver Logging Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].logging_service", "searchValue": "", "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'", - "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'" + "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index cc7c39a0854..721c34e5416 100644 --- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_container_cluster[positive1].monitoring_service", "searchValue": "", "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", - "actualValue": "Attribute 'monitoring_service' is 'none'" + "actualValue": "Attribute 'monitoring_service' is 'none'", + "issueType": "IncorrectValue" }, { "queryName": "Stackdriver Monitoring Disabled", @@ -21,6 +22,7 @@ "searchKey": "google_container_cluster[positive2].monitoring_service", "searchValue": "", "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'", - "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'" + "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json index ff9ecabcfee..7f8c9799d88 100644 --- a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_iam_policy[positive].binding.role", "searchValue": "", "expectedValue": "google_iam_policy[positive].binding.role should not be set", - "actualValue": "google_iam_policy[positive].binding.role is set" + "actualValue": "google_iam_policy[positive].binding.role is set", + "issueType": "IncorrectValue" }, { "queryName": "User with IAM Role", @@ -21,7 +22,8 @@ "searchKey": "google_project_iam_binding[positive2].role", "searchValue": "", "expectedValue": "google_project_iam_binding[positive2].role should not be set", - "actualValue": "google_project_iam_binding[positive2].role is set" + "actualValue": "google_project_iam_binding[positive2].role is set", + "issueType": "IncorrectValue" }, { "queryName": "User with IAM Role", @@ -33,6 +35,7 @@ "searchKey": "google_project_iam_member[positive3].role", "searchValue": "", "expectedValue": "google_project_iam_member[positive3].role should not be set", - "actualValue": "google_project_iam_member[positive3].role is set" + "actualValue": "google_project_iam_member[positive3].role is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json index bbeea1addba..7c9cc9b4347 100644 --- a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_instance[positive1]", "searchValue": "", "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", - "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null" + "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Using Default Service Account", @@ -21,7 +22,8 @@ "searchKey": "google_compute_instance[positive2].service_account", "searchValue": "", "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", - "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null" + "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Using Default Service Account", @@ -33,7 +35,8 @@ "searchKey": "google_compute_instance[positive3].service_account.email", "searchValue": "", "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", - "actualValue": "'google_compute_instance[positive3].service_account.email' is empty" + "actualValue": "'google_compute_instance[positive3].service_account.email' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Service Account", @@ -45,7 +48,8 @@ "searchKey": "google_compute_instance[positive4].service_account.email", "searchValue": "", "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", - "actualValue": "'google_compute_instance[positive4].service_account.email' is an email" + "actualValue": "'google_compute_instance[positive4].service_account.email' is an email", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Service Account", @@ -57,6 +61,7 @@ "searchKey": "google_compute_instance[positive5].service_account.email", "searchValue": "", "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", - "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account" + "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json index ddadb20aed0..49f6397a274 100644 --- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_instance[positive1].metadata.serial-port-enable", "searchValue": "", "expectedValue": "google_compute_instance[positive1].metadata.serial-port-enable should be set to false or undefined", - "actualValue": "google_compute_instance[positive1].metadata.serial-port-enable is true" + "actualValue": "google_compute_instance[positive1].metadata.serial-port-enable is true", + "issueType": "IncorrectValue" }, { "queryName": "Serial Ports Are Enabled For VM Instances", @@ -21,7 +22,8 @@ "searchKey": "google_compute_project_metadata[positive2].metadata.serial-port-enable", "searchValue": "", "expectedValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable should be set to false or undefined", - "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true" + "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true", + "issueType": "IncorrectValue" }, { "queryName": "Serial Ports Are Enabled For VM Instances", @@ -33,6 +35,7 @@ "searchKey": "google_compute_project_metadata_item[positive3].value", "searchValue": "", "expectedValue": "google_compute_project_metadata[positive3].value should be set to false", - "actualValue": "google_compute_project_metadata[positive3].value is true" + "actualValue": "google_compute_project_metadata[positive3].value is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index 5dcd78396d1..706b59f9da6 100644 --- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "google_compute_instance[positive1].service_account.scopes", "searchValue": "", "expectedValue": "'service_account.scopes' should not contain 'cloud-platform'", - "actualValue": "'service_account.scopes' contains 'cloud-platform'" + "actualValue": "'service_account.scopes' contains 'cloud-platform'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json index b16f9b8d03e..4dc384b94f7 100644 --- a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_dataflow_job[pubsub_stream]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP Dataflow", @@ -21,6 +22,7 @@ "searchKey": "google_dataflow_job[pubsub_stream2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json index 6abdb96caca..6d2b3d1a8fd 100644 --- a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_filestore_instance[instance]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP FI", @@ -21,7 +22,8 @@ "searchKey": "google_filestore_instance[instance2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP FI", @@ -33,6 +35,7 @@ "searchKey": "google_filestore_instance[instance3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json index 7fd44dd7362..0f9ce2f3dbf 100644 --- a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_compute_disk[positive1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -21,7 +22,8 @@ "searchKey": "google_compute_disk[positive2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -33,7 +35,8 @@ "searchKey": "google_compute_disk[positive3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -45,7 +48,8 @@ "searchKey": "google_compute_disk[positive4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -57,7 +61,8 @@ "searchKey": "google_compute_disk[negative1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PD", @@ -69,6 +74,7 @@ "searchKey": "google_compute_disk[negative2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json index ba6ac0cf696..80667acfab2 100644 --- a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_pubsub_topic[example1]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PST", @@ -21,7 +22,8 @@ "searchKey": "google_pubsub_topic[example2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PST", @@ -33,7 +35,8 @@ "searchKey": "google_pubsub_topic[example3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP PST", @@ -45,6 +48,7 @@ "searchKey": "google_pubsub_topic[example4]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json index 692aa7c1766..b594a13a95e 100644 --- a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_redis_instance[cache]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP Redis", @@ -21,6 +22,7 @@ "searchKey": "google_redis_instance[cache2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json index 124b877598e..9ca18871834 100644 --- a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "google_storage_bucket[bucket]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -21,7 +22,8 @@ "searchKey": "google_storage_bucket[bucket2]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - GCP SB", @@ -33,6 +35,7 @@ "searchKey": "google_storage_bucket[bucket3]", "searchValue": "", "expectedValue": "", - "actualValue": "" + "actualValue": "", + "issueType": "BillOfMaterials" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json index 6ffadfb72dc..7a6f6619417 100644 --- a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json +++ b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "module.{{acm}}.source", "searchValue": "", "expectedValue": "Module 'source' field should have a reference", - "actualValue": "Module 'source' field does not have reference" + "actualValue": "Module 'source' field does not have reference", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json index 9cb2a4c440c..fed6b8ca524 100644 --- a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json +++ b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "resource.aws_eks_cluster.positiveExample", "searchValue": "", "expectedValue": "All names should be on snake case pattern", - "actualValue": "'positiveExample' is not in snake case" + "actualValue": "'positiveExample' is not in snake case", + "issueType": "IncorrectValue" }, { "queryName": "Name Is Not Snake Case", @@ -21,6 +22,7 @@ "searchKey": "module.ACMPositive2", "searchValue": "", "expectedValue": "All names should be on snake case pattern", - "actualValue": "'ACMPositive2' is not in snake case" + "actualValue": "'ACMPositive2' is not in snake case", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json index e686d965ab5..28de9e9a510 100644 --- a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "output.{{cluster_name}}", "searchValue": "", "expectedValue": "'description' should be defined and not null", - "actualValue": "'description' is undefined or null" + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Output Without Description", @@ -21,7 +22,8 @@ "searchKey": "output.{{cluster_name}}.description", "searchValue": "", "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Output Without Description", @@ -33,6 +35,7 @@ "searchKey": "output.{{cluster_name}}.description", "searchValue": "", "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json index 52c51ee869e..4a0b10e58c5 100644 --- a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "variable.{{cluster_name}}", "searchValue": "", "expectedValue": "'description' should be defined and not null", - "actualValue": "'description' is undefined or null" + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Variable Without Description", @@ -21,7 +22,8 @@ "searchKey": "variable.{{cluster_name}}.description", "searchValue": "", "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Variable Without Description", @@ -33,6 +35,7 @@ "searchKey": "variable.{{cluster_name}}.description", "searchValue": "", "expectedValue": "'description' should not be empty", - "actualValue": "'description' is empty" + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json index e4ce822919c..6cad82fe9fb 100644 --- a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "variable.{{cluster_name}}", "searchValue": "", "expectedValue": "'type' should be defined and not null", - "actualValue": "'type' is undefined or null" + "actualValue": "'type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Variable Without Type", @@ -21,7 +22,8 @@ "searchKey": "variable.{{cluster_name}}.type", "searchValue": "", "expectedValue": "'type' should not be empty", - "actualValue": "'type' is empty" + "actualValue": "'type' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Variable Without Type", @@ -33,6 +35,7 @@ "searchKey": "variable.{{cluster_name}}.type", "searchValue": "", "expectedValue": "'type' should not be empty", - "actualValue": "'type' is empty" + "actualValue": "'type' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json index 6fa0c3ad331..71b0ae32407 100644 --- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "github_organization_webhook[positive1].configuration.insecure_ssl", "searchValue": "", "expectedValue": "github_organization_webhook[positive1].configuration.insecure_ssl should be set to false", - "actualValue": "github_organization_webhook[positive1].configuration.insecure_ssl is true" + "actualValue": "github_organization_webhook[positive1].configuration.insecure_ssl is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json index 36f1b0d8f23..11b1cf361b2 100644 --- a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "github_repository[positive1]", "searchValue": "", "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", - "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null" + "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", @@ -21,7 +22,8 @@ "searchKey": "github_repository[positive2].private", "searchValue": "", "expectedValue": "Attribute 'private' should be true", - "actualValue": "Attribute 'private' is false" + "actualValue": "Attribute 'private' is false", + "issueType": "IncorrectValue" }, { "queryName": "GitHub Repository Set To Public", @@ -33,6 +35,7 @@ "searchKey": "github_repository[positive3].visibility", "searchValue": "", "expectedValue": "Attribute 'visibility' should be 'private'", - "actualValue": "Attribute 'visibility' is 'public'" + "actualValue": "Attribute 'visibility' is 'public'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index 402f65437b2..3060432212a 100644 --- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_cluster_role_binding[example2].role_ref.name", "searchValue": "", "expectedValue": "Resource name 'example2' isn't binding 'cluster-admin' role with superuser permissions", - "actualValue": "Resource name 'example2' is binding 'cluster-admin' role with superuser permissions" + "actualValue": "Resource name 'example2' is binding 'cluster-admin' role with superuser permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index 09af88ddfc2..dd94411a50e 100644 --- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls should be undefined", - "actualValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls is set" + "actualValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls is set", + "issueType": "IncorrectValue" }, { "queryName": "Cluster Allows Unsafe Sysctls", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_pod[test].spec.security_context.sysctl", "searchValue": "", "expectedValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name should not have an unsafe sysctl", - "actualValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name has an unsafe sysctl" + "actualValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name has an unsafe sysctl", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json index 8d97436071f..46a41d9b3cf 100644 --- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod[positive1].spec.host_pid", "searchValue": "", "expectedValue": "Attribute 'host_pid' should be undefined or false", - "actualValue": "Attribute 'host_pid' is true" + "actualValue": "Attribute 'host_pid' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json index b719a87f01f..a3cac7b7abc 100644 --- a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.privileged", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged should be set to false", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged is set to true" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.privileged", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged should be set to false", - "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged is set to true" + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context.privileged", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.privileged should not be set to true", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.privileged is set to true" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.privileged is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json index 1a890508a44..20563ea17f9 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "limits", "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container.resources", "searchValue": "requests", "expectedValue": "kubernetes_pod[positive2].spec.container.resources.requests should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.resources.requests is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container.resources", "searchValue": "limits", "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", - "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", @@ -57,6 +61,7 @@ "searchKey": "kubernetes_pod[positive4].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json index 42b11726037..dd8fa5f8dda 100644 --- a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_proc_mount_types", "searchValue": "", "expectedValue": "allowed_proc_mount_types should contain the value Default", - "actualValue": "allowed_proc_mount_types contains the value Unmasked" + "actualValue": "allowed_proc_mount_types contains the value Unmasked", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json index d4819840ed0..56fc020f90d 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should be undefined", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add is set" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add is set", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Added Capabilities", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should be undefined", - "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set" + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Added Capabilities", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", - "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set" + "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json index 79cc5427ae9..72f446efe35 100644 --- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should not have 'SYS_ADMIN'", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add has 'SYS_ADMIN'" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Sys Admin Capabilities", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should not have 'SYS_ADMIN'", - "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add has 'SYS_ADMIN'" + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Sys Admin Capabilities", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should not have 'SYS_ADMIN'", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add has 'SYS_ADMIN'" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json index 8112dc2570f..b101e3c7698 100644 --- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container.resources", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", - "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", @@ -69,6 +74,7 @@ "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json index e1ecd1d747e..33f01a4b8f4 100644 --- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container.resources", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container.resources.requests should be set", - "actualValue": "kubernetes_pod[positive3].spec.container.resources.requests is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", @@ -69,6 +74,7 @@ "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json index 8583640db19..2bfdc7456fa 100644 --- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_cron_job[demo].spec", "searchValue": "", "expectedValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds should be set", - "actualValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds is undefined" + "actualValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json index 108ab8990f0..71b68df59fe 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_service_account[example]", "searchValue": "", "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set", - "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined" + "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Default Service Account In Use", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_service_account[example2].automount_service_account_token", "searchValue": "", "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false", - "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false" + "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 65ea558811f..e0b8c1585ae 100644 --- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec", "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", - "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined" + "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Deployment Has No PodAntiAffinity", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_deployment[example2].spec.template.spec.affinity", "searchValue": "", "expectedValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity should be set", - "actualValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity is undefined" + "actualValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Deployment Has No PodAntiAffinity", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", "searchValue": "", "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", - "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined" + "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined", + "issueType": "IncorrectValue" }, { "queryName": "Deployment Has No PodAntiAffinity", @@ -45,6 +48,7 @@ "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity", "searchValue": "", "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata", - "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata" + "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json index f87e0bcc98a..b20d6e05aab 100644 --- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_deployment[example].spec.selector.match_labels", "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.selector.match_labels is targeted by a PodDisruptionBudget", - "actualValue": "kubernetes_deployment[example].spec.selector.match_labels is not targeted by a PodDisruptionBudget" + "actualValue": "kubernetes_deployment[example].spec.selector.match_labels is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 5a6745ced16..b7b28748d1d 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.volume", "searchValue": "", "expectedValue": "spec.volume[0].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.volume[0].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test].spec.volume", "searchValue": "", "expectedValue": "spec.volume[1].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", "searchValue": "", "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", "searchValue": "", "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", "searchValue": "", "expectedValue": "spec.job_template.spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.job_template.spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.job_template.spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", @@ -69,6 +74,7 @@ "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", "searchValue": "", "expectedValue": "spec.job_template.spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", - "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'" + "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json index ea4a6e70607..195286f613a 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric", "searchValue": "", "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object", - "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object" + "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object", + "issueType": "IncorrectValue" }, { "queryName": "HPA Targets Invalid Object", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric", "searchValue": "", "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object", - "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object" + "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index c53df9cdeea..28ef6f1aa7e 100644 --- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy", "searchValue": "", "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", - "actualValue": "Attribute 'image_pull_policy' is incorrect" + "actualValue": "Attribute 'image_pull_policy' is incorrect", + "issueType": "IncorrectValue" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy", "searchValue": "", "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", - "actualValue": "Attribute 'image_pull_policy' is incorrect" + "actualValue": "Attribute 'image_pull_policy' is incorrect", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json index 9cb714feb60..b77c91ccd0f 100644 --- a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[0].image has '@'", - "actualValue": "kubernetes_pod[positive3].spec.container[0].image does not have '@'" + "actualValue": "kubernetes_pod[positive3].spec.container[0].image does not have '@'", + "issueType": "IncorrectValue" }, { "queryName": "Image Without Digest", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[1].image has '@'", - "actualValue": "kubernetes_pod[positive3].spec.container[1].image does not have '@'" + "actualValue": "kubernetes_pod[positive3].spec.container[1].image does not have '@'", + "issueType": "IncorrectValue" }, { "queryName": "Image Without Digest", @@ -69,6 +74,7 @@ "searchKey": "kubernetes_pod[positive4].spec.container.image", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.image has '@'", - "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'" + "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 9e7625f7e10..90397c0d861 100644 --- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template", "searchValue": "", "expectedValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has only one template with a 'ReadWriteOnce'", - "actualValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has multiple templates with 'ReadWriteOnce'" + "actualValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue" }, { "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template", "searchValue": "", "expectedValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template has one template with a 'ReadWriteOnce'", - "actualValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template does not have a template with a 'ReadWriteOnce'" + "actualValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json index 3b6a4aafb09..717032cd641 100644 --- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_ingress[example].spec.rule.http.path.backend", "searchValue": "", "expectedValue": "kubernetes_ingress[example] should not be exposing the workload", - "actualValue": "kubernetes_ingress[example] is exposing the workload" + "actualValue": "kubernetes_ingress[example] is exposing the workload", + "issueType": "IncorrectValue" }, { "queryName": "Ingress Controller Exposes Workload", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_ingress[example-ingress-2].spec.rule.http.path.backend", "searchValue": "", "expectedValue": "kubernetes_ingress[example-ingress-2] should not be exposing the workload", - "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload" + "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload", + "issueType": "IncorrectValue" }, { "queryName": "Ingress Controller Exposes Workload", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", "searchValue": "", "expectedValue": "kubernetes_ingress[example-4] should not be exposing the workload", - "actualValue": "kubernetes_ingress[example-4] is exposing the workload" + "actualValue": "kubernetes_ingress[example-4] is exposing the workload", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json index 39281e135c0..9ffa218c56f 100644 --- a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.image", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container.image should not be empty or latest", - "actualValue": "kubernetes_pod[positive1].spec.container.image is empty or latest" + "actualValue": "kubernetes_pod[positive1].spec.container.image is empty or latest", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Image", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Invalid Image", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest", - "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest" + "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json index 1a93bb893aa..f87e86235a8 100644 --- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.container", "searchValue": "", "expectedValue": "Attribute 'livenessProbe' should be defined and not null", - "actualValue": "Attribute 'livenessProbe' is undefined or null" + "actualValue": "Attribute 'livenessProbe' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Liveness Probe Is Not Defined", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.container", "searchValue": "", "expectedValue": "Attribute 'livenessProbe' should be defined and not null", - "actualValue": "Attribute 'livenessProbe' is undefined or null" + "actualValue": "Attribute 'livenessProbe' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json index 537f1a9f14c..17a12a37101 100644 --- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.limits should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.limits is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.limits should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_pod[positive5].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", @@ -105,6 +113,7 @@ "searchKey": "kubernetes_pod[positive6].spec.container.resources", "searchValue": "", "expectedValue": "kubernetes_pod[positive6].spec.container.resources.limits should be set", - "actualValue": "kubernetes_pod[positive6].spec.container.resources.limits is undefined" + "actualValue": "kubernetes_pod[positive6].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json index 972b2d9ccbc..b644176dd28 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", - "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", - "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined" + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_pod[positive5].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", - "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined" + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", @@ -105,6 +113,7 @@ "searchKey": "kubernetes_pod[positive6].spec.container.resources", "searchValue": "", "expectedValue": "kubernetes_pod[positive6].spec.container.resources.requests should be set", - "actualValue": "kubernetes_pod[positive6].spec.container.resources.requests is undefined" + "actualValue": "kubernetes_pod[positive6].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json index a15e0f9bb04..587133dcb16 100644 --- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod[test].metadata.labels", "searchValue": "", "expectedValue": "kubernetes_pod[test].metada.labels[app] has valid label", - "actualValue": "kubernetes_pod[test].metada.labels[app] has invalid label" + "actualValue": "kubernetes_pod[test].metada.labels[app] has invalid label", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json index 64d8e121b55..3f632f79aa4 100644 --- a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[example1].metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_pod[example1].metadata.annotations should contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'", - "actualValue": "kubernetes_pod[example1].metadata.annotations doesn't contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'" + "actualValue": "kubernetes_pod[example1].metadata.annotations doesn't contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'", + "issueType": "IncorrectValue" }, { "queryName": "Missing App Armor Config", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_pod[example2].metadata", "searchValue": "", "expectedValue": "kubernetes_pod[example2].metadata should include annotations for AppArmor profile config", - "actualValue": "kubernetes_pod[example2].metadata doesn't contain AppArmor profile config in annotations" + "actualValue": "kubernetes_pod[example2].metadata doesn't contain AppArmor profile config in annotations", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json index 79d621865c1..d767b2c118e 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.required_drop_capabilities", "searchValue": "", "expectedValue": "spec.required_drop_capabilities 'is ALL or NET_RAW'", - "actualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'" + "actualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index 5e403e66acf..5d06d443fdb 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined" + "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined" + "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW" + "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW" + "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -105,7 +113,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -117,7 +126,8 @@ "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", "searchValue": "", "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", - "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW" + "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -129,7 +139,8 @@ "searchKey": "kubernetes_pod[positive4].spec.container.security_context", "searchValue": "", "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", - "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", @@ -141,6 +152,7 @@ "searchKey": "kubernetes_pod[positive5].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined" + "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index 5ec7cf83b42..b991ca5e966 100644 --- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_network_policy[example].spec.pod_selector.match_labels", "searchValue": "", "expectedValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is targeting at least a pod", - "actualValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is not targeting any pod" + "actualValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is not targeting any pod", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json index 518b3ef1268..903ee2edcf9 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test10].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined" + "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test10].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined" + "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[test11].spec.container.security_context.capabilities", "searchValue": "", "expectedValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop should be set", - "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined" + "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined", + "issueType": "IncorrectValue" }, { "queryName": "No Drop Capabilities for Containers", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[test20].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[test20].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities should be set", - "actualValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_pod[test21].spec.container.security_context", "searchValue": "", "expectedValue": "kubernetes_pod[test21].spec.container.security_context.capabilities should be set", - "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined" + "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_pod[test30].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", - "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined" + "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_pod[test30].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", - "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined" + "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", @@ -105,6 +113,7 @@ "searchKey": "kubernetes_pod[test31].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined" + "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index 6b2d4613317..f23b522a8ba 100644 --- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" + "actualValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test2].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted" + "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted" + "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", @@ -45,6 +48,7 @@ "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", - "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted" + "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json index a2bae68ecc3..bc3f00953a5 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_role[example1].rule.verbs.create", "searchValue": "create/pods", "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", - "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'" + "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_role[example2].rule.verbs.create", "searchValue": "create/*", "expectedValue": "kubernetes_role[example2].rule.verbs should not contain the value 'create' when kubernetes_role[example2].rule.resources contains a wildcard value", - "actualValue": "kubernetes_role[example2].rule.verbs contains the value 'create' and kubernetes_role[example2].rule.resources contains a wildcard value" + "actualValue": "kubernetes_role[example2].rule.verbs contains the value 'create' and kubernetes_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_role[example3].rule.verbs.*", "searchValue": "*/pods", "expectedValue": "kubernetes_role[example3].rule.verbs should not contain a wildcard value when kubernetes_role[example3].rule.resources contains the value 'pods'", - "actualValue": "kubernetes_role[example3].rule.verbs contains a wildcard value and kubernetes_role[example3].rule.resources contains the value 'pods'" + "actualValue": "kubernetes_role[example3].rule.verbs contains a wildcard value and kubernetes_role[example3].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_role[example4].rule.verbs.*", "searchValue": "*/*", "expectedValue": "kubernetes_role[example4].rule.verbs should not contain a wildcard value when kubernetes_role[example4].rule.resources contains a wildcard value", - "actualValue": "kubernetes_role[example4].rule.verbs contains a wildcard value and kubernetes_role[example4].rule.resources contains a wildcard value" + "actualValue": "kubernetes_role[example4].rule.verbs contains a wildcard value and kubernetes_role[example4].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_cluster_role[example1].rule.verbs.create", "searchValue": "create/pods", "expectedValue": "kubernetes_cluster_role[example1].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", - "actualValue": "kubernetes_cluster_role[example1].rule.verbs contains the value 'create' and kubernetes_cluster_role[example1].rule.resources contains the value 'pods'" + "actualValue": "kubernetes_cluster_role[example1].rule.verbs contains the value 'create' and kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_cluster_role[example2].rule.verbs.create", "searchValue": "create/*", "expectedValue": "kubernetes_cluster_role[example2].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example2].rule.resources contains a wildcard value", - "actualValue": "kubernetes_cluster_role[example2].rule.verbs contains the value 'create' and kubernetes_cluster_role[example2].rule.resources contains a wildcard value" + "actualValue": "kubernetes_cluster_role[example2].rule.verbs contains the value 'create' and kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_cluster_role[example3].rule.verbs.*", "searchValue": "*/*", "expectedValue": "kubernetes_cluster_role[example3].rule.verbs should not contain a wildcard value when kubernetes_cluster_role[example3].rule.resources contains a wildcard value", - "actualValue": "kubernetes_cluster_role[example3].rule.verbs contains a wildcard value and kubernetes_cluster_role[example3].rule.resources contains a wildcard value" + "actualValue": "kubernetes_cluster_role[example3].rule.verbs contains a wildcard value and kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", @@ -93,6 +100,7 @@ "searchKey": "kubernetes_cluster_role[example4].rule.verbs.*", "searchValue": "*/pods", "expectedValue": "kubernetes_cluster_role[example4].rule.verb should not contain a wildcard value when kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", - "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'" + "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json index 513896bd13b..cb8fffff383 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined" + "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context should be set", - "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context is undefined" + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[positive2].spec", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", - "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined" + "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", @@ -57,6 +61,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json index 13381cb4761..3feb8e570fa 100644 --- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.allow_privilege_escalation", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation should not be set to true", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation is set to true" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Allowed", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.allow_privilege_escalation", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation should not be set to true", - "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation is set to true" + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Allowed", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation should not be set to true", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation is set to true" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json index 49d7c37a7a9..19282f91fec 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.host_network", "searchValue": "", "expectedValue": "'spec.hostNetwork' should be set to false or undefined", - "actualValue": "'spec.hostNetwork' is true" + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json index a332d08a775..9514f955cc7 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "PSP Allows Privilege Escalation", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_pod_security_policy[example2].spec", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation should be set", - "actualValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation is undefined" + "actualValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json index 0e9b5f8636e..74a7600a9fd 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example2].spec.host_ipc", "searchValue": "", "expectedValue": "Attribute 'host_ipc' should be undefined or false", - "actualValue": "Attribute 'host_ipc' is true" + "actualValue": "Attribute 'host_ipc' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json index 68ce8a91dd8..cc2dd2e30f1 100644 --- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is not set to false" + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is not set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json index 25bf35f3042..7bdea3ee5ef 100644 --- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_capabilities", "searchValue": "", "expectedValue": "Pod Security Policy example should not have allowed capabilities", - "actualValue": "Pod Security Policy example has allowed capabilities" + "actualValue": "Pod Security Policy example has allowed capabilities", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 71e4d835f8b..b2eca4b5a64 100644 --- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_role[example1].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", - "actualValue": "Some rule is giving access to 'secrets' resources" + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_cluster_role[example2].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", - "actualValue": "Some rule is giving access to 'secrets' resources" + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_role[example3].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", - "actualValue": "Some rule is giving access to 'secrets' resources" + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", @@ -45,6 +48,7 @@ "searchKey": "kubernetes_cluster_role[example4].rule", "searchValue": "", "expectedValue": "Rules don't give access to 'secrets' resources", - "actualValue": "Some rule is giving access to 'secrets' resources" + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json index 774d5f64491..09b5f5ba6af 100644 --- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", - "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined" + "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Readiness Probe Is Not Configured", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test2].spec.container[0].readiness_probe should be set", - "actualValue": "kubernetes_pod[test2].spec.container[0].readiness_probe is undefined" + "actualValue": "kubernetes_pod[test2].spec.container[0].readiness_probe is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Readiness Probe Is Not Configured", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[test2].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[test2].spec.container[1].readiness_probe should be set", - "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined" + "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json index f36e75c76ee..71b7f036efd 100644 --- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "resource.kubernetes_role_binding[example]", "searchValue": "", "expectedValue": "resource.kubernetes_role_binding[example].subject[1].name should not be default", - "actualValue": "resource.kubernetes_role_binding[example].subject[1].name is default" + "actualValue": "resource.kubernetes_role_binding[example].subject[1].name is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 1a1077e269b..480eb6c3108 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true", - "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true" + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Root Container Not Mounted As Read-only", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set", - "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined" + "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Root Container Not Mounted As Read-only", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[positive2].spec.container.security_context", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem should be set", - "actualValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem is undefined" + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem is undefined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json index 1d7f7dfbb30..fbb1afd142f 100644 --- a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true" + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", - "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true" + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.run_as_user.rule", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is equal to 'MustRunAsNonRoot'", - "actualValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is not equal to 'MustRunAsNonRoot'" + "actualValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule limits its ranges", - "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges" + "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", @@ -57,6 +61,7 @@ "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", "searchValue": "", "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", - "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)" + "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json index e2613747a9f..7b8d3a81f35 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[pod1].metadata", "searchValue": "", "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", - "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined" + "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[pod2].metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", - "actualValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" + "actualValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[pod3].metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata", "searchValue": "", "expectedValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations should be set", - "actualValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations is undefined" + "actualValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", - "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" + "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_deployment[deployment1].spec.template.metadata", "searchValue": "", "expectedValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations should be set", - "actualValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations is undefined" + "actualValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", - "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined" + "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", @@ -105,6 +113,7 @@ "searchKey": "kubernetes_deployment[deployment3].spec.template.metadata.annotations", "searchValue": "", "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", - "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'" + "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json index 46945ccf300..100ad87ea1d 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.container.env", "searchValue": "", "expectedValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref should be undefined", - "actualValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref is set" + "actualValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref is set", + "issueType": "IncorrectValue" }, { "queryName": "Secrets As Environment Variables", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_pod[test].spec.container.env_from", "searchValue": "", "expectedValue": "kubernetes_pod[test].spec.container.env_from.secret_ref should be undefined", - "actualValue": "kubernetes_pod[test].spec.container.env_from.secret_ref is set" + "actualValue": "kubernetes_pod[test].spec.container.env_from.secret_ref is set", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json index e03300ed3a7..48a474d485e 100644 --- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_cluster_role[cluster_role_name].rule", "searchValue": "", "expectedValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", - "actualValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]" + "actualValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Allows Access Secrets", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_role[role_name].rule", "searchValue": "", "expectedValue": "kubernetes_role[role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", - "actualValue": "kubernetes_role[role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]" + "actualValue": "kubernetes_role[role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json index ea8448b8383..af3d51eb554 100644 --- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test1].spec", "searchValue": "", "expectedValue": "kubernetes_pod[test1].spec.service_account_name should be defined and not null", - "actualValue": "kubernetes_pod[test1].spec.service_account_name is undefined or null" + "actualValue": "kubernetes_pod[test1].spec.service_account_name is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Name Undefined Or Empty", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test2].spec", "searchValue": "", "expectedValue": "kubernetes_pod[test2].spec.service_account_name should be defined and not null", - "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null" + "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Name Undefined Or Empty", @@ -33,6 +35,7 @@ "searchKey": "kubernetes_pod[test3].spec.service_account_name", "searchValue": "", "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct", - "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty" + "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json index 3b82851defc..fee1c8f83c7 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec", "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", - "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined" + "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token", "searchValue": "", "expectedValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token should be set to false", - "actualValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token is set to true" + "actualValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", "searchValue": "", "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", - "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true" + "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", @@ -45,6 +48,7 @@ "searchKey": "kubernetes_pod[test6].spec", "searchValue": "", "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", - "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined" + "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json index 832a53c4f06..3d51d740b89 100644 --- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_service[example].spec.type", "searchValue": "", "expectedValue": "kubernetes_service[example].spec.type should not be 'NodePort'", - "actualValue": "kubernetes_service[example].spec.type is 'NodePort'" + "actualValue": "kubernetes_service[example].spec.type is 'NodePort'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json index d29964838cc..7ebf5b9f61f 100644 --- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_service[example1].metadata.name.annotations", "searchValue": "", "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)", - "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)" + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_service[example2].metadata.name", "searchValue": "", "expectedValue": "'metadata.annotations' should be set", - "actualValue": "'metadata.annotations' is undefined" + "actualValue": "'metadata.annotations' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service With External Load Balancer", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_service[example2].metadata.name.annotations", "searchValue": "", "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)", - "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)" + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_service[example3].metadata.name.annotations", "searchValue": "", "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)", - "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)" + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)", + "issueType": "IncorrectValue" }, { "queryName": "Service With External Load Balancer", @@ -57,6 +61,7 @@ "searchKey": "kubernetes_service[example4].metadata.name.annotations", "searchValue": "", "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)", - "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)" + "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json index f7d12d51c1f..2a17a1fde39 100644 --- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod[positive1].spec.host_ipc", "searchValue": "", "expectedValue": "Attribute 'host_ipc' should be undefined or false", - "actualValue": "Attribute 'host_ipc' is true" + "actualValue": "Attribute 'host_ipc' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json index 3cd08925eba..0fe96c66e02 100644 --- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod[test].spec.host_network", "searchValue": "", "expectedValue": "kubernetes_pod[test].spec.host_network should be undefined or set to false", - "actualValue": "kubernetes_pod[test].spec.host_network is set to true" + "actualValue": "kubernetes_pod[test].spec.host_network is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json index 67ef70c8822..31eee55164f 100644 --- a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_pod[with_pod_affinity].spec.service_account_name", "searchValue": "", "expectedValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name should not be shared with other workloads", - "actualValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name is shared with other workloads" + "actualValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name is shared with other workloads", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json index 4b339980c99..963d6877f85 100644 --- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage", "searchValue": "", "expectedValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage should not be set", - "actualValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage is set to 16Gi" + "actualValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage is set to 16Gi", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index 74c4d5deb17..bec725226cc 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_stateful_set[prometheus].spec.selector.match_labels", "searchValue": "", "expectedValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is targeted by a PodDisruptionBudget", - "actualValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is not targeted by a PodDisruptionBudget" + "actualValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json index 3e60fe36654..bb462420cdc 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "kubernetes_stateful_set[prometheus].spec.service_name", "searchValue": "", "expectedValue": "kubernetes_stateful_set[prometheus].spec.service_name should refer to a Headless Service", - "actualValue": "kubernetes_stateful_set[prometheus].spec.service_name does not refer to a Headless Service" + "actualValue": "kubernetes_stateful_set[prometheus].spec.service_name does not refer to a Headless Service", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json index cd4dff31bc9..552506df2d2 100644 --- a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[positive1].metadata", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].metadata should not refer any to a Tiller resource", - "actualValue": "kubernetes_pod[positive1].metadata refers to a Tiller resource" + "actualValue": "kubernetes_pod[positive1].metadata refers to a Tiller resource", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[positive1].spec.container", "searchValue": "", "expectedValue": "kubernetes_pod[positive1].spec.container[0].image shouldn't have any Tiller containers", - "actualValue": "kubernetes_pod[positive1].spec.container[0].image contains a Tiller container" + "actualValue": "kubernetes_pod[positive1].spec.container[0].image contains a Tiller container", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[positive2].spec.container.image", "searchValue": "", "expectedValue": "kubernetes_pod[positive2].spec.container.image shouldn't have any Tiller containers", - "actualValue": "kubernetes_pod[positive2].spec.container.image contains a Tiller container" + "actualValue": "kubernetes_pod[positive2].spec.container.image contains a Tiller container", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_deployment[example].spec.template.metadata", "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.template.metadata should not refer to any Tiller resource", - "actualValue": "kubernetes_deployment[example].spec.template.metadata does not refer to any Tiller resource" + "actualValue": "kubernetes_deployment[example].spec.template.metadata does not refer to any Tiller resource", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", @@ -57,6 +61,7 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image", "searchValue": "", "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers", - "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container" + "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json index dae7713c256..37d8b606ae0 100644 --- a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].metadata.namespace", "searchValue": "", "expectedValue": "kubernetes_pod[test].metadata.namespace should not be set to 'default'", - "actualValue": "kubernetes_pod[test].metadata.namespace is set to 'default'" + "actualValue": "kubernetes_pod[test].metadata.namespace is set to 'default'", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Namespace", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_cron_job[test2].metadata", "searchValue": "", "expectedValue": "kubernetes_cron_job[test2].metadata should be set", - "actualValue": "kubernetes_cron_job[test2].metadata is undefined" + "actualValue": "kubernetes_cron_job[test2].metadata is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index a867516865d..70b3aefc3c0 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined" + "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -21,7 +22,8 @@ "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined" + "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -33,7 +35,8 @@ "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", - "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined" + "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -45,7 +48,8 @@ "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", - "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined" + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -57,7 +61,8 @@ "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only should be set", - "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only is undefined" + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -69,7 +74,8 @@ "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only should be set", - "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only is undefined" + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -81,7 +87,8 @@ "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", "searchValue": "", "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only should be set", - "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only is undefined" + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -93,7 +100,8 @@ "searchKey": "kubernetes_pod[test20].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only should be set to true", - "actualValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only is set to false" + "actualValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -105,7 +113,8 @@ "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only should be set to true", - "actualValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only is set to false" + "actualValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -117,7 +126,8 @@ "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", - "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false" + "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -129,7 +139,8 @@ "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", - "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false" + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -141,7 +152,8 @@ "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", - "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false" + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -153,7 +165,8 @@ "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", - "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false" + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", @@ -165,6 +178,7 @@ "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", "searchValue": "", "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", - "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false" + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json index 16e0ff72318..38dd32edbbf 100644 --- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test].spec.container.port", "searchValue": "", "expectedValue": "Attribute 'host_port' should be defined and not null", - "actualValue": "Attribute 'host_port' is undefined or null" + "actualValue": "Attribute 'host_port' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Workload Host Port Not Specified", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port", "searchValue": "", "expectedValue": "Attribute 'host_port' should be defined and not null", - "actualValue": "Attribute 'host_port' is undefined or null" + "actualValue": "Attribute 'host_port' is undefined or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index 79715364995..bff75f2e890 100644 --- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "kubernetes_pod[test1].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Workload name 'terraform-example1' should not mount a host sensitive OS directory '/var/log' with host_path", - "actualValue": "Workload name 'terraform-example1' is mounting a host sensitive OS directory '/var/log' with host_path" + "actualValue": "Workload name 'terraform-example1' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", @@ -21,6 +22,7 @@ "searchKey": "kubernetes_persistent_volume[test2].spec.volume.host_path.path", "searchValue": "", "expectedValue": "Workload name 'terraform-example2' should not mount a host sensitive OS directory '/var/log' with host_path", - "actualValue": "Workload name 'terraform-example2' is mounting a host sensitive OS directory '/var/log' with host_path" + "actualValue": "Workload name 'terraform-example2' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index ecee4586061..c9840f830d6 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_instance[positive]' has common private network" + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue" }, { "queryName": "Nifcloud Computing Has Common Private Network", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_instance[positive]' has common private network" + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json index a1ce6f1c761..4202cb9c10d 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_security_group_rule[positive]", "searchValue": "", "expectedValue": "'nifcloud_security_group_rule[positive]' set a more restrictive cidr range", - "actualValue": "'nifcloud_security_group_rule[positive]' allows traffic from /0" + "actualValue": "'nifcloud_security_group_rule[positive]' allows traffic from /0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json index d15a907a398..a98b0ebf084 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_instance[positive]' should include a security_group for security purposes", - "actualValue": "'nifcloud_instance[positive]' does not have a security_group" + "actualValue": "'nifcloud_instance[positive]' does not have a security_group", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json index 7d507ebf978..01212fa5cbb 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_security_group[positive]", "searchValue": "", "expectedValue": "'nifcloud_security_group[positive]' should include a description for auditing purposes", - "actualValue": "'nifcloud_security_group[positive]' does not have a description" + "actualValue": "'nifcloud_security_group[positive]' does not have a description", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json index 59f236db36f..6b01d1aaa34 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_security_group_rule[positive]", "searchValue": "", "expectedValue": "'nifcloud_security_group_rule[positive]' should include a description for auditing purposes", - "actualValue": "'nifcloud_security_group_rule[positive]' does not have a description" + "actualValue": "'nifcloud_security_group_rule[positive]' does not have a description", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json index 1bac7c5632d..e88ee9d745a 100644 --- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_db_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days", - "actualValue": "'nifcloud_db_instance[positive]' doesn't have a backup retention period defined" + "actualValue": "'nifcloud_db_instance[positive]' doesn't have a backup retention period defined", + "issueType": "MissingAttribute" }, { "queryName": "Nifcloud Low RDB Backup Retention Period", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_db_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days", - "actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '%!s(int=5)' which is less than minimum of 7 days" + "actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '%!s(int=5)' which is less than minimum of 7 days", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json index 6593714ee40..438010573d7 100644 --- a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_db_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_instance[positive]' should not use publicly accessible set to true. You should limit all access to the minimum that is required for your application to function.", - "actualValue": "'nifcloud_db_instance[positive]' has publicly accessible set to true." + "actualValue": "'nifcloud_db_instance[positive]' has publicly accessible set to true.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json index 921652ee7d1..5b1b12fe52b 100644 --- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_db_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_instance[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_db_instance[positive]' has common private network" + "actualValue": "'nifcloud_db_instance[positive]' has common private network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json index 5b8de087c84..d79fb8925c5 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_db_security_group[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_security_group[positive]' should include a description for auditing purposes.", - "actualValue": "'nifcloud_db_security_group[positive]' does not have a description." + "actualValue": "'nifcloud_db_security_group[positive]' does not have a description.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json index c6e97ff1ff0..10767b01cda 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_db_security_group[positive]", "searchValue": "", "expectedValue": "'nifcloud_db_security_group[positive]' set a more restrictive cidr range", - "actualValue": "'nifcloud_db_security_group[positive]' allows traffic from /0" + "actualValue": "'nifcloud_db_security_group[positive]' allows traffic from /0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json index f3776357501..18f58b01e5c 100644 --- a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_dns_record[positive]", "searchValue": "", "expectedValue": "Verified records should be removed from 'nifcloud_dns_record[positive]'.", - "actualValue": "'nifcloud_dns_record[positive]' has risk of DNS records being used by others." + "actualValue": "'nifcloud_dns_record[positive]' has risk of DNS records being used by others.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json index b8f2e140106..83af1e5229c 100644 --- a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_elb[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_elb[positive]' has common private network" + "actualValue": "'nifcloud_elb[positive]' has common private network", + "issueType": "IncorrectValue" }, { "queryName": "Nifcloud ELB Has Common Private Network", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_elb[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_elb[positive]' has common private network" + "actualValue": "'nifcloud_elb[positive]' has common private network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json index 1a81466118c..4540ebf4176 100644 --- a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_elb_listener[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.", - "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol." + "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.", + "issueType": "IncorrectValue" }, { "queryName": "Nifcloud ELB Listener Using HTTP Protocol", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_elb_listener[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.", - "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol." + "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json index 8b42737b72e..9def187ec56 100644 --- a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_elb[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features.", - "actualValue": "'nifcloud_elb[positive]' using HTTP protocol." + "actualValue": "'nifcloud_elb[positive]' using HTTP protocol.", + "issueType": "IncorrectValue" }, { "queryName": "Nifcloud ELB Using HTTP Protocol", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_elb[positive]", "searchValue": "", "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features", - "actualValue": "'nifcloud_elb[positive]' use HTTP protocol" + "actualValue": "'nifcloud_elb[positive]' use HTTP protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json index 694f40e0f9a..7c51487080c 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_load_balancer_listener[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer_listener[positive]' should switch to HTTPS to benefit from TLS security features.", - "actualValue": "'nifcloud_load_balancer_listener[positive]' using HTTP port." + "actualValue": "'nifcloud_load_balancer_listener[positive]' using HTTP port.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json index befc9333dce..8a7fea43529 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_load_balancer[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should switch to HTTPS to benefit from TLS security features.", - "actualValue": "'nifcloud_load_balancer[positive]' using HTTP port." + "actualValue": "'nifcloud_load_balancer[positive]' using HTTP port.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json index f73799b4f70..6e6560c5315 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_load_balancer[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", - "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.", + "issueType": "MissingAttribute" }, { "queryName": "Nifcloud LB Using Insecure TLS Policy ID", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_load_balancer[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", - "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json index 51043d96ebb..8e38d219dfc 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_load_balancer[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", - "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.", + "issueType": "MissingAttribute" }, { "queryName": "Nifcloud LB Using Insecure TLS Policy Name", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_load_balancer[positive]", "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", - "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy." + "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json index 075eac54bdf..6f72ef6ed86 100644 --- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_nas_instance[positive]", "searchValue": "", "expectedValue": "'nifcloud_nas_instance[positive]' should use a private LAN to isolate the private side network from the shared network", - "actualValue": "'nifcloud_nas_instance[positive]' has common private network" + "actualValue": "'nifcloud_nas_instance[positive]' has common private network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json index 55369ab2f26..0ceff88141b 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_nas_security_group[positive]", "searchValue": "", "expectedValue": "'nifcloud_nas_security_group[positive]' should include a description for auditing purposes", - "actualValue": "'nifcloud_nas_security_group[positive]' does not have a description" + "actualValue": "'nifcloud_nas_security_group[positive]' does not have a description", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json index 813017e4797..9f0e56150c9 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_nas_security_group[positive]", "searchValue": "", "expectedValue": "'nifcloud_nas_security_group[positive]' set a more restrictive cidr range", - "actualValue": "'nifcloud_nas_security_group[positive]' allows traffic from /0" + "actualValue": "'nifcloud_nas_security_group[positive]' allows traffic from /0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json index 1b2fbf2ce33..65bcc8ec9fc 100644 --- a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "nifcloud_router[positive]", "searchValue": "", "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.", - "actualValue": "'nifcloud_router[positive]' has common private network." + "actualValue": "'nifcloud_router[positive]' has common private network.", + "issueType": "IncorrectValue" }, { "queryName": "Nifcloud Router Has Common Private Network", @@ -21,6 +22,7 @@ "searchKey": "nifcloud_router[positive]", "searchValue": "", "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.", - "actualValue": "'nifcloud_router[positive]' has common private network." + "actualValue": "'nifcloud_router[positive]' has common private network.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json index 485d0e333fe..2d4cd2e6d75 100644 --- a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_router[positive]", "searchValue": "", "expectedValue": "'nifcloud_router[positive]' should include a security_group for security purposes", - "actualValue": "'nifcloud_router[positive]' does not have a security_group" + "actualValue": "'nifcloud_router[positive]' does not have a security_group", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json index adf042d30ab..88e4905373f 100644 --- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "nifcloud_vpn_gateway[positive]", "searchValue": "", "expectedValue": "'nifcloud_vpn_gateway[positive]' should include a security_group for security purposes.", - "actualValue": "'nifcloud_vpn_gateway[positive]' does not have a security_group defined." + "actualValue": "'nifcloud_vpn_gateway[positive]' does not have a security_group defined.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json index f65d667b077..efd8c7193d2 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_mysql_instance[example].internet_service", "searchValue": "", "expectedValue": "[example] has 'internet_service' set to 0 or undefined", - "actualValue": "[example] has 'internet_service' set to 1" + "actualValue": "[example] has 'internet_service' set to 1", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json index 4c092144c44..1dd56045d6e 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_mysql_instance[example].intranet_port", "searchValue": "", "expectedValue": "[example] has 'intranet_port' set to non 3306", - "actualValue": "[example] has 'intranet_port' set to 3306" + "actualValue": "[example] has 'intranet_port' set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "CDB Instance Internet Using Default Intranet Port", @@ -21,6 +22,7 @@ "searchKey": "tencentcloud_mysql_instance[example]", "searchValue": "", "expectedValue": "[example] 'intranet_port' should be set and the value should not be 3306", - "actualValue": "[example] does not set 'intranet_port'" + "actualValue": "[example] does not set 'intranet_port'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json index e842b2d7764..4788f18ea6b 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_mysql_instance[none_backup_policy]", "searchValue": "", "expectedValue": "tencentcloud_mysql_instance[none_backup_policy] should have 'tencentcloud_mysql_backup_policy'", - "actualValue": "tencentcloud_mysql_instance[none_backup_policy] does not have 'tencentcloud_mysql_backup_policy'" + "actualValue": "tencentcloud_mysql_instance[none_backup_policy] does not have 'tencentcloud_mysql_backup_policy'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json index 41f06a32f6e..ce271a49f8d 100644 --- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_clb_instance[internal_clb]", "searchValue": "", "expectedValue": "tencentcloud_clb_instance[internal_clb] should set 'log_set_id' and 'log_topic_id'", - "actualValue": "tencentcloud_clb_instance[internal_clb] not set 'log_set_id' and 'log_topic_id'" + "actualValue": "tencentcloud_clb_instance[internal_clb] not set 'log_set_id' and 'log_topic_id'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json index ad71e6e7670..c9f5359da85 100644 --- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_clb_listener[listener].protocol", "searchValue": "", "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol", - "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol" + "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "CLB Listener Using Insecure Protocols", @@ -21,7 +22,8 @@ "searchKey": "tencentcloud_clb_listener[listener].protocol", "searchValue": "", "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol", - "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol" + "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "CLB Listener Using Insecure Protocols", @@ -33,6 +35,7 @@ "searchKey": "tencentcloud_clb_listener[listener].protocol", "searchValue": "", "expectedValue": "tencentcloud_clb_listener[listener].protocol[UDP] should not be an insecure protocol", - "actualValue": "tencentcloud_clb_listener[listener].protocol[UDP] is an insecure protocol" + "actualValue": "tencentcloud_clb_listener[listener].protocol[UDP] is an insecure protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json index 1e7fb34d727..26a0fe823d1 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].disable_monitor_service", "searchValue": "", "expectedValue": "[cvm_postpaid] 'disable_monitor_service' should be set to false", - "actualValue": "[cvm_postpaid] 'disable_monitor_service' is true" + "actualValue": "[cvm_postpaid] 'disable_monitor_service' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json index ff3e4a9b91a..0b123241734 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].allocate_public_ip", "searchValue": "", "expectedValue": "[cvm_postpaid] 'allocate_public_ip' should be set to false", - "actualValue": "[cvm_postpaid] 'allocate_public_ip' is true" + "actualValue": "[cvm_postpaid] 'allocate_public_ip' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json index d8800abe35f..68f6b0fde8a 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].orderly_security_groups", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups should not contain 'default'", - "actualValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups contains 'default'" + "actualValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups contains 'default'", + "issueType": "IncorrectValue" }, { "queryName": "CVM Instance Using Default Security Group", @@ -21,6 +22,7 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].security_groups", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid].security_groups should not contain 'default'", - "actualValue": "tencentcloud_instance[cvm_postpaid].security_groups contains 'default'" + "actualValue": "tencentcloud_instance[cvm_postpaid].security_groups contains 'default'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json index 0478e8be2ca..02050382a42 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'", - "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'" + "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'", + "issueType": "IncorrectValue" }, { "queryName": "CVM Instance Using Default VPC", @@ -21,6 +22,7 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet", - "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet" + "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json index 82c7901073c..5f2ed30eed7 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", - "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys", + "issueType": "IncorrectValue" }, { "queryName": "CVM Instance Using User Data", @@ -21,7 +22,8 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", - "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys", + "issueType": "IncorrectValue" }, { "queryName": "CVM Instance Using User Data", @@ -33,7 +35,8 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", - "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys", + "issueType": "IncorrectValue" }, { "queryName": "CVM Instance Using User Data", @@ -45,6 +48,7 @@ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data", "searchValue": "", "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions", - "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys" + "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json index c86aebfbef7..f7da0200eeb 100644 --- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_cbs_storage[encrytion_positive1]", "searchValue": "", "expectedValue": "[encrytion_positive1] has encryption enabled", - "actualValue": "[encrytion_positive1] does not have encryption enabled" + "actualValue": "[encrytion_positive1] does not have encryption enabled", + "issueType": "MissingAttribute" }, { "queryName": "Disk Encryption Disabled", @@ -21,6 +22,7 @@ "searchKey": "tencentcloud_cbs_storage[encrytion_positive2].encrypt", "searchValue": "", "expectedValue": "[encrytion_positive2] has encryption set to true", - "actualValue": "[encrytion_positive2] has encryption set to false" + "actualValue": "[encrytion_positive2] has encryption set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json index 45e028271bd..aa25aad7420 100644 --- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" + "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Rule Set Accepts All Traffic", @@ -21,7 +22,8 @@ "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" + "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Rule Set Accepts All Traffic", @@ -33,7 +35,8 @@ "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic" + "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Rule Set Accepts All Traffic", @@ -45,6 +48,7 @@ "searchKey": "tencentcloud_security_group_rule_set[base].ingress", "searchValue": "", "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic", - "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic" + "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json index 5804192e93c..7c5d9097d25 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_kubernetes_cluster[none_encryption_protection]", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] should have 'tencentcloud_kubernetes_encryption_protection' enabled", - "actualValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined" + "actualValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json index eab94f2ffb6..d8c80529b33 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal to 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -21,7 +22,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -33,7 +35,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -45,7 +48,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -57,7 +61,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -69,7 +74,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -81,7 +87,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -93,7 +100,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -105,7 +113,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -117,7 +126,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -129,7 +139,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Has Public Access", @@ -141,6 +152,7 @@ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null", - "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'" + "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json index d77060a7ec6..20f48e54099 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json @@ -9,7 +9,8 @@ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled", "searchValue": "", "expectedValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled should be set to 'true'", - "actualValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled is not set to 'true'" + "actualValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled is not set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "TKE Cluster Log Agent Is Not Enabled", @@ -21,6 +22,7 @@ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster]", "searchValue": "", "expectedValue": "'log_agent' should be defined and not null", - "actualValue": "'log_agent' is undefined or null" + "actualValue": "'log_agent' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json index 486fc25d222..8aa76c84a0b 100644 --- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json @@ -9,6 +9,7 @@ "searchKey": "tencentcloud_vpc_flow_log_config[config].enable", "searchValue": "", "expectedValue": "[config] should have enable set to true", - "actualValue": "[config] has enable set to false" + "actualValue": "[config] has enable set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/failed_queries_report.csv b/failed_queries_report.csv new file mode 100644 index 00000000000..bdf25292cae --- /dev/null +++ b/failed_queries_report.csv @@ -0,0 +1,41 @@ +Query,Status,Tipo de erro,No expected (errado),Valor correto (actual),Notas +ansible/aws/instance_uses_metadata_service_IMDSv1,,issueType errado,IncorrectValue,MissingAttribute, +terraform/nifcloud/load_balancer_use_insecure_tls_policy_name,,issueType errado,MissingAttribute,IncorrectValue, +azureResourceManager/sql_server_database_without_auditing,,issueType errado,MissingAttribute,IncorrectValue, +azureResourceManager/storage_logging_for_read_write_delete_requests_disabled,,issueType errado,MissingAttribute,IncorrectValue, +azureResourceManager/website_with_client_certificate_auth_disabled,,issueType errado,MissingAttribute,IncorrectValue, +openAPI/2.0/security_definitions_undefined_or_empty,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_delete_security_solution_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/activity_log_alert_for_service_health_not_configured,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/backup_vault_without_immutability,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/diagnostic_settings_without_appropriate_logging,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/recovery_services_vaut_with_public_network_access,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/recovery_services_vaut_without_immutability,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/storage_account_not_using_latest_smb_protocol_version,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/storage_account_using_unsafe_smb_channel_encryption,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/storage_account_with_shared_access_key,,issueType errado,MissingAttribute,IncorrectValue, +terraform/azure/storage_account_without_delete_lock,,issueType errado,IncorrectValue,MissingAttribute, +terraform/azure/vm_without_encryption_at_host,,issueType errado,MissingAttribute,IncorrectValue, +k8s/image_pull_policy_of_container_is_not_always,,issueType errado,MissingAttribute,IncorrectValue, +openAPI/general/path_parameter_not_required,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/api_gateway_access_logging_disabled,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/auto_scaling_group_with_no_associated_elb,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/glue_security_configuration_encryption_disabled,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/msk_cluster_encryption_disabled,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/msk_cluster_logging_disabled,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/rds_with_backup_disabled,,issueType errado,MissingAttribute,IncorrectValue, +terraform/aws/sns_topic_not_encrypted,,issueType errado,MissingAttribute,IncorrectValue, +cloudFormation/aws/elb_with_security_group_without_outbound_rules,,issueType errado,MissingAttribute,IncorrectValue, +cloudFormation/aws/elb_without_secure_protocol,,issueType errado,MissingAttribute,IncorrectValue, +cloudFormation/aws/neptune_logging_is_disabled,,issueType errado,MissingAttribute,IncorrectValue, +cloudFormation/aws/secretsmanager_secret_without_kms,,issueType errado,IncorrectValue,MissingAttribute, +dockerfile/apt_get_install_pin_version_not_defined,,issueType errado,MissingAttribute,IncorrectValue, diff --git a/test/queries_test.go b/test/queries_test.go index 5974aa985cf..4cb269a01bd 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -406,7 +406,8 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera require.Equal(tb, expectedItem.SearchKey, actualItem.SearchKey, "Invalid searchKey for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchKey, actualItem.SearchKey) require.Equal(tb, expectedItem.SearchValue, actualItem.SearchValue, "Invalid searchValue for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchValue, actualItem.SearchValue) require.Equal(tb, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue, "Invalid expected value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue) - require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, actualItem.KeyActualValue, actualItem.KeyActualValue) + require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyActualValue, actualItem.KeyActualValue) + require.Equal(tb, expectedItem.IssueType, actualItem.IssueType, "Invalid issue type for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.IssueType, actualItem.IssueType) } } From fc103ad930348fc5c8fcd61d552c0b7680559fc3 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:03:32 +0000 Subject: [PATCH 19/22] changed the issueType to its correct value form several querie's positive_expected_result.json --- .../fix_issue_types.py | 230 ++++++++++++++++++ .../fix_remaining.py | 203 ++++++++++++++++ .../test/positive_expected_result.json | 24 +- .../test/positive_expected_result.json | 18 +- .../test/positive_expected_result.json | 28 +-- .../test/positive_expected_result.json | 12 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 14 +- .../positive2/positive_expected_result.json | 2 +- .../positive4/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 4 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 6 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 8 +- .../test/positive_expected_result.json | 2 +- test/queries_test.go | 2 +- 45 files changed, 602 insertions(+), 169 deletions(-) create mode 100644 .github/scripts/generate-positive-expective-results/fix_issue_types.py create mode 100644 .github/scripts/generate-positive-expective-results/fix_remaining.py diff --git a/.github/scripts/generate-positive-expective-results/fix_issue_types.py b/.github/scripts/generate-positive-expective-results/fix_issue_types.py new file mode 100644 index 00000000000..387a6c4beb3 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/fix_issue_types.py @@ -0,0 +1,230 @@ +""" +Fix incorrect issueType values in positive_expected_result.json for specific failing queries. + +Runs a KICS scan for each failing query, extracts the correct issueType per result +from the scan output, and patches the existing positive_expected_result.json files +without touching any other field. + +Usage: + python fix_issue_types.py # run fixes + python fix_issue_types.py --dry # dry run (report only, no writes) +""" + +import json +import subprocess +import sys +import tempfile +from pathlib import Path + +KICS_ROOT = Path(__file__).resolve().parents[3] +ASSETS_QUERIES_DIR = KICS_ROOT / "assets" / "queries" +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") + +FAILING_QUERIES = [ + "ansible/aws/instance_uses_metadata_service_IMDSv1", + "terraform/nifcloud/load_balancer_use_insecure_tls_policy_name", + "azureResourceManager/sql_server_database_without_auditing", + "azureResourceManager/storage_logging_for_read_write_delete_requests_disabled", + "azureResourceManager/website_with_client_certificate_auth_disabled", + "openAPI/2.0/security_definitions_undefined_or_empty", + "terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured", + "terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured", + "terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured", + "terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured", + "terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured", + "terraform/azure/activity_log_alert_for_delete_security_solution_not_configured", + "terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured", + "terraform/azure/activity_log_alert_for_service_health_not_configured", + "terraform/azure/backup_vault_without_immutability", + "terraform/azure/diagnostic_settings_without_appropriate_logging", + "terraform/azure/recovery_services_vaut_with_public_network_access", + "terraform/azure/recovery_services_vaut_without_immutability", + "terraform/azure/storage_account_not_using_latest_smb_protocol_version", + "terraform/azure/storage_account_using_unsafe_smb_channel_encryption", + "terraform/azure/storage_account_with_shared_access_key", + "terraform/azure/storage_account_without_delete_lock", + "terraform/azure/vm_without_encryption_at_host", + "k8s/image_pull_policy_of_container_is_not_always", + "openAPI/general/path_parameter_not_required", + "terraform/aws/api_gateway_access_logging_disabled", + "terraform/aws/auto_scaling_group_with_no_associated_elb", + "terraform/aws/glue_security_configuration_encryption_disabled", + "terraform/aws/msk_cluster_encryption_disabled", + "terraform/aws/msk_cluster_logging_disabled", + "terraform/aws/rds_with_backup_disabled", + "terraform/aws/sns_topic_not_encrypted", + "cloudFormation/aws/elb_with_security_group_without_outbound_rules", + "cloudFormation/aws/elb_without_secure_protocol", + "cloudFormation/aws/neptune_logging_is_disabled", + "cloudFormation/aws/secretsmanager_secret_without_kms", + "dockerfile/apt_get_install_pin_version_not_defined", +] + + +def get_query_id(query_dir: Path) -> str: + with open(query_dir / "metadata.json", "r", encoding="utf-8") as f: + return json.load(f)["id"] + + +def run_scan(query_dir: Path, query_id: str) -> dict | None: + """Run KICS scan and return the parsed JSON results.""" + with tempfile.TemporaryDirectory() as tmpdir: + test_path = str(query_dir / "test") + payload_path = str(query_dir / "payloads") + output_file = Path(tmpdir) / "results.json" + + cmd = [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", test_path, + "-o", tmpdir, + "--output-name", "results.json", + "-i", query_id, + "-d", f"{payload_path}/all_payloads.json", + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs", + ] + + subprocess.run(cmd, cwd=str(KICS_ROOT), capture_output=True) + + if not output_file.is_file(): + return None + + with open(output_file, "r", encoding="utf-8") as f: + return json.load(f) + + +def build_issue_type_map(scan_data: dict) -> dict[tuple, str]: + """Build a map from (filename, line) -> issue_type from scan results.""" + it_map: dict[tuple, str] = {} + + for section in ("queries", "bill_of_materials"): + for q in scan_data.get(section, []): + for f in q.get("files", []): + file_path = Path(f.get("file_name", "")) + filename = file_path.name + line = f.get("line", 0) + issue_type = f.get("issue_type", "") + expected_value = f.get("expected_value", "") + actual_value = f.get("actual_value", "") + + if issue_type: + # Primary key: (filename, line) + it_map[(filename, line)] = issue_type + # Fallback key with more specificity + it_map[(filename, line, expected_value, actual_value)] = issue_type + + return it_map + + +def find_expected_result_files(query_dir: Path) -> list[Path]: + test_dir = query_dir / "test" + if not test_dir.is_dir(): + return [] + return sorted(test_dir.rglob("positive_expected_result.json")) + + +def patch_expected_results(query_dir: Path, it_map: dict[tuple, str], dry: bool) -> dict: + stats = {"fixed": 0, "unchanged": 0, "not_found": 0} + + for rf in find_expected_result_files(query_dir): + with open(rf, "r", encoding="utf-8") as f: + entries = json.load(f) + + if not isinstance(entries, list): + continue + + modified = False + for entry in entries: + filename = entry.get("filename", "") + line = entry.get("line", 0) + expected_value = entry.get("expectedValue", "") + actual_value = entry.get("actualValue", "") + current_it = entry.get("issueType", "") + + # Try specific key first, then fallback + correct_it = it_map.get( + (filename, line, expected_value, actual_value), + it_map.get((filename, line)) + ) + + if correct_it is None: + stats["not_found"] += 1 + continue + + if current_it != correct_it: + entry["issueType"] = correct_it + stats["fixed"] += 1 + modified = True + else: + stats["unchanged"] += 1 + + if modified and not dry: + with open(rf, "w", encoding="utf-8") as f: + json.dump(entries, f, indent=2, ensure_ascii=False) + f.write("\n") + + return stats + + +def main() -> None: + dry = "--dry" in sys.argv + if dry: + print("=== DRY RUN ===\n") + + total = len(FAILING_QUERIES) + total_fixed = 0 + total_not_found = 0 + failed_scans = [] + + for i, q in enumerate(FAILING_QUERIES, 1): + query_dir = ASSETS_QUERIES_DIR / q + if not query_dir.is_dir(): + print(f"[{i}/{total}] SKIP (not found): {q}") + continue + + query_id = get_query_id(query_dir) + print(f"[{i}/{total}] Scanning: {q} (id={query_id})") + + scan_data = run_scan(query_dir, query_id) + if scan_data is None: + print(f" ERROR: scan produced no output") + failed_scans.append(q) + continue + + it_map = build_issue_type_map(scan_data) + if not it_map: + print(f" WARNING: no results from scan") + failed_scans.append(q) + continue + + stats = patch_expected_results(query_dir, it_map, dry) + total_fixed += stats["fixed"] + total_not_found += stats["not_found"] + + if stats["fixed"]: + print(f" Fixed {stats['fixed']} entries (unchanged: {stats['unchanged']})") + else: + print(f" No changes needed (unchanged: {stats['unchanged']})") + + if stats["not_found"]: + print(f" WARNING: {stats['not_found']} entries could not be matched") + + print(f"\n{'='*60}") + print(f"Total fixed : {total_fixed}") + print(f"Not matched : {total_not_found}") + print(f"Failed scans : {len(failed_scans)}") + + if failed_scans: + print("\nFailed scans:") + for q in failed_scans: + print(f" - {q}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expective-results/fix_remaining.py b/.github/scripts/generate-positive-expective-results/fix_remaining.py new file mode 100644 index 00000000000..12de1ede098 --- /dev/null +++ b/.github/scripts/generate-positive-expective-results/fix_remaining.py @@ -0,0 +1,203 @@ +""" +Fix the remaining queries that failed in fix_issue_types.py: +- activity_log_alert queries: need per-subdirectory scans +- elb_with_security_group_without_outbound_rules: unmatched entries +- activity_log_alert_for_service_health_not_configured: unmatched entries + +Usage: + python fix_remaining.py + python fix_remaining.py --dry +""" + +import json +import subprocess +import sys +import tempfile +from pathlib import Path + +KICS_ROOT = Path(__file__).resolve().parents[3] +ASSETS_QUERIES_DIR = KICS_ROOT / "assets" / "queries" +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") + +REMAINING_QUERIES = [ + "terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured", + "terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured", + "terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured", + "terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured", + "terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured", + "terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured", + "terraform/azure/activity_log_alert_for_delete_security_solution_not_configured", + "terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured", + "terraform/azure/activity_log_alert_for_service_health_not_configured", + "cloudFormation/aws/elb_with_security_group_without_outbound_rules", +] + + +def get_query_id(query_dir: Path) -> str: + with open(query_dir / "metadata.json", "r", encoding="utf-8") as f: + return json.load(f)["id"] + + +def run_scan(scan_path: str, query_id: str, payload_path: str) -> dict | None: + with tempfile.TemporaryDirectory() as tmpdir: + cmd = [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", scan_path, + "-o", tmpdir, + "--output-name", "results.json", + "-i", query_id, + "-d", f"{payload_path}/all_payloads.json", + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs", + ] + subprocess.run(cmd, cwd=str(KICS_ROOT), capture_output=True) + output_file = Path(tmpdir) / "results.json" + if not output_file.is_file(): + return None + with open(output_file, "r", encoding="utf-8") as f: + return json.load(f) + + +def build_issue_type_map(scan_data: dict) -> dict[tuple, str]: + it_map: dict[tuple, str] = {} + for section in ("queries", "bill_of_materials"): + for q in scan_data.get(section, []): + for f in q.get("files", []): + file_path = Path(f.get("file_name", "")) + filename = file_path.name + line = f.get("line", 0) + issue_type = f.get("issue_type", "") + expected_value = f.get("expected_value", "") + actual_value = f.get("actual_value", "") + if issue_type: + it_map[(filename, line)] = issue_type + it_map[(filename, line, expected_value, actual_value)] = issue_type + return it_map + + +def get_scan_dirs(test_dir: Path) -> list[tuple[Path, Path | None]]: + """Return list of (scan_dir, expected_result_file) pairs. + + For queries with positive subdirectories (positive2/, positive3/), + we need to scan each subdirectory separately. + Also scan top-level for the main positive_expected_result.json. + """ + pairs = [] + + # Top-level: scan the whole test dir but only match top-level expected results + top_expected = test_dir / "positive_expected_result.json" + if top_expected.is_file(): + # Scan only the top-level positive files (not in subdirs) + pairs.append((test_dir, top_expected)) + + # Subdirectories with their own positive_expected_result.json + for subdir in sorted(test_dir.iterdir()): + if subdir.is_dir() and subdir.name.startswith("positive"): + sub_expected = subdir / "positive_expected_result.json" + if sub_expected.is_file(): + pairs.append((subdir, sub_expected)) + + return pairs + + +def patch_file(expected_file: Path, it_map: dict[tuple, str], dry: bool) -> dict: + stats = {"fixed": 0, "unchanged": 0, "not_found": 0} + + with open(expected_file, "r", encoding="utf-8") as f: + entries = json.load(f) + + if not isinstance(entries, list): + return stats + + modified = False + for entry in entries: + filename = entry.get("filename", "") + line = entry.get("line", 0) + expected_value = entry.get("expectedValue", "") + actual_value = entry.get("actualValue", "") + current_it = entry.get("issueType", "") + + correct_it = it_map.get( + (filename, line, expected_value, actual_value), + it_map.get((filename, line)) + ) + + if correct_it is None: + stats["not_found"] += 1 + print(f" NOT FOUND: {filename}:{line}") + continue + + if current_it != correct_it: + entry["issueType"] = correct_it + stats["fixed"] += 1 + modified = True + else: + stats["unchanged"] += 1 + + if modified and not dry: + with open(expected_file, "w", encoding="utf-8") as f: + json.dump(entries, f, indent=2, ensure_ascii=False) + f.write("\n") + + return stats + + +def process_query(query_path: str, dry: bool) -> dict: + query_dir = ASSETS_QUERIES_DIR / query_path + query_id = get_query_id(query_dir) + test_dir = query_dir / "test" + payload_path = str(query_dir / "payloads") + + total_stats = {"fixed": 0, "unchanged": 0, "not_found": 0} + + scan_pairs = get_scan_dirs(test_dir) + + for scan_dir, expected_file in scan_pairs: + scan_data = run_scan(str(scan_dir), query_id, payload_path) + if scan_data is None: + print(f" No scan output for {scan_dir.name}") + continue + + it_map = build_issue_type_map(scan_data) + if not it_map: + print(f" No results for {scan_dir.name}") + continue + + stats = patch_file(expected_file, it_map, dry) + for k in total_stats: + total_stats[k] += stats[k] + + return total_stats + + +def main(): + dry = "--dry" in sys.argv + if dry: + print("=== DRY RUN ===\n") + + total_fixed = 0 + total_not_found = 0 + total = len(REMAINING_QUERIES) + + for i, q in enumerate(REMAINING_QUERIES, 1): + print(f"[{i}/{total}] {q}") + stats = process_query(q, dry) + total_fixed += stats["fixed"] + total_not_found += stats["not_found"] + + if stats["fixed"]: + print(f" Fixed {stats['fixed']} (unchanged: {stats['unchanged']})") + else: + print(f" No changes (unchanged: {stats['unchanged']})") + + print(f"\n{'='*60}") + print(f"Total fixed : {total_fixed}") + print(f"Not matched : {total_not_found}") + + +if __name__ == "__main__": + main() diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 54d2b94f9b4..c0500ed6945 100644 --- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -88,7 +88,7 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -101,7 +101,7 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -166,7 +166,7 @@ "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -179,7 +179,7 @@ "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -192,7 +192,7 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -205,7 +205,7 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -218,7 +218,7 @@ "searchValue": "", "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -231,7 +231,7 @@ "searchValue": "", "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -244,7 +244,7 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Instance Uses Metadata Service IMDSv1", @@ -257,6 +257,6 @@ "searchValue": "", "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index a38c5914b43..6782965d029 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -127,7 +127,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -140,7 +140,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -153,7 +153,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -166,7 +166,7 @@ "searchValue": "", "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -179,7 +179,7 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", @@ -192,6 +192,6 @@ "searchValue": "", "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json index db4a16bb087..3dcf6994c34 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -153,7 +153,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -166,7 +166,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -179,7 +179,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -257,7 +257,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -270,7 +270,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -283,7 +283,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -322,7 +322,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", @@ -361,7 +361,7 @@ "searchValue": "", "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index 6c2122f3df8..d1578cc4b54 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -88,7 +88,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -101,7 +101,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -114,7 +114,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", @@ -127,7 +127,7 @@ "searchValue": "", "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json index 596865cc02f..2430bf779c7 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json @@ -88,7 +88,7 @@ "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -101,7 +101,7 @@ "searchValue": "", "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -114,7 +114,7 @@ "searchValue": "", "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB With Security Group Without Outbound Rules", @@ -127,7 +127,7 @@ "searchValue": "", "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB With Security Group Without Outbound Rules", diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json index e8def9748c3..45bbe75ee7e 100644 --- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB Without Secure Protocol", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB Without Secure Protocol", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "ELB Without Secure Protocol", @@ -49,6 +49,6 @@ "searchValue": "", "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json index 38a5db6fdb3..88cb9299bb5 100644 --- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index a0a37ee5070..20760e80ab1 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Secretsmanager Secret Without KMS", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Secretsmanager Secret Without KMS", diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index f2fb0fee127..28afb15a410 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json @@ -23,7 +23,7 @@ "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Pin Version Not Defined", @@ -127,7 +127,7 @@ "searchValue": "python", "expectedValue": "Package 'python' has version defined", "actualValue": "Package 'python' does not have version defined", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Apt Get Install Pin Version Not Defined", diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index b67bc6cd3c9..37f3c034ba0 100644 --- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "Pod", "expectedValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy should be set to 'Always'", "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", @@ -23,7 +23,7 @@ "searchValue": "Deployment", "expectedValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json index 8b36380cfca..99d741c0033 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", "actualValue": "'securityDefinitions' is undefined or empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Security Definitions Undefined or Empty", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'securityDefinitions' should be set and not empty", "actualValue": "'securityDefinitions' is undefined or empty", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Security Definitions Undefined or Empty", diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index f7a1e03ca84..c51f895e0d0 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter Not Required (v3)", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter Not Required (v3)", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter Not Required (v3)", @@ -88,7 +88,7 @@ "searchValue": "", "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Path Parameter Not Required (v3)", diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 12dc6f36af7..47cf2e026d5 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level should be defined and not null", "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index faf8ac7b9f7..554e6ef543d 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "'load_balancers' should be set and not empty", "actualValue": "'load_balancers' is undefined", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json index 1a5804fd91a..2cdbff2cc14 100644 --- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'", "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Glue Security Configuration Encryption Disabled", diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 23a5bc1e110..5a6a4cc4398 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", @@ -49,6 +49,6 @@ "searchValue": "", "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 80e2cda9a3d..ba98ac1fda7 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 2796e8ba858..24a0b21819a 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -49,6 +49,6 @@ "searchValue": "", "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'", "actualValue": "'backup_retention_period' is not defined", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json index 864176d9d58..209d6369ec2 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "SNS Topic should be encrypted", "actualValue": "SNS Topic is not encrypted", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic Not Encrypted", diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json index 336dc0b6303..edf5475dc6c 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 7ff8e7fb1d9..5a203f537d9 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json index 597cd9bece9..44836406ce2 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 2c3c947c21c..ec13bb65dee 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 964202ed200..666456076c8 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json index ff09964966c..621384b8e21 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security group' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index 35b82d416f0..636cb17340e 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index a6785159d2b..9eaa815c278 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json index 65ae119ef43..a9f84a5dc33 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 8dbdfc9b502..9f01f349459 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -36,7 +36,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json index b7f6d538473..116c34733ec 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json index 3da970dbc2d..9279938a24d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json index 5d091be6df9..92bb58dac95 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json index aef1221ea1f..856440e3a9b 100644 --- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json index 95536a8c0ee..3592b3a5781 100644 --- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories", "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Diagnostic Settings Without Appropriate Logging", @@ -88,6 +88,6 @@ "searchValue": "", "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories", "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json index 08e8c7d153d..2fc56212a8f 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json index 7dffc13926c..7d61eebbf89 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json index 124a2fefaa0..0375a882fd5 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", @@ -75,6 +75,6 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json index 55a4af632b0..c7654c2a85c 100644 --- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -62,7 +62,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", @@ -75,6 +75,6 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json index 59be052fe26..47e96c3c172 100644 --- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 49ddd510ec1..2056b7f190f 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json @@ -10,7 +10,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", @@ -62,6 +62,6 @@ "searchValue": "", "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'", - "issueType": "IncorrectValue" + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json index f2d66b38026..312c5dc06e9 100644 --- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json @@ -23,7 +23,7 @@ "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -49,7 +49,7 @@ "searchValue": "", "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -75,7 +75,7 @@ "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", @@ -101,6 +101,6 @@ "searchValue": "", "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json index 8e38d219dfc..241c6c53bb9 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json @@ -23,6 +23,6 @@ "searchValue": "", "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.", "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.", - "issueType": "MissingAttribute" + "issueType": "IncorrectValue" } ] diff --git a/test/queries_test.go b/test/queries_test.go index 4cb269a01bd..34125156c3f 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -407,7 +407,7 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera require.Equal(tb, expectedItem.SearchValue, actualItem.SearchValue, "Invalid searchValue for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchValue, actualItem.SearchValue) require.Equal(tb, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue, "Invalid expected value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue) require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyActualValue, actualItem.KeyActualValue) - require.Equal(tb, expectedItem.IssueType, actualItem.IssueType, "Invalid issue type for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.IssueType, actualItem.IssueType) + require.Equal(tb, expectedItem.IssueType, actualItem.IssueType, "Invalid issue type for query %s\n Expected[%s]%s: %s\n Actual[%s]: %s\n Ex\n", dir, expectedItem.FileName, expectedItem.IssueType, actualItem.FileName, actualItem.IssueType) } } From 2e55374e5e8f72e2989d31e307871588e2413ad5 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:55:24 +0000 Subject: [PATCH 20/22] changed go version to 1.25.8 and changed go and git images from the Dockerfile --- .../fix_issue_types.py | 230 ------------------ .../fix_remaining.py | 203 ---------------- Dockerfile | 4 +- docker/Dockerfile.alpine | 2 +- docker/Dockerfile.debian | 2 +- docker/Dockerfile.ubi8 | 6 +- 6 files changed, 7 insertions(+), 440 deletions(-) delete mode 100644 .github/scripts/generate-positive-expective-results/fix_issue_types.py delete mode 100644 .github/scripts/generate-positive-expective-results/fix_remaining.py diff --git a/.github/scripts/generate-positive-expective-results/fix_issue_types.py b/.github/scripts/generate-positive-expective-results/fix_issue_types.py deleted file mode 100644 index 387a6c4beb3..00000000000 --- a/.github/scripts/generate-positive-expective-results/fix_issue_types.py +++ /dev/null @@ -1,230 +0,0 @@ -""" -Fix incorrect issueType values in positive_expected_result.json for specific failing queries. - -Runs a KICS scan for each failing query, extracts the correct issueType per result -from the scan output, and patches the existing positive_expected_result.json files -without touching any other field. - -Usage: - python fix_issue_types.py # run fixes - python fix_issue_types.py --dry # dry run (report only, no writes) -""" - -import json -import subprocess -import sys -import tempfile -from pathlib import Path - -KICS_ROOT = Path(__file__).resolve().parents[3] -ASSETS_QUERIES_DIR = KICS_ROOT / "assets" / "queries" -GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") - -FAILING_QUERIES = [ - "ansible/aws/instance_uses_metadata_service_IMDSv1", - "terraform/nifcloud/load_balancer_use_insecure_tls_policy_name", - "azureResourceManager/sql_server_database_without_auditing", - "azureResourceManager/storage_logging_for_read_write_delete_requests_disabled", - "azureResourceManager/website_with_client_certificate_auth_disabled", - "openAPI/2.0/security_definitions_undefined_or_empty", - "terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured", - "terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured", - "terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured", - "terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured", - "terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured", - "terraform/azure/activity_log_alert_for_delete_security_solution_not_configured", - "terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured", - "terraform/azure/activity_log_alert_for_service_health_not_configured", - "terraform/azure/backup_vault_without_immutability", - "terraform/azure/diagnostic_settings_without_appropriate_logging", - "terraform/azure/recovery_services_vaut_with_public_network_access", - "terraform/azure/recovery_services_vaut_without_immutability", - "terraform/azure/storage_account_not_using_latest_smb_protocol_version", - "terraform/azure/storage_account_using_unsafe_smb_channel_encryption", - "terraform/azure/storage_account_with_shared_access_key", - "terraform/azure/storage_account_without_delete_lock", - "terraform/azure/vm_without_encryption_at_host", - "k8s/image_pull_policy_of_container_is_not_always", - "openAPI/general/path_parameter_not_required", - "terraform/aws/api_gateway_access_logging_disabled", - "terraform/aws/auto_scaling_group_with_no_associated_elb", - "terraform/aws/glue_security_configuration_encryption_disabled", - "terraform/aws/msk_cluster_encryption_disabled", - "terraform/aws/msk_cluster_logging_disabled", - "terraform/aws/rds_with_backup_disabled", - "terraform/aws/sns_topic_not_encrypted", - "cloudFormation/aws/elb_with_security_group_without_outbound_rules", - "cloudFormation/aws/elb_without_secure_protocol", - "cloudFormation/aws/neptune_logging_is_disabled", - "cloudFormation/aws/secretsmanager_secret_without_kms", - "dockerfile/apt_get_install_pin_version_not_defined", -] - - -def get_query_id(query_dir: Path) -> str: - with open(query_dir / "metadata.json", "r", encoding="utf-8") as f: - return json.load(f)["id"] - - -def run_scan(query_dir: Path, query_id: str) -> dict | None: - """Run KICS scan and return the parsed JSON results.""" - with tempfile.TemporaryDirectory() as tmpdir: - test_path = str(query_dir / "test") - payload_path = str(query_dir / "payloads") - output_file = Path(tmpdir) / "results.json" - - cmd = [ - "go", "run", GO_ENTRY_POINT, "scan", - "-p", test_path, - "-o", tmpdir, - "--output-name", "results.json", - "-i", query_id, - "-d", f"{payload_path}/all_payloads.json", - "-v", - "--experimental-queries", - "--bom", - "--enable-openapi-refs", - ] - - subprocess.run(cmd, cwd=str(KICS_ROOT), capture_output=True) - - if not output_file.is_file(): - return None - - with open(output_file, "r", encoding="utf-8") as f: - return json.load(f) - - -def build_issue_type_map(scan_data: dict) -> dict[tuple, str]: - """Build a map from (filename, line) -> issue_type from scan results.""" - it_map: dict[tuple, str] = {} - - for section in ("queries", "bill_of_materials"): - for q in scan_data.get(section, []): - for f in q.get("files", []): - file_path = Path(f.get("file_name", "")) - filename = file_path.name - line = f.get("line", 0) - issue_type = f.get("issue_type", "") - expected_value = f.get("expected_value", "") - actual_value = f.get("actual_value", "") - - if issue_type: - # Primary key: (filename, line) - it_map[(filename, line)] = issue_type - # Fallback key with more specificity - it_map[(filename, line, expected_value, actual_value)] = issue_type - - return it_map - - -def find_expected_result_files(query_dir: Path) -> list[Path]: - test_dir = query_dir / "test" - if not test_dir.is_dir(): - return [] - return sorted(test_dir.rglob("positive_expected_result.json")) - - -def patch_expected_results(query_dir: Path, it_map: dict[tuple, str], dry: bool) -> dict: - stats = {"fixed": 0, "unchanged": 0, "not_found": 0} - - for rf in find_expected_result_files(query_dir): - with open(rf, "r", encoding="utf-8") as f: - entries = json.load(f) - - if not isinstance(entries, list): - continue - - modified = False - for entry in entries: - filename = entry.get("filename", "") - line = entry.get("line", 0) - expected_value = entry.get("expectedValue", "") - actual_value = entry.get("actualValue", "") - current_it = entry.get("issueType", "") - - # Try specific key first, then fallback - correct_it = it_map.get( - (filename, line, expected_value, actual_value), - it_map.get((filename, line)) - ) - - if correct_it is None: - stats["not_found"] += 1 - continue - - if current_it != correct_it: - entry["issueType"] = correct_it - stats["fixed"] += 1 - modified = True - else: - stats["unchanged"] += 1 - - if modified and not dry: - with open(rf, "w", encoding="utf-8") as f: - json.dump(entries, f, indent=2, ensure_ascii=False) - f.write("\n") - - return stats - - -def main() -> None: - dry = "--dry" in sys.argv - if dry: - print("=== DRY RUN ===\n") - - total = len(FAILING_QUERIES) - total_fixed = 0 - total_not_found = 0 - failed_scans = [] - - for i, q in enumerate(FAILING_QUERIES, 1): - query_dir = ASSETS_QUERIES_DIR / q - if not query_dir.is_dir(): - print(f"[{i}/{total}] SKIP (not found): {q}") - continue - - query_id = get_query_id(query_dir) - print(f"[{i}/{total}] Scanning: {q} (id={query_id})") - - scan_data = run_scan(query_dir, query_id) - if scan_data is None: - print(f" ERROR: scan produced no output") - failed_scans.append(q) - continue - - it_map = build_issue_type_map(scan_data) - if not it_map: - print(f" WARNING: no results from scan") - failed_scans.append(q) - continue - - stats = patch_expected_results(query_dir, it_map, dry) - total_fixed += stats["fixed"] - total_not_found += stats["not_found"] - - if stats["fixed"]: - print(f" Fixed {stats['fixed']} entries (unchanged: {stats['unchanged']})") - else: - print(f" No changes needed (unchanged: {stats['unchanged']})") - - if stats["not_found"]: - print(f" WARNING: {stats['not_found']} entries could not be matched") - - print(f"\n{'='*60}") - print(f"Total fixed : {total_fixed}") - print(f"Not matched : {total_not_found}") - print(f"Failed scans : {len(failed_scans)}") - - if failed_scans: - print("\nFailed scans:") - for q in failed_scans: - print(f" - {q}") - sys.exit(1) - - -if __name__ == "__main__": - main() diff --git a/.github/scripts/generate-positive-expective-results/fix_remaining.py b/.github/scripts/generate-positive-expective-results/fix_remaining.py deleted file mode 100644 index 12de1ede098..00000000000 --- a/.github/scripts/generate-positive-expective-results/fix_remaining.py +++ /dev/null @@ -1,203 +0,0 @@ -""" -Fix the remaining queries that failed in fix_issue_types.py: -- activity_log_alert queries: need per-subdirectory scans -- elb_with_security_group_without_outbound_rules: unmatched entries -- activity_log_alert_for_service_health_not_configured: unmatched entries - -Usage: - python fix_remaining.py - python fix_remaining.py --dry -""" - -import json -import subprocess -import sys -import tempfile -from pathlib import Path - -KICS_ROOT = Path(__file__).resolve().parents[3] -ASSETS_QUERIES_DIR = KICS_ROOT / "assets" / "queries" -GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") - -REMAINING_QUERIES = [ - "terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured", - "terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured", - "terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured", - "terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured", - "terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured", - "terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured", - "terraform/azure/activity_log_alert_for_delete_security_solution_not_configured", - "terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured", - "terraform/azure/activity_log_alert_for_service_health_not_configured", - "cloudFormation/aws/elb_with_security_group_without_outbound_rules", -] - - -def get_query_id(query_dir: Path) -> str: - with open(query_dir / "metadata.json", "r", encoding="utf-8") as f: - return json.load(f)["id"] - - -def run_scan(scan_path: str, query_id: str, payload_path: str) -> dict | None: - with tempfile.TemporaryDirectory() as tmpdir: - cmd = [ - "go", "run", GO_ENTRY_POINT, "scan", - "-p", scan_path, - "-o", tmpdir, - "--output-name", "results.json", - "-i", query_id, - "-d", f"{payload_path}/all_payloads.json", - "-v", - "--experimental-queries", - "--bom", - "--enable-openapi-refs", - ] - subprocess.run(cmd, cwd=str(KICS_ROOT), capture_output=True) - output_file = Path(tmpdir) / "results.json" - if not output_file.is_file(): - return None - with open(output_file, "r", encoding="utf-8") as f: - return json.load(f) - - -def build_issue_type_map(scan_data: dict) -> dict[tuple, str]: - it_map: dict[tuple, str] = {} - for section in ("queries", "bill_of_materials"): - for q in scan_data.get(section, []): - for f in q.get("files", []): - file_path = Path(f.get("file_name", "")) - filename = file_path.name - line = f.get("line", 0) - issue_type = f.get("issue_type", "") - expected_value = f.get("expected_value", "") - actual_value = f.get("actual_value", "") - if issue_type: - it_map[(filename, line)] = issue_type - it_map[(filename, line, expected_value, actual_value)] = issue_type - return it_map - - -def get_scan_dirs(test_dir: Path) -> list[tuple[Path, Path | None]]: - """Return list of (scan_dir, expected_result_file) pairs. - - For queries with positive subdirectories (positive2/, positive3/), - we need to scan each subdirectory separately. - Also scan top-level for the main positive_expected_result.json. - """ - pairs = [] - - # Top-level: scan the whole test dir but only match top-level expected results - top_expected = test_dir / "positive_expected_result.json" - if top_expected.is_file(): - # Scan only the top-level positive files (not in subdirs) - pairs.append((test_dir, top_expected)) - - # Subdirectories with their own positive_expected_result.json - for subdir in sorted(test_dir.iterdir()): - if subdir.is_dir() and subdir.name.startswith("positive"): - sub_expected = subdir / "positive_expected_result.json" - if sub_expected.is_file(): - pairs.append((subdir, sub_expected)) - - return pairs - - -def patch_file(expected_file: Path, it_map: dict[tuple, str], dry: bool) -> dict: - stats = {"fixed": 0, "unchanged": 0, "not_found": 0} - - with open(expected_file, "r", encoding="utf-8") as f: - entries = json.load(f) - - if not isinstance(entries, list): - return stats - - modified = False - for entry in entries: - filename = entry.get("filename", "") - line = entry.get("line", 0) - expected_value = entry.get("expectedValue", "") - actual_value = entry.get("actualValue", "") - current_it = entry.get("issueType", "") - - correct_it = it_map.get( - (filename, line, expected_value, actual_value), - it_map.get((filename, line)) - ) - - if correct_it is None: - stats["not_found"] += 1 - print(f" NOT FOUND: {filename}:{line}") - continue - - if current_it != correct_it: - entry["issueType"] = correct_it - stats["fixed"] += 1 - modified = True - else: - stats["unchanged"] += 1 - - if modified and not dry: - with open(expected_file, "w", encoding="utf-8") as f: - json.dump(entries, f, indent=2, ensure_ascii=False) - f.write("\n") - - return stats - - -def process_query(query_path: str, dry: bool) -> dict: - query_dir = ASSETS_QUERIES_DIR / query_path - query_id = get_query_id(query_dir) - test_dir = query_dir / "test" - payload_path = str(query_dir / "payloads") - - total_stats = {"fixed": 0, "unchanged": 0, "not_found": 0} - - scan_pairs = get_scan_dirs(test_dir) - - for scan_dir, expected_file in scan_pairs: - scan_data = run_scan(str(scan_dir), query_id, payload_path) - if scan_data is None: - print(f" No scan output for {scan_dir.name}") - continue - - it_map = build_issue_type_map(scan_data) - if not it_map: - print(f" No results for {scan_dir.name}") - continue - - stats = patch_file(expected_file, it_map, dry) - for k in total_stats: - total_stats[k] += stats[k] - - return total_stats - - -def main(): - dry = "--dry" in sys.argv - if dry: - print("=== DRY RUN ===\n") - - total_fixed = 0 - total_not_found = 0 - total = len(REMAINING_QUERIES) - - for i, q in enumerate(REMAINING_QUERIES, 1): - print(f"[{i}/{total}] {q}") - stats = process_query(q, dry) - total_fixed += stats["fixed"] - total_not_found += stats["not_found"] - - if stats["fixed"]: - print(f" Fixed {stats['fixed']} (unchanged: {stats['unchanged']})") - else: - print(f" No changes (unchanged: {stats['unchanged']})") - - print(f"\n{'='*60}") - print(f"Total fixed : {total_fixed}") - print(f"Not matched : {total_not_found}") - - -if __name__ == "__main__": - main() diff --git a/Dockerfile b/Dockerfile index a9ce17650fe..b848bd2b9d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM checkmarx/go:1.26.0-r0@sha256:bbc945863cdee21f4bab2e80b4bd481cfee5c13ece8e576136bc478a5f6ad34d AS build_env +FROM checkmarx/go:1.26.1-r1@sha256:3984b97600a32d5a9ff14cc4b8029572a762082d98fb9788bbc4050d4f45d9d2 AS build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app @@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM checkmarx/git:2.53.0-r0@sha256:f46c18d1ae724ca35faa4884289e8203294e52cafb17717e3875ab2c636a0a7e +FROM checkmarx/git:2.53.0-r0@sha256:6f398e9772fc0271cbdd77b065a09c9244004fbda17c1c58ba01b412a4292bde ENV TERM xterm-256color diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine index 74659e3d16a..47caa36a8ea 100644 --- a/docker/Dockerfile.alpine +++ b/docker/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-alpine AS build_env +FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-alpine AS build_env # Install build dependencies RUN apk add --no-cache git diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index db9f7bd30c8..f74b5517dd8 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -3,7 +3,7 @@ # it does not define an ENTRYPOINT as this is a requirement described here: # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers # -FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-bookworm as build_env +FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-bookworm as build_env # Create a group and user RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx USER checkmarx diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index e9caa31353f..85a39dc998e 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -4,10 +4,10 @@ WORKDIR /build ENV PATH=$PATH:/usr/local/go/bin -ADD https://golang.org/dl/go1.25.7.linux-amd64.tar.gz . +ADD https://golang.org/dl/go1.25.8.linux-amd64.tar.gz . RUN yum install git gcc -y \ - && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz \ - && rm -f go1.25.7.linux-amd64.tar.gz + && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.8.linux-amd64.tar.gz \ + && rm -f go1.25.8.linux-amd64.tar.gz ENV GOPRIVATE=github.com/Checkmarx/* ARG VERSION="development" From 401b1c0fba5039c5661fb0131c62879592bf2262 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:58:33 +0000 Subject: [PATCH 21/22] removed unnecessary csv file --- failed_queries_report.csv | 41 --------------------------------------- 1 file changed, 41 deletions(-) delete mode 100644 failed_queries_report.csv diff --git a/failed_queries_report.csv b/failed_queries_report.csv deleted file mode 100644 index bdf25292cae..00000000000 --- a/failed_queries_report.csv +++ /dev/null @@ -1,41 +0,0 @@ -Query,Status,Tipo de erro,No expected (errado),Valor correto (actual),Notas -ansible/aws/instance_uses_metadata_service_IMDSv1,,issueType errado,IncorrectValue,MissingAttribute, -terraform/nifcloud/load_balancer_use_insecure_tls_policy_name,,issueType errado,MissingAttribute,IncorrectValue, -azureResourceManager/sql_server_database_without_auditing,,issueType errado,MissingAttribute,IncorrectValue, -azureResourceManager/storage_logging_for_read_write_delete_requests_disabled,,issueType errado,MissingAttribute,IncorrectValue, -azureResourceManager/website_with_client_certificate_auth_disabled,,issueType errado,MissingAttribute,IncorrectValue, -openAPI/2.0/security_definitions_undefined_or_empty,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_delete_security_solution_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/activity_log_alert_for_service_health_not_configured,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/backup_vault_without_immutability,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/diagnostic_settings_without_appropriate_logging,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/recovery_services_vaut_with_public_network_access,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/recovery_services_vaut_without_immutability,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/storage_account_not_using_latest_smb_protocol_version,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/storage_account_using_unsafe_smb_channel_encryption,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/storage_account_with_shared_access_key,,issueType errado,MissingAttribute,IncorrectValue, -terraform/azure/storage_account_without_delete_lock,,issueType errado,IncorrectValue,MissingAttribute, -terraform/azure/vm_without_encryption_at_host,,issueType errado,MissingAttribute,IncorrectValue, -k8s/image_pull_policy_of_container_is_not_always,,issueType errado,MissingAttribute,IncorrectValue, -openAPI/general/path_parameter_not_required,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/api_gateway_access_logging_disabled,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/auto_scaling_group_with_no_associated_elb,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/glue_security_configuration_encryption_disabled,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/msk_cluster_encryption_disabled,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/msk_cluster_logging_disabled,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/rds_with_backup_disabled,,issueType errado,MissingAttribute,IncorrectValue, -terraform/aws/sns_topic_not_encrypted,,issueType errado,MissingAttribute,IncorrectValue, -cloudFormation/aws/elb_with_security_group_without_outbound_rules,,issueType errado,MissingAttribute,IncorrectValue, -cloudFormation/aws/elb_without_secure_protocol,,issueType errado,MissingAttribute,IncorrectValue, -cloudFormation/aws/neptune_logging_is_disabled,,issueType errado,MissingAttribute,IncorrectValue, -cloudFormation/aws/secretsmanager_secret_without_kms,,issueType errado,IncorrectValue,MissingAttribute, -dockerfile/apt_get_install_pin_version_not_defined,,issueType errado,MissingAttribute,IncorrectValue, From 1a74bf9becad89539fcc1b353952ae7704318774 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 18 Mar 2026 10:25:48 +0000 Subject: [PATCH 22/22] added fields to positive_expected_results.json --- .../test/positive_expected_result.json | 294 +++++++++++++++++- .../test/positive_expected_result.json | 91 ++++++ 2 files changed, 381 insertions(+), 4 deletions(-) diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index a12f2c4f974..ab230f55393 100644 --- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -12,6 +12,19 @@ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", "issueType": "IncorrectValue" }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 26, + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -25,6 +38,19 @@ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", "issueType": "MissingAttribute" }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 22, + "filename": "positive2.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -38,6 +64,19 @@ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", "issueType": "MissingAttribute" }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 21, + "filename": "positive3.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -51,6 +90,32 @@ "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", "issueType": "MissingAttribute" }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 4, + "filename": "positive4.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 45, + "filename": "positive5.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -67,14 +132,40 @@ { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", - "line": 34, + "line": 41, + "filename": "positive6.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 32, "filename": "positive6.yaml", "resourceType": "AWS::ECS::TaskDefinition", "resourceName": "taskdefinition", - "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", "searchValue": "", - "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", - "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 41, + "filename": "positive7.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", "issueType": "MissingAttribute" }, { @@ -90,6 +181,19 @@ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", "issueType": "MissingAttribute" }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 7, + "filename": "positive8.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute" + }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", @@ -102,5 +206,187 @@ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 30, + "filename": "positive9.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 39, + "filename": "positive9.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 22, + "filename": "positive9.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 29, + "filename": "positive9.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 27, + "filename": "positive10.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 35, + "filename": "positive10.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 19, + "filename": "positive10.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 25, + "filename": "positive10.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 26, + "filename": "positive11.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 32, + "filename": "positive11.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 18, + "filename": "positive11.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 22, + "filename": "positive11.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 39, + "filename": "positive12.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 29, + "filename": "positive12.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index ad6f43880af..8623ca288da 100644 --- a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json @@ -37,5 +37,96 @@ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_4", + "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[0].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 26, + "filename": "positive4.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_4", + "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[1].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 8, + "filename": "positive5.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_5", + "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[0].efs_volume_configuration", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 22, + "filename": "positive5.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_5", + "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[1].efs_volume_configuration", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_6", + "searchKey": "aws_ecs_task_definition[{{service_6}}].volume[0]", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 9, + "filename": "positive6.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_6", + "searchKey": "aws_ecs_task_definition[{{service_6}}].volume[1]", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": "MissingAttribute" + }, + { + "queryName": "EFS Volume With Disabled Transit Encryption", + "severity": "MEDIUM", + "line": 26, + "filename": "positive7.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_7", + "searchKey": "aws_ecs_task_definition[{{service_7}}].volume[1].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue" } ]